211be80bbab4b878ecce1d42c5191cfd9a2575bfa4fa0e05906d6e7bb3b28775

Analysis

max time kernel
147s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-11-2022 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chew-wga09windows.zip
Size

8.8MB
MD5

9a2eceb09cdea9a5767db6b5ae761432
SHA1

8913a8cc829e61bef7f38f7953655e33e52356c5
SHA256

211be80bbab4b878ecce1d42c5191cfd9a2575bfa4fa0e05906d6e7bb3b28775
SHA512

ae5d8c57ba1699d91110bf6a78505843bc02fa5b79716947ef18a8ba070f67e35bb0985a1011a7d20977aa03431786695d33f7c6f0a06fecf13d109de64843a9
SSDEEP

196608:uq5hul04G65AMYTyMUWkK3RVGKIyUXgwybiPifLOXP6lKMsMlnh2U0Mzz:bql04dAtTUqVGZjXgwyLSMKVAh2sn

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 38 IoCs

Processes:

CW.eXeautorun.exehosts.exetouch.exebanish.exetouch.exebanish.exetouch.exetouch.exetouch.exetouch.exebanish.exetouch.exebanish.exetouch.exetouch.exetouch.exetouch.exebanish.exetouch.exebanish.exetouch.exetouch.exetouch.exetouch.exebanish.exetouch.exebanish.exetouch.exetouch.exetouch.exetouch.exebanish.exetouch.exebanish.exetouch.exetouch.exetouch.exe

pid	process
2032	CW.eXe
832	autorun.exe
316	hosts.exe
1136	touch.exe
1764	banish.exe
1232	touch.exe
1956	banish.exe
1040	touch.exe
1828	touch.exe
1880	touch.exe
2028	touch.exe
1784	banish.exe
708	touch.exe
1616	banish.exe
240	touch.exe
376	touch.exe
1788	touch.exe
316	touch.exe
1732	banish.exe
1752	touch.exe
1964	banish.exe
964	touch.exe
568	touch.exe
328	touch.exe
708	touch.exe
912	banish.exe
1040	touch.exe
1064	banish.exe
1132	touch.exe
872	touch.exe
1248	touch.exe
944	touch.exe
900	banish.exe
1164	touch.exe
376	banish.exe
1656	touch.exe
2040	touch.exe
1012	touch.exe

Possible privilege escalation attempt 60 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
1624	takeown.exe
1944	icacls.exe
872	icacls.exe
956	takeown.exe
1548	takeown.exe
904	icacls.exe
1712	takeown.exe
1956	takeown.exe
900	takeown.exe
1732	icacls.exe
1248	takeown.exe
1612	takeown.exe
1752	icacls.exe
1068	icacls.exe
1992	takeown.exe
1656	takeown.exe
1692	icacls.exe
1924	takeown.exe
1268	takeown.exe
1880	takeown.exe
1488	icacls.exe
1232	icacls.exe
2028	icacls.exe
572	icacls.exe
1828	icacls.exe
1136	icacls.exe
2020	icacls.exe
2028	icacls.exe
572	takeown.exe
1128	takeown.exe
376	icacls.exe
904	icacls.exe
1732	icacls.exe
1480	takeown.exe
1940	icacls.exe
376	takeown.exe
1620	takeown.exe
2028	takeown.exe
328	icacls.exe
1764	icacls.exe
1688	icacls.exe
912	icacls.exe
600	takeown.exe
1596	icacls.exe
1556	icacls.exe
1812	icacls.exe
1596	takeown.exe
1612	icacls.exe
1596	icacls.exe
424	takeown.exe
2020	icacls.exe
912	icacls.exe
1624	takeown.exe
1944	icacls.exe
1680	icacls.exe
1828	icacls.exe
1232	icacls.exe
1488	takeown.exe
1104	icacls.exe
1012	takeown.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\hosts.exe	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\hosts.exe	upx
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\hosts.exe	upx
behavioral1/memory/316-107-0x0000000000400000-0x0000000000420000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
behavioral1/memory/1136-127-0x0000000000400000-0x0000000000411000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe	upx
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe	upx
behavioral1/memory/1764-142-0x0000000000400000-0x000000000041E000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
behavioral1/memory/1232-151-0x0000000000400000-0x0000000000411000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe	upx
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe	upx
behavioral1/memory/1956-165-0x0000000000400000-0x000000000041E000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
behavioral1/memory/1040-173-0x0000000000400000-0x0000000000411000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
behavioral1/memory/1828-184-0x0000000000400000-0x0000000000411000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
behavioral1/memory/1880-200-0x0000000000400000-0x0000000000411000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe	upx
behavioral1/memory/2028-242-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/1784-253-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/708-258-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/1616-266-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/240-269-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/376-273-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/1788-278-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/316-295-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/1732-301-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/1752-304-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/1964-309-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/964-314-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/568-318-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/328-324-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/708-341-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/912-346-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/1040-351-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/1064-357-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/1132-360-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/872-364-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/1248-370-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/944-376-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/900-380-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/1164-386-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/1656-394-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/2040-398-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/1012-404-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Loads dropped DLL 64 IoCs

Processes:

CW.eXeautorun.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exetouch.execmd.exeicacls.execmd.execmd.exe

pid	process
2032	CW.eXe
832	autorun.exe
832	autorun.exe
832	autorun.exe
1012	cmd.exe
1620	cmd.exe
1620	cmd.exe
1696	cmd.exe
288	cmd.exe
288	cmd.exe
1868	cmd.exe
964	cmd.exe
964	cmd.exe
976	cmd.exe
976	cmd.exe
1340	cmd.exe
1340	cmd.exe
1920	cmd.exe
1920	cmd.exe
2020	cmd.exe
1464	cmd.exe
1464	cmd.exe
704	cmd.exe
1484	cmd.exe
1484	cmd.exe
944	cmd.exe
944	cmd.exe
1548	cmd.exe
1548	cmd.exe
1580	cmd.exe
1580	cmd.exe
1708	cmd.exe
904	cmd.exe
904	cmd.exe
1716	cmd.exe
944	cmd.exe
944	cmd.exe
1012	cmd.exe
1012	cmd.exe
1448	cmd.exe
1448	cmd.exe
1612	cmd.exe
1612	cmd.exe
1752	cmd.exe
1868	cmd.exe
1868	cmd.exe
548	cmd.exe
572	cmd.exe
572	cmd.exe
1300	cmd.exe
288
1300	cmd.exe
1300	cmd.exe
872	touch.exe
552	cmd.exe
1448
1068	icacls.exe
1128	cmd.exe
1268
704	cmd.exe
1600
704	cmd.exe
704	cmd.exe
704	cmd.exe

