Analysis
-
max time kernel
869s -
max time network
848s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
18-11-2022 13:47
General
-
Target
ContractCopy3862.html
-
Size
978KB
-
MD5
1118f053697a3048b19099fb2acd284a
-
SHA1
dee050fc962253582dd0660f648a69a11b364f92
-
SHA256
9f7eb4e5382c19d8e3ecbc71f13aaf467df4f61a835fee78ca199bdd3b7178ca
-
SHA512
c0247925481973b621d263ecfa7c68c85ba6b8f6fcbfa2eb283cbad8b8e13dd0df015a34b8985526a956b010f588960ed347f0d24d60969667f2b88c48b82bcc
-
SSDEEP
24576:D0R0eQGLbURy4/kZf1CvbWs3O0IITkgPGW3MK:D0lylhaIfL
Malware Config
Extracted
qakbot
404.30
obama222
1668692319
105.184.161.242:443
73.36.196.11:443
82.31.37.241:443
24.116.45.121:443
213.67.255.57:2222
200.93.14.206:2222
188.54.79.88:995
87.220.205.14:2222
72.88.245.71:443
92.137.74.174:2222
91.68.227.219:443
184.153.132.82:443
74.66.134.24:443
47.16.73.77:2222
41.97.183.39:443
177.205.92.100:2222
24.64.114.59:3389
105.111.45.51:995
86.180.222.237:2222
76.184.95.190:993
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Executes dropped EXE 5 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Users\Admin\AppData\Local\Temp\ContractCopy3862.html1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb81c84f50,0x7ffb81c84f60,0x7ffb81c84f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4424 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1588 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=808 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=980 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2644 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1244 /prefetch:82⤵
-
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=/CRezgR45sScs36OhtfUGau/Pny5/j2MraQRNDft --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x280,0x284,0x288,0x25c,0x28c,0x7ff61b0c5960,0x7ff61b0c5970,0x7ff61b0c59803⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_4548_PONQHSIEUKKSDOOJ" --sandboxed-process-id=2 --init-done-notifier=740 --sandbox-mojo-pipe-token=6333659683203458659 --mojo-platform-channel-handle=716 --engine=23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_4548_PONQHSIEUKKSDOOJ" --sandboxed-process-id=3 --init-done-notifier=984 --sandbox-mojo-pipe-token=12719176659620607976 --mojo-platform-channel-handle=9803⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1428 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4968 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4772 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4772 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4772 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,16528983199102823198,2044827517496332871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3872 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "E:\ContractCopy.js"1⤵
- Checks computer location settings
- Enumerates connected drives
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" addled\melodramatic.tmp2⤵
-
C:\Windows\SysWOW64\regsvr32.exeaddled\melodramatic.tmp3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\net.exenet view5⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\cmd.execmd /c set5⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a5⤵
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all5⤵
- Gathers network information
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP5⤵
-
-
C:\Windows\SysWOW64\net.exenet share5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share6⤵
-
-
-
C:\Windows\SysWOW64\route.exeroute print5⤵
-
-
C:\Windows\SysWOW64\netstat.exenetstat -nao5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet localgroup5