Modifies file permissions 1 TTPs 60 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exe

pid	process
2028	takeown.exe
1944	icacls.exe
1680	icacls.exe
1940	icacls.exe
2020	icacls.exe
1732	icacls.exe
1480	takeown.exe
2028	icacls.exe
1136	icacls.exe
1068	icacls.exe
1104	icacls.exe
1596	takeown.exe
1752	icacls.exe
2020	icacls.exe
1488	icacls.exe
1624	takeown.exe
1612	icacls.exe
1688	icacls.exe
1992	takeown.exe
1620	takeown.exe
1956	takeown.exe
2028	icacls.exe
1012	takeown.exe
1556	icacls.exe
1812	icacls.exe
1232	icacls.exe
1232	icacls.exe
600	takeown.exe
1596	icacls.exe
1732	icacls.exe
1712	takeown.exe
328	icacls.exe
1924	takeown.exe
904	icacls.exe
1828	icacls.exe
424	takeown.exe
1548	takeown.exe
1248	takeown.exe
1656	takeown.exe
1488	takeown.exe
956	takeown.exe
1880	takeown.exe
1596	icacls.exe
900	takeown.exe
1692	icacls.exe
1764	icacls.exe
1624	takeown.exe
1268	takeown.exe
1828	icacls.exe
1612	takeown.exe
912	icacls.exe
912	icacls.exe
376	icacls.exe
572	icacls.exe
872	icacls.exe
1944	icacls.exe
376	takeown.exe
1128	takeown.exe
904	icacls.exe
572	takeown.exe

Drops file in System32 directory 9 IoCs

Processes:

touch.exetouch.exetouch.exetouch.exetouch.exetouch.exetouch.exetouch.exetouch.exe

description	ioc	process
File opened for modification	C:\Windows\system32\sppcomapi.dll	touch.exe
File opened for modification	C:\Windows\system32\systemcpl.dll	touch.exe
File opened for modification	C:\Windows\SysWOW64\slmgr.vbs	touch.exe
File opened for modification	C:\Windows\SysWOW64\systemcpl.dll	touch.exe
File opened for modification	C:\Windows\system32\user32.dll	touch.exe
File opened for modification	C:\Windows\SysWOW64\user32.dll	touch.exe
File opened for modification	C:\Windows\system32\winver.exe	touch.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	touch.exe
File opened for modification	C:\Windows\system32\slmgr.vbs	touch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

autorun.exe

pid process

832 autorun.exe

pid	process
832	autorun.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

7zG.exeAUDIODG.EXEtakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeautorun.exe

description	pid	process
Token: SeRestorePrivilege	964	7zG.exe
Token: 35	964	7zG.exe
Token: SeSecurityPrivilege	964	7zG.exe
Token: SeSecurityPrivilege	964	7zG.exe
Token: 33	1748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1748	AUDIODG.EXE
Token: 33	1748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1748	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	1712	takeown.exe
Token: SeTakeOwnershipPrivilege	1880	takeown.exe
Token: SeTakeOwnershipPrivilege	1656	takeown.exe
Token: SeTakeOwnershipPrivilege	1956	takeown.exe
Token: SeTakeOwnershipPrivilege	956	takeown.exe
Token: SeTakeOwnershipPrivilege	376	takeown.exe
Token: SeTakeOwnershipPrivilege	1924	takeown.exe
Token: SeTakeOwnershipPrivilege	1548	takeown.exe
Token: SeTakeOwnershipPrivilege	1624	takeown.exe
Token: SeTakeOwnershipPrivilege	1268	takeown.exe
Token: SeTakeOwnershipPrivilege	1012	takeown.exe
Token: SeTakeOwnershipPrivilege	1248	takeown.exe
Token: SeTakeOwnershipPrivilege	1620	takeown.exe
Token: SeShutdownPrivilege	832	autorun.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

964 7zG.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

CW.eXeautorun.exeAcroRd32.exe

pid process

2032 CW.eXe
2032 CW.eXe
832 autorun.exe
832 autorun.exe
1540 AcroRd32.exe
1540 AcroRd32.exe
1540 AcroRd32.exe

pid	process
964	7zG.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CW.eXeautorun.execmd.exehosts.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 832	2032	CW.eXe	autorun.exe
PID 2032 wrote to memory of 832	2032	CW.eXe	autorun.exe
PID 2032 wrote to memory of 832	2032	CW.eXe	autorun.exe
PID 2032 wrote to memory of 832	2032	CW.eXe	autorun.exe
PID 2032 wrote to memory of 832	2032	CW.eXe	autorun.exe
PID 2032 wrote to memory of 832	2032	CW.eXe	autorun.exe
PID 2032 wrote to memory of 832	2032	CW.eXe	autorun.exe
PID 832 wrote to memory of 1012	832	autorun.exe	cmd.exe
PID 832 wrote to memory of 1012	832	autorun.exe	cmd.exe
PID 832 wrote to memory of 1012	832	autorun.exe	cmd.exe
PID 832 wrote to memory of 1012	832	autorun.exe	cmd.exe
PID 832 wrote to memory of 1012	832	autorun.exe	cmd.exe
PID 832 wrote to memory of 1012	832	autorun.exe	cmd.exe
PID 832 wrote to memory of 1012	832	autorun.exe	cmd.exe
PID 1012 wrote to memory of 316	1012	cmd.exe	hosts.exe
PID 1012 wrote to memory of 316	1012	cmd.exe	hosts.exe
PID 1012 wrote to memory of 316	1012	cmd.exe	hosts.exe
PID 1012 wrote to memory of 316	1012	cmd.exe	hosts.exe
PID 1012 wrote to memory of 316	1012	cmd.exe	hosts.exe
PID 1012 wrote to memory of 316	1012	cmd.exe	hosts.exe
PID 1012 wrote to memory of 316	1012	cmd.exe	hosts.exe
PID 316 wrote to memory of 1784	316	hosts.exe	cmd.exe
PID 316 wrote to memory of 1784	316	hosts.exe	cmd.exe
PID 316 wrote to memory of 1784	316	hosts.exe	cmd.exe
PID 316 wrote to memory of 1784	316	hosts.exe	cmd.exe
PID 316 wrote to memory of 1784	316	hosts.exe	cmd.exe
PID 316 wrote to memory of 1784	316	hosts.exe	cmd.exe
PID 316 wrote to memory of 1784	316	hosts.exe	cmd.exe
PID 1784 wrote to memory of 1656	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1656	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1656	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1656	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1656	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1656	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1656	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 2040	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 2040	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 2040	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 2040	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 2040	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 2040	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 2040	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 2020	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 2020	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 2020	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 2020	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 2020	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 2020	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 2020	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1992	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 1992	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 1992	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 1992	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 1992	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 1992	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 1992	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 1712	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1712	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1712	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1712	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1712	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1712	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1712	1784	cmd.exe	cmd.exe
PID 1784 wrote to memory of 1812	1784	cmd.exe	find.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\chew-wga09windows.zip
1⤵
PID:704

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1164

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\chew-wga09windows\" -spe -an -ai#7zMap8560:114:7zEvent17452
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Users\Admin\AppData\Local\Temp\chew-wga09windows\chew-wga09windows\CW.eXe
"C:\Users\Admin\AppData\Local\Temp\chew-wga09windows\chew-wga09windows\CW.eXe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
"C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\chew-wga09windows\chew-wga09windows\CW.eXe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C hosts.exe /i
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\hosts.exe
hosts.exe /i
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hosts.cmd" /i"
5⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" TYPE "C:\Windows\System32\drivers\etc\hosts" "
6⤵
PID:1656

C:\Windows\SysWOW64\find.exe
FIND /I "genuine.microsoft.com"
6⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" TYPE "C:\Windows\System32\drivers\etc\hosts" "
6⤵
PID:2020

C:\Windows\SysWOW64\find.exe
FIND /I "mpa.one.microsoft.com"
6⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" TYPE "C:\Windows\System32\drivers\etc\hosts" "
6⤵
PID:1712

C:\Windows\SysWOW64\find.exe
FIND /I "sls.microsoft.com"
6⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C COPY /Y a32_original a64_original
3⤵
PID:708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C COPY /Y a32_original b64_original
3⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C COPY /Y a32_patched a64_patched
3⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C COPY /Y a32_patched b64_patched
3⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\slmgr.vbs t1.txt
3⤵
- Loads dropped DLL
PID:1620

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\System32\slmgr.vbs t1.txt
4⤵
- Executes dropped EXE
PID:1136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\slmgr.vbs"
3⤵
- Loads dropped DLL
PID:1696

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
banish.exe "C:\Windows\System32\slmgr.vbs"
4⤵
- Executes dropped EXE
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd" "C:\Windows\System32\slmgr.vbs""
5⤵
PID:1828

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\System32\slmgr.vbs"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\System32\slmgr.vbs" /grant "Admin":F
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\slmgr.vbs t2a.txt
3⤵
- Loads dropped DLL
PID:288

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\slmgr.vbs t2a.txt
4⤵
- Executes dropped EXE
PID:1232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\slmgr.vbs"
3⤵
- Loads dropped DLL
PID:1868

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
banish.exe "C:\Windows\Sysnative\slmgr.vbs"
4⤵
- Executes dropped EXE
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd" "C:\Windows\Sysnative\slmgr.vbs""
5⤵
PID:1820

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\Sysnative\slmgr.vbs"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\Sysnative\slmgr.vbs" /grant "Admin":F
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\slmgr.vbs t2b.txt
3⤵
- Loads dropped DLL
PID:964

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\slmgr.vbs t2b.txt
4⤵
- Executes dropped EXE
PID:1040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\slmgr.vbs"
3⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\slmgr.vbs
3⤵
- Loads dropped DLL
PID:976

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\slmgr.vbs
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\slmgr.vbs" /grant "Admin":RX
3⤵
PID:1692

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Sysnative\slmgr.vbs" /grant "Admin":RX
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\slmgr.vbs"
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\slmgr.vbs
3⤵
- Loads dropped DLL
PID:1340

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\slmgr.vbs
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\slmgr.vbs" /grant "Admin":RX
3⤵
PID:1964

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\slmgr.vbs" /grant "Admin":RX
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\slmgr.vbs"
3⤵
PID:1620

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\slmgr.vbs"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\slmgr.vbs" /deny "SYSTEM":F
3⤵
PID:1992

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\slmgr.vbs" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\slmgr.vbs"
3⤵
PID:1828

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Sysnative\slmgr.vbs"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\slmgr.vbs" /deny "SYSTEM":F
3⤵
PID:568

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Sysnative\slmgr.vbs" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\slmgr.vbs"
3⤵
PID:1716

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\slmgr.vbs"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\slmgr.vbs" /deny "SYSTEM":F
3⤵
PID:1612

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\slmgr.vbs" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C COPY /Y a64_patched b64_patched
3⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\sppcomapi.dll t1.txt
3⤵
- Loads dropped DLL
PID:1920

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\System32\sppcomapi.dll t1.txt
4⤵
- Executes dropped EXE
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\sppcomapi.dll"
3⤵
- Loads dropped DLL
PID:2020

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
banish.exe "C:\Windows\System32\sppcomapi.dll"
4⤵
- Executes dropped EXE
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd" "C:\Windows\System32\sppcomapi.dll""
5⤵
PID:1580

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\System32\sppcomapi.dll"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\System32\sppcomapi.dll" /grant "Admin":F
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\sppcomapi.dll t2a.txt
3⤵
- Loads dropped DLL
PID:1464

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\sppcomapi.dll t2a.txt
4⤵
- Executes dropped EXE
PID:708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\sppcomapi.dll"
3⤵
- Loads dropped DLL
PID:704

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
banish.exe "C:\Windows\Sysnative\sppcomapi.dll"
4⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd" "C:\Windows\Sysnative\sppcomapi.dll""
5⤵
PID:900

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\Sysnative\sppcomapi.dll"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\Sysnative\sppcomapi.dll" /grant "Admin":F
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\sppcomapi.dll t2b.txt
3⤵
- Loads dropped DLL
PID:1484

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\sppcomapi.dll t2b.txt
4⤵
- Executes dropped EXE
PID:240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\sppcomapi.dll"
3⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\sppcomapi.dll
3⤵
- Loads dropped DLL
PID:944

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\sppcomapi.dll
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\sppcomapi.dll" /grant "Admin":RX
3⤵
PID:1948

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Sysnative\sppcomapi.dll" /grant "Admin":RX
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\sppcomapi.dll"
3⤵
PID:424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\sppcomapi.dll
3⤵
- Loads dropped DLL
PID:1548

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\sppcomapi.dll
4⤵
- Executes dropped EXE
PID:1788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\sppcomapi.dll" /grant "Admin":RX
3⤵
PID:1464

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\sppcomapi.dll" /grant "Admin":RX
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\sppcomapi.dll"
3⤵
PID:1592

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\sppcomapi.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\sppcomapi.dll" /deny "SYSTEM":F
3⤵
PID:1616

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\sppcomapi.dll" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\sppcomapi.dll"
3⤵
PID:240

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Sysnative\sppcomapi.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\sppcomapi.dll" /deny "SYSTEM":F
3⤵
PID:1136

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Sysnative\sppcomapi.dll" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\sppcomapi.dll"
3⤵
PID:548

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\sppcomapi.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\sppcomapi.dll" /deny "SYSTEM":F
3⤵
PID:1012

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\sppcomapi.dll" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\systemcpl.dll t1.txt
3⤵
- Loads dropped DLL
PID:1580

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\System32\systemcpl.dll t1.txt
4⤵
- Executes dropped EXE
PID:316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\systemcpl.dll"
3⤵
- Loads dropped DLL
PID:1708

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
banish.exe "C:\Windows\System32\systemcpl.dll"
4⤵
- Executes dropped EXE
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd" "C:\Windows\System32\systemcpl.dll""
5⤵
PID:1464

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\System32\systemcpl.dll"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\System32\systemcpl.dll" /grant "Admin":F
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\systemcpl.dll t2a.txt
3⤵
- Loads dropped DLL
PID:904

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\systemcpl.dll t2a.txt
4⤵
- Executes dropped EXE
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\systemcpl.dll"
3⤵
- Loads dropped DLL
PID:1716

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
banish.exe "C:\Windows\Sysnative\systemcpl.dll"
4⤵
- Executes dropped EXE
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd" "C:\Windows\Sysnative\systemcpl.dll""
5⤵
PID:1868

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\Sysnative\systemcpl.dll"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\Sysnative\systemcpl.dll" /grant "Admin":F
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\systemcpl.dll t2b.txt
3⤵
- Loads dropped DLL
PID:944

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\systemcpl.dll t2b.txt
4⤵
- Executes dropped EXE
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\systemcpl.dll"
3⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\systemcpl.dll
3⤵
- Loads dropped DLL
PID:1012

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\systemcpl.dll
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\systemcpl.dll" /grant "Admin":RX
3⤵
PID:288

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Sysnative\systemcpl.dll" /grant "Admin":RX
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\systemcpl.dll"
3⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\systemcpl.dll
3⤵
- Loads dropped DLL
PID:1448

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\systemcpl.dll
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\systemcpl.dll" /grant "Admin":RX
3⤵
PID:516

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\systemcpl.dll" /grant "Admin":RX
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\systemcpl.dll"
3⤵
PID:1268

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\systemcpl.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\systemcpl.dll" /deny "SYSTEM":F
3⤵
PID:1816

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\systemcpl.dll" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\systemcpl.dll"
3⤵
PID:964

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Sysnative\systemcpl.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\systemcpl.dll" /deny "SYSTEM":F
3⤵
PID:1688

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Sysnative\systemcpl.dll" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\systemcpl.dll"
3⤵
PID:1012

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\systemcpl.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\systemcpl.dll" /deny "SYSTEM":F
3⤵
PID:1300

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\systemcpl.dll" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\user32.dll t1.txt
3⤵
- Loads dropped DLL
PID:1612

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\System32\user32.dll t1.txt
4⤵
- Executes dropped EXE
PID:708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\user32.dll"
3⤵
- Loads dropped DLL
PID:1752

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
banish.exe "C:\Windows\System32\user32.dll"
4⤵
- Executes dropped EXE
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd" "C:\Windows\System32\user32.dll""
5⤵
PID:516

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\System32\user32.dll"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\System32\user32.dll" /grant "Admin":F
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\user32.dll t2a.txt
3⤵
- Loads dropped DLL
PID:1868

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\user32.dll t2a.txt
4⤵
- Executes dropped EXE
PID:1040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\user32.dll"
3⤵
- Loads dropped DLL
PID:548

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
banish.exe "C:\Windows\Sysnative\user32.dll"
4⤵
- Executes dropped EXE
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd" "C:\Windows\Sysnative\user32.dll""
5⤵
PID:592

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\Sysnative\user32.dll"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\Sysnative\user32.dll" /grant "Admin":F
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\user32.dll t2b.txt
3⤵
- Loads dropped DLL
PID:572

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\user32.dll t2b.txt
4⤵
- Executes dropped EXE
PID:1132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\user32.dll"
3⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\user32.dll
3⤵
- Loads dropped DLL
PID:1300

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\user32.dll
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\user32.dll" /grant "Admin":RX
3⤵
- Loads dropped DLL
PID:552

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Sysnative\user32.dll" /grant "Admin":RX
4⤵
- Possible privilege escalation attempt
- Loads dropped DLL
- Modifies file permissions
PID:1068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\user32.dll"
3⤵
- Loads dropped DLL
PID:1128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\user32.dll
3⤵
- Loads dropped DLL
PID:704

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\user32.dll
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\user32.dll" /grant "Admin":RX
3⤵
PID:1040

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\user32.dll" /grant "Admin":RX
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C COPY /Y a64_patched b64_patched
3⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\System32\winver.exe t1.txt
3⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\System32\winver.exe t1.txt
4⤵
- Executes dropped EXE
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\System32\winver.exe"
3⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
banish.exe "C:\Windows\System32\winver.exe"
4⤵
- Executes dropped EXE
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd" "C:\Windows\System32\winver.exe""
5⤵
PID:1948

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\System32\winver.exe"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\System32\winver.exe" /grant "Admin":F
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\winver.exe t2a.txt
3⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\Sysnative\winver.exe t2a.txt
4⤵
- Executes dropped EXE
PID:1164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C banish.exe "C:\Windows\Sysnative\winver.exe"
3⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
banish.exe "C:\Windows\Sysnative\winver.exe"
4⤵
- Executes dropped EXE
PID:376

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd" "C:\Windows\Sysnative\winver.exe""
5⤵
PID:1924

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\Sysnative\winver.exe"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\Sysnative\winver.exe" /grant "Admin":F
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\winver.exe t2b.txt
3⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r C:\Windows\SysWOW64\winver.exe t2b.txt
4⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C move /y a64_patched "C:\Windows\Sysnative\winver.exe"
3⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\winver.exe
3⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r t2a.txt C:\Windows\Sysnative\winver.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\winver.exe" /grant "Admin":RX
3⤵
PID:524

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Sysnative\winver.exe" /grant "Admin":RX
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C move /y b64_patched "C:\Windows\SysWOW64\winver.exe"
3⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\winver.exe
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
touch.exe /h /q /c /m /a /r t2b.txt C:\Windows\SysWOW64\winver.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\winver.exe" /grant "Admin":RX
3⤵
PID:1652

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\winver.exe" /grant "Admin":RX
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\winver.exe"
3⤵
PID:1136

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\winver.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\winver.exe" /deny "SYSTEM":F
3⤵
PID:1776

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\winver.exe" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\winver.exe"
3⤵
PID:1656

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Sysnative\winver.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\winver.exe" /deny "SYSTEM":F
3⤵
PID:1040

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Sysnative\winver.exe" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\winver.exe"
3⤵
PID:1216

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\winver.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\winver.exe" /deny "SYSTEM":F
3⤵
PID:1232

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\winver.exe" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\System32\sfc.exe"
3⤵
PID:1708

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\sfc.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\System32\sfc.exe" /deny "SYSTEM":F
3⤵
PID:900

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\sfc.exe" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\Sysnative\sfc.exe"
3⤵
PID:288

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Sysnative\sfc.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\Sysnative\sfc.exe" /deny "SYSTEM":F
3⤵
PID:1924

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Sysnative\sfc.exe" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C takeown /f "C:\Windows\SysWOW64\sfc.exe"
3⤵
PID:1488

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\sfc.exe"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C icacls "C:\Windows\SysWOW64\sfc.exe" /deny "SYSTEM":F
3⤵
PID:1712

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\sfc.exe" /deny "SYSTEM":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1556

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\chew-wga09windows\chew-wga09windows\instructions.pdf"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:592

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\banish.cmd
Filesize
760B

MD5
4f4199874adea9219f1e4ad27d97d9c4

SHA1
dc1dae4f4865f84e1d0f572cacd94f48b83fa289

SHA256
099a497b7b971d87d0f8c17ce37d1c675e9d6d75d5c1e605c45d85e54c26a2ff

SHA512
c703c4c89ec94d2578e2b96110724fb08e5289c7e0db51f47e4bfd6be14d684223e0dfc2dfe978aa56eb8037a4bea514464e582ac3363ed1f506cba1aeaf6017

Download Submit
C:\Users\Admin\AppData\Local\Temp\banish.cmd
Filesize
760B

MD5
4f4199874adea9219f1e4ad27d97d9c4

SHA1
dc1dae4f4865f84e1d0f572cacd94f48b83fa289

SHA256
099a497b7b971d87d0f8c17ce37d1c675e9d6d75d5c1e605c45d85e54c26a2ff

SHA512
c703c4c89ec94d2578e2b96110724fb08e5289c7e0db51f47e4bfd6be14d684223e0dfc2dfe978aa56eb8037a4bea514464e582ac3363ed1f506cba1aeaf6017

Download Submit
C:\Users\Admin\AppData\Local\Temp\chew-wga09windows\chew-wga09windows\CW.eXe
Filesize
9.0MB

MD5
6738d790fc0f3928a8a5f19d829cae4d

SHA1
db0a727520178061506c7ec07a99bac581610329

SHA256
60ca507ef4ba7dbbb7ef6ea4b975b9b09a24d7d0c91d38d0876331203f962d98

SHA512
ceacf7ecdf1fa12da540f96592bd7114eb963bab8dc50641c000c1dff74b0b03ee24049df631d6c68ae70d208ff62e3476674f25e2faf5a3a09c9f46555d97b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chew-wga09windows\chew-wga09windows\CW.eXe
Filesize
9.0MB

MD5
6738d790fc0f3928a8a5f19d829cae4d

SHA1
db0a727520178061506c7ec07a99bac581610329

SHA256
60ca507ef4ba7dbbb7ef6ea4b975b9b09a24d7d0c91d38d0876331203f962d98

SHA512
ceacf7ecdf1fa12da540f96592bd7114eb963bab8dc50641c000c1dff74b0b03ee24049df631d6c68ae70d208ff62e3476674f25e2faf5a3a09c9f46555d97b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chew-wga09windows\chew-wga09windows\instructions.pdf
Filesize
143KB

MD5
6f1b88334ce2ac49833d0ab1a6b26b53

SHA1
50ed5d3c4b9bb449a6e8c29770df5898af4d5513

SHA256
f668567104f7e2f1b3ee0daf45b3832f992a1fb455be39ccb61c3fe2ec029658

SHA512
80b693d743372b4be135ae4c5b88768e17e65a3bbdb6e382ccaad0269604c79db6c398113198caafefd47acb64a4b9fc58ab32dfaf3d00ca4cda105b63fac9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hosts.cmd
Filesize
1KB

MD5
2bb98e62970df565a279b0948379770e

SHA1
43fbb46903ff7c367fac5a706d305a2fbcff59ef

SHA256
4bed3bf6776da43e3b1fe232717ec320ad27782ff2092ecf447a53d468f2bac1

SHA512
dce449e23b3954c7dbd2b536ca032e59e4ac87ca791555d39935bd969ce35d68a2626cac69c23799eead8e3ceea356808d6bab6fc342d81dc9500c7b0cda574d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg
Filesize
3KB

MD5
93270c4fa492e4e4edee872a2b961dde

SHA1
7b3c079d55d00aa5390662f0a2059e60546ed003

SHA256
25d49cbbd65d48ad462455f1143f73ee997df8f747e7d2213daab18e321c028b

SHA512
3d12721eb229d9227efc51c8e93d5f3ff6cabc305b643b764fcd6da76c031db4c8218b76b1f6158891995f23ce323c13826f59477924361cfb0dee2b9f94fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Cik11.Btn
Filesize
4KB

MD5
eb199b1cb2087cadf5dd4d7b06db4f62

SHA1
2033bed8c8de0805e8fdbebadfd710e42fbe1a68

SHA256
b99136b165304979e84e98930ea5fee03508b8967acf6b82844b96863d916b15

SHA512
a133b9d14143b0d67f876b19f22fcf7d72352872352d7c5dd8a9ae05551e9350c5ede194416a0802816dd4c82418679c52b3ae578bf0f63e446ea868f8a9d387

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Home2.Btn
Filesize
3KB

MD5
1c85362b0780dfb2f580e567ad57643a

SHA1
c1ca2efb091d5540c8d300a00420fb3060874e61

SHA256
70919d158d55ba3a9c38bbe91c79bc69452e67fe7862aa00fe77df56a7dde4e7

SHA512
57d643adeb7ae8409312a0b8ac1b4774d51543f31ee4f1ea27a57fb34521d21d3590e23d8470d03967aff137117c8ace46b8a20adc6e65c1a411f70dbfd85690

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\button.btn
Filesize
17KB

MD5
9ecb9fcfdcb46a87ec244cfe23659e0e

SHA1
b389705b9cc52e7e12a0f7f68a4f6922ea9db107

SHA256
3ff2c5e7c1b7471d41d64bd39b2d8e2df3761408c0b235ce8ccbb3d39417466f

SHA512
12a61f1cdff7faf5fe40fd83d2cbb4ef17554be2b2ead82162d685a3b492f7149bfb82b8c65a5d20e061a287140c5350923c0adab9fc7e47a7c98f3fdead8498

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\genuine-chew.jpg
Filesize
23KB

MD5
2e2ac2c68ef9ed0e14108208dc6880bb

SHA1
15bed281564c4ae5d59c8e8d7691b63ba253448b

SHA256
510acf5a6ce7e9570a591a48951161341de4f1da13e0117ab4aa6832e5bddb97

SHA512
ee40b725211ec3001154c7484de7ce78df7a885fef6ba09585cad7281b4b08acb60459856d8c3b1684adceef643995f2cf708212183ca2ddb7f231713306590c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\main-screen.jpg
Filesize
170KB

MD5
16ace5798f3499d9685197740cd00735

SHA1
5a5d4765b3d2046cd1d4fcc714e77d188b8e52ab

SHA256
0c88a592cb5448d2131a15f208580365cf383a2445ed60ca55987f42ecc4ce11

SHA512
f5e7f3bdba6aa633bb28991c5dc9ce0e9a010ca133165417ff81c48d6cacd87d89b93533176311a60823d8d98c13bd4134ce1bcd0f90f644092779cf47aa14e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\wait-install.jpg
Filesize
163KB

MD5
e9e643548d3f92376e0becea1b79d731

SHA1
a273f8456c05003220494d8cf49f631408b07cdf

SHA256
68e008a39348d54344d4c4213fea395f710b078c6a5fa5fd493c08acd8ed0c78

SHA512
c4d7f083bec2b5341f866511e4f7d258c3bd6d4f4f5404bf7e2b68ffbe5d0b33ad0d5de4db2c0fd2201ebbbd45927ad1af132431f184e9c0277982659db863a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\IRDissolveTransition.tns
Filesize
136KB

MD5
6a9b0ab9341ac4204aafc7fac9872962

SHA1
dc6ceafcb39b7329552d0883f2c3284dddbb0ddc

SHA256
6315b5d1869c3b4cbcbead77ad63da3a60d86ede287eccef338f74178ec181f2

SHA512
76bacf1de5ac883bb47ae8d3299d5f399ae84bcd19eadc3fd8ee01ae2605bbbbddd6aacf7fdec490b8e6baf362ae05dbf972a5710c2bc732e8542a1c5d04bca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a32_original
Filesize
110KB

MD5
38482a5013d8ab40df0fb15eae022c57

SHA1
5a4a7f261307721656c11b5cc097cde1cf791073

SHA256
ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8

SHA512
29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a32_patched
Filesize
110KB

MD5
ad42973557017119b0e5f176c745909b

SHA1
6f8911725ac86efa8eb4b08c5147a4ef365c12f7

SHA256
5c59f39702c8b1749453641b78b9aafcd6b38b11bc0b7b4b2e8ce7e5f6a5b4da

SHA512
fefa5a762166d416a0f2e1557e4d7097efedc30fc7a77b11d6178b00c8a5c6ea6767371e320c20722e48f077ee10c59a472e95f0519afd65d247aeb88422061c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a64_original
Filesize
110KB

MD5
38482a5013d8ab40df0fb15eae022c57

SHA1
5a4a7f261307721656c11b5cc097cde1cf791073

SHA256
ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8

SHA512
29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a64_patched
Filesize
110KB

MD5
ad42973557017119b0e5f176c745909b

SHA1
6f8911725ac86efa8eb4b08c5147a4ef365c12f7

SHA256
5c59f39702c8b1749453641b78b9aafcd6b38b11bc0b7b4b2e8ce7e5f6a5b4da

SHA512
fefa5a762166d416a0f2e1557e4d7097efedc30fc7a77b11d6178b00c8a5c6ea6767371e320c20722e48f077ee10c59a472e95f0519afd65d247aeb88422061c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\a64_patched
Filesize
1KB

MD5
96119226320b3b2a80e87fdb9d446ba0

SHA1
6fb6e603542ada336451c0f8af79e791f65b51ee

SHA256
041f6d11a1c631b9868c52ca4b8636dc9ca443b3a786bcf13c3477bdcb8a0551

SHA512
dbf894aab1b2fd826059bf685327688f1b8059dfb523d9fc25acd69ff3ed507d4d080bdacb6bfaa85e5a4de8bcb1bd7d2326f048cb9cd716f169ad1f20d1bf3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\b64_original
Filesize
188KB

MD5
b5d219bff6f911b6a8d77cee467d8384

SHA1
4ab378126674875646c9dcbd361d3c1d95019c79

SHA256
8aa58bc72593b3678f77d92d4f6ae9beae6a704c78f773ec6927728afaba30e0

SHA512
7e597df4c8dfb01de5945b0b250f5a8c25a85b30ef5201ea5e2f1016013c50464ac544f74cb5fec43ab5c3e20bd0ae6f4054d20418a677a80ba682614922ba95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\b64_patched
Filesize
110KB

MD5
ad42973557017119b0e5f176c745909b

SHA1
6f8911725ac86efa8eb4b08c5147a4ef365c12f7

SHA256
5c59f39702c8b1749453641b78b9aafcd6b38b11bc0b7b4b2e8ce7e5f6a5b4da

SHA512
fefa5a762166d416a0f2e1557e4d7097efedc30fc7a77b11d6178b00c8a5c6ea6767371e320c20722e48f077ee10c59a472e95f0519afd65d247aeb88422061c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
Filesize
32KB

MD5
4a43ea617017d5de7d93eb2380634eee

SHA1
b0af5aa27cd0e49955f1ab2d18d69f7bc8fd4d21

SHA256
dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549

SHA512
c241538ccf8feeb115dec39fc5f668675769b2681d96d77bca1f5d826a4841ddbf8ed0f167bdee1ec70d623b7a6382c88a3aa3b85083898a71585ca47796852e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
Filesize
32KB

MD5
4a43ea617017d5de7d93eb2380634eee

SHA1
b0af5aa27cd0e49955f1ab2d18d69f7bc8fd4d21

SHA256
dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549

SHA512
c241538ccf8feeb115dec39fc5f668675769b2681d96d77bca1f5d826a4841ddbf8ed0f167bdee1ec70d623b7a6382c88a3aa3b85083898a71585ca47796852e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
Filesize
32KB

MD5
4a43ea617017d5de7d93eb2380634eee

SHA1
b0af5aa27cd0e49955f1ab2d18d69f7bc8fd4d21

SHA256
dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549

SHA512
c241538ccf8feeb115dec39fc5f668675769b2681d96d77bca1f5d826a4841ddbf8ed0f167bdee1ec70d623b7a6382c88a3aa3b85083898a71585ca47796852e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\chew.enc
Filesize
3.9MB

MD5
12a32fa128964e6a70b7ead729bfd933

SHA1
af5ae624d8f1aba5b1c651d6435fdaaadb475d3f

SHA256
a7bec382f29d784338e0130bf180a2387454be59ce8bf198f43fe9655cc473d7

SHA512
a335e01ca8ada8b7ae15dd9405409266a01a8e597f556c8cb316c35366a0a4e3f8cadd048108f0cb713d51ccb08d0845298fc56858f9300c21f5422c1fb8ee01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\hosts.exe
Filesize
32KB

MD5
72ddf833fa206326e15c2c97679d323e

SHA1
ad148ff4b7f77831b469be8bb19d32d029c23b50

SHA256
387bcf2758752a65d0b3cef4bba95d5b1ef6e16e09e75a21e343ad2a407380c1

SHA512
66fd693751c90c10eb527b91a095af8464a59c5252d6455198cfe8289f1e94e2a062dc3841914b19aba93e152452c004d4c70dd8c7eda380b98b59ce841bf305

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\hosts.exe
Filesize
32KB

MD5
72ddf833fa206326e15c2c97679d323e

SHA1
ad148ff4b7f77831b469be8bb19d32d029c23b50

SHA256
387bcf2758752a65d0b3cef4bba95d5b1ef6e16e09e75a21e343ad2a407380c1

SHA512
66fd693751c90c10eb527b91a095af8464a59c5252d6455198cfe8289f1e94e2a062dc3841914b19aba93e152452c004d4c70dd8c7eda380b98b59ce841bf305

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\t1.txt
Filesize
32B

MD5
500cf1681dda5a94296d684421ce1329

SHA1
8d117d0dfb98c5b9a18eece31d52be17dc4faddf

SHA256
c5e2e7fa58c4734d9fe7d7a3d2519f49f915a8c9b74f66d883d6f945e8dc88e0

SHA512
4d827e96d0d6333690c9777144525a929cbf68273d3ce67b7f1d53a2eb2cc20feca9cb073d12d0575eae0631b8cd03856044cd6f987799b8780844b3246b773b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\t1.txt
Filesize
32B

MD5
500cf1681dda5a94296d684421ce1329

SHA1
8d117d0dfb98c5b9a18eece31d52be17dc4faddf

SHA256
c5e2e7fa58c4734d9fe7d7a3d2519f49f915a8c9b74f66d883d6f945e8dc88e0

SHA512
4d827e96d0d6333690c9777144525a929cbf68273d3ce67b7f1d53a2eb2cc20feca9cb073d12d0575eae0631b8cd03856044cd6f987799b8780844b3246b773b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\t2a.txt
Filesize
32B

MD5
500cf1681dda5a94296d684421ce1329

SHA1
8d117d0dfb98c5b9a18eece31d52be17dc4faddf

SHA256
c5e2e7fa58c4734d9fe7d7a3d2519f49f915a8c9b74f66d883d6f945e8dc88e0

SHA512
4d827e96d0d6333690c9777144525a929cbf68273d3ce67b7f1d53a2eb2cc20feca9cb073d12d0575eae0631b8cd03856044cd6f987799b8780844b3246b773b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\t2b.txt
Filesize
32B

MD5
500cf1681dda5a94296d684421ce1329

SHA1
8d117d0dfb98c5b9a18eece31d52be17dc4faddf

SHA256
c5e2e7fa58c4734d9fe7d7a3d2519f49f915a8c9b74f66d883d6f945e8dc88e0

SHA512
4d827e96d0d6333690c9777144525a929cbf68273d3ce67b7f1d53a2eb2cc20feca9cb073d12d0575eae0631b8cd03856044cd6f987799b8780844b3246b773b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd
Filesize
1.7MB

MD5
1c42c49a03f8416736f243907b1c8c0a

SHA1
64a6bc73c97b85c35813d7c3386753e0c8fd7e63

SHA256
6f9a4a22186afb4efd48689fe9dad4a1cf1cfd6f2706d3411c8f5d83607e0ba9

SHA512
6385706f690fa75267af441fc614a3971e4a7e5dab08de76e6a2773f5a4284bfb13e9c08595fc9b3dc39672f74ec1af26c79581df0cf9eb45b8ddb2785f22026

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
Filesize
3.0MB

MD5
6ed1ff22271e42f1b1b794fcf013c792

SHA1
bedfc9238562d8f060aa8ba2dd611fb0bd69028c

SHA256
3d64730cc54b77e11ab31a232434b09ca14fc393f3194eb8c622e62aa41d21f9

SHA512
0ddc4a0e772e45e5e87f2c1dacd559bb20a2a991f24af8415f714cb04fd9307ae9eb43bbc1acf551d3bc066f9c15d0a660568eaab391ad8378b30afe9a62b3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
Filesize
3.0MB

MD5
6ed1ff22271e42f1b1b794fcf013c792

SHA1
bedfc9238562d8f060aa8ba2dd611fb0bd69028c

SHA256
3d64730cc54b77e11ab31a232434b09ca14fc393f3194eb8c622e62aa41d21f9

SHA512
0ddc4a0e772e45e5e87f2c1dacd559bb20a2a991f24af8415f714cb04fd9307ae9eb43bbc1acf551d3bc066f9c15d0a660568eaab391ad8378b30afe9a62b3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\mainicon.ico
Filesize
361KB

MD5
31aca1a1047efbc8d2a6e22101b2227b

SHA1
7f0500f0dd7b33f13efcef891700d17306762e02

SHA256
a9eaafa2c8e36bb80f58d5930694676d76dab647b8f709f3142649bb8018fbfa

SHA512
190dd9471fdc93e9eeb8dede79f3b9f1a67c3ff62e5733f51ddf03130790ae0e409da92d46c8e616c35bcd5dbc9d2139c95452843f8a8a4ba8b4d70d1e43427a

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
859B

MD5
5361a203271ff575d69d62158f12aec6

SHA1
7f0caef9adb530df5e9cd80449ef16084aef3443

SHA256
d38c4345f64d0b589f1762997e50059a38e0e7a8024365486cbcedcd3132086f

SHA512
a270b51fe4463e1b4bf55aca7a34f0cc08e87926d79b35bc37c161e90a40e349d70717b8253b5fb7edac47bdd4bb7c4acd578b5df738558185e74c70ee75ebe1

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
892B

MD5
806496cd30e421c5a148aa06cb99bbdc

SHA1
a50f05c73e1369cbbda6df57583cd36c171e77f9

SHA256
dd41fab5dc373dcb1594ae9a59b167ab506c925f51d10904ac621c3e4a85b9ca

SHA512
47b8a5edefa28c63c8bf195329279f155834cfebb528c61b0c3fd3db04f6649bbaa6c9bc73686da05a5a5f7b9123a2f162a263e047e89fa39d29351e2c8b09e4

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
826B

MD5
961c911ea0df015fffa52e08da2be1a3

SHA1
33cf9565ae11b209a893af4a3b6d64d6358c69b9

SHA256
c844aec911504bdc2a50e7ede96c433671e29fa991b0fd7678364a2fd5f1b48a

SHA512
539846a57b25d9f047b734c73b57ff3fb0d5454cf9c541412766510970517dc0835734a43a4c1d49c7e32741dbbc39c987c15b18204d51f78286f4ca2e72227e

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\IRDissolveTransition.tns
Filesize
136KB

MD5
6a9b0ab9341ac4204aafc7fac9872962

SHA1
dc6ceafcb39b7329552d0883f2c3284dddbb0ddc

SHA256
6315b5d1869c3b4cbcbead77ad63da3a60d86ede287eccef338f74178ec181f2

SHA512
76bacf1de5ac883bb47ae8d3299d5f399ae84bcd19eadc3fd8ee01ae2605bbbbddd6aacf7fdec490b8e6baf362ae05dbf972a5710c2bc732e8542a1c5d04bca6

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\IRDissolveTransition.tns
Filesize
136KB

MD5
6a9b0ab9341ac4204aafc7fac9872962

SHA1
dc6ceafcb39b7329552d0883f2c3284dddbb0ddc

SHA256
6315b5d1869c3b4cbcbead77ad63da3a60d86ede287eccef338f74178ec181f2

SHA512
76bacf1de5ac883bb47ae8d3299d5f399ae84bcd19eadc3fd8ee01ae2605bbbbddd6aacf7fdec490b8e6baf362ae05dbf972a5710c2bc732e8542a1c5d04bca6

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
Filesize
32KB

MD5
4a43ea617017d5de7d93eb2380634eee

SHA1
b0af5aa27cd0e49955f1ab2d18d69f7bc8fd4d21

SHA256
dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549

SHA512
c241538ccf8feeb115dec39fc5f668675769b2681d96d77bca1f5d826a4841ddbf8ed0f167bdee1ec70d623b7a6382c88a3aa3b85083898a71585ca47796852e

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\banish.exe
Filesize
32KB

MD5
4a43ea617017d5de7d93eb2380634eee

SHA1
b0af5aa27cd0e49955f1ab2d18d69f7bc8fd4d21

SHA256
dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549

SHA512
c241538ccf8feeb115dec39fc5f668675769b2681d96d77bca1f5d826a4841ddbf8ed0f167bdee1ec70d623b7a6382c88a3aa3b85083898a71585ca47796852e

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\hosts.exe
Filesize
32KB

MD5
72ddf833fa206326e15c2c97679d323e

SHA1
ad148ff4b7f77831b469be8bb19d32d029c23b50

SHA256
387bcf2758752a65d0b3cef4bba95d5b1ef6e16e09e75a21e343ad2a407380c1

SHA512
66fd693751c90c10eb527b91a095af8464a59c5252d6455198cfe8289f1e94e2a062dc3841914b19aba93e152452c004d4c70dd8c7eda380b98b59ce841bf305

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\touch.exe
Filesize
17KB

MD5
a103b253997ac29f8da01a79ee4d47a4

SHA1
23fdf54155596f7e962d01634254b1d2b5dd9928

SHA256
47f0dad56e2e39ff9aeef66380a6175d369e67b29c4c6bcdc715f0b886b604e4

SHA512
e2d155b6a60ca9b53f628b55b44794d1affdafb306e674a1f8f1918ea76a6d2d1966572686c746a7d6908e593001f73ca52f55a491157c106ce088af5f5636b9

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
Filesize
3.0MB

MD5
6ed1ff22271e42f1b1b794fcf013c792

SHA1
bedfc9238562d8f060aa8ba2dd611fb0bd69028c

SHA256
3d64730cc54b77e11ab31a232434b09ca14fc393f3194eb8c622e62aa41d21f9

SHA512
0ddc4a0e772e45e5e87f2c1dacd559bb20a2a991f24af8415f714cb04fd9307ae9eb43bbc1acf551d3bc066f9c15d0a660568eaab391ad8378b30afe9a62b3e3

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
Filesize
3.0MB

MD5
6ed1ff22271e42f1b1b794fcf013c792

SHA1
bedfc9238562d8f060aa8ba2dd611fb0bd69028c

SHA256
3d64730cc54b77e11ab31a232434b09ca14fc393f3194eb8c622e62aa41d21f9

SHA512
0ddc4a0e772e45e5e87f2c1dacd559bb20a2a991f24af8415f714cb04fd9307ae9eb43bbc1acf551d3bc066f9c15d0a660568eaab391ad8378b30afe9a62b3e3

Download Submit
memory/240-269-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/288-143-0x0000000000000000-mapping.dmp

Download
memory/316-86-0x0000000000000000-mapping.dmp

Download
memory/316-295-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/316-107-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/328-324-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/328-203-0x0000000000000000-mapping.dmp

Download
memory/376-273-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/568-318-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/568-218-0x0000000000000000-mapping.dmp

Download
memory/572-140-0x0000000000000000-mapping.dmp

Download
memory/704-259-0x0000000000000000-mapping.dmp

Download
memory/708-108-0x0000000000000000-mapping.dmp

Download
memory/708-341-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/708-258-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/708-256-0x0000000000000000-mapping.dmp

Download
memory/832-60-0x0000000000000000-mapping.dmp

Download
memory/872-364-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/872-163-0x0000000000000000-mapping.dmp

Download
memory/900-380-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/904-228-0x0000000000000000-mapping.dmp

Download
memory/912-346-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/944-376-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/964-166-0x0000000000000000-mapping.dmp

Download
memory/964-314-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/976-177-0x0000000000000000-mapping.dmp

Download
memory/1012-82-0x0000000000000000-mapping.dmp

Download
memory/1012-404-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1040-170-0x0000000000000000-mapping.dmp

Download
memory/1040-173-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1040-351-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1064-357-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1116-116-0x0000000000000000-mapping.dmp

Download
memory/1132-360-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1136-127-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1136-123-0x0000000000000000-mapping.dmp

Download
memory/1164-386-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1164-54-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1232-147-0x0000000000000000-mapping.dmp

Download
memory/1232-151-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1248-370-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1340-192-0x0000000000000000-mapping.dmp

Download
memory/1464-254-0x0000000000000000-mapping.dmp

Download
memory/1488-187-0x0000000000000000-mapping.dmp

Download
memory/1540-77-0x0000000002F30000-0x0000000002FA6000-memory.dmp

Filesize
472KB

Download
memory/1552-113-0x0000000000000000-mapping.dmp

Download
memory/1580-247-0x0000000000000000-mapping.dmp

Download
memory/1596-216-0x0000000000000000-mapping.dmp

Download
memory/1612-226-0x0000000000000000-mapping.dmp

Download
memory/1616-261-0x0000000000000000-mapping.dmp

Download
memory/1616-266-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1620-206-0x0000000000000000-mapping.dmp

Download
memory/1620-118-0x0000000000000000-mapping.dmp

Download
memory/1624-224-0x0000000000000000-mapping.dmp

Download
memory/1656-92-0x0000000000000000-mapping.dmp

Download
memory/1656-249-0x0000000000000000-mapping.dmp

Download
memory/1656-394-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1692-185-0x0000000000000000-mapping.dmp

Download
memory/1692-220-0x0000000000000000-mapping.dmp

Download
memory/1696-128-0x0000000000000000-mapping.dmp

Download
memory/1712-138-0x0000000000000000-mapping.dmp

Download
memory/1712-102-0x0000000000000000-mapping.dmp

Download
memory/1716-307-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1716-222-0x0000000000000000-mapping.dmp

Download
memory/1732-189-0x0000000000000000-mapping.dmp

Download
memory/1732-301-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1752-304-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1752-344-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1764-132-0x0000000000000000-mapping.dmp

Download
memory/1764-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1784-245-0x0000000000000000-mapping.dmp

Download
memory/1784-89-0x0000000000000000-mapping.dmp

Download
memory/1784-253-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1788-278-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1804-379-0x00000000001F0000-0x000000000020E000-memory.dmp

Filesize
120KB

Download
memory/1812-103-0x0000000000000000-mapping.dmp

Download
memory/1812-212-0x0000000000000000-mapping.dmp

Download
memory/1820-158-0x0000000000000000-mapping.dmp

Download
memory/1828-251-0x0000000000000000-mapping.dmp

Download
memory/1828-184-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1828-135-0x0000000000000000-mapping.dmp

Download
memory/1828-181-0x0000000000000000-mapping.dmp

Download
memory/1828-214-0x0000000000000000-mapping.dmp

Download
memory/1868-231-0x0000000000000000-mapping.dmp

Download
memory/1868-152-0x0000000000000000-mapping.dmp

Download
memory/1880-196-0x0000000000000000-mapping.dmp

Download
memory/1880-200-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1880-161-0x0000000000000000-mapping.dmp

Download
memory/1920-234-0x0000000000000000-mapping.dmp

Download
memory/1956-165-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1956-155-0x0000000000000000-mapping.dmp

Download
memory/1960-174-0x0000000000000000-mapping.dmp

Download
memory/1964-111-0x0000000000000000-mapping.dmp

Download
memory/1964-201-0x0000000000000000-mapping.dmp

Download
memory/1964-309-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1992-98-0x0000000000000000-mapping.dmp

Download
memory/1992-210-0x0000000000000000-mapping.dmp

Download
memory/2020-243-0x0000000000000000-mapping.dmp

Download
memory/2020-97-0x0000000000000000-mapping.dmp

Download
memory/2028-238-0x0000000000000000-mapping.dmp

Download
memory/2028-242-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-208-0x0000000000000000-mapping.dmp

Download
memory/2032-57-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/2040-94-0x0000000000000000-mapping.dmp

Download
memory/2040-398-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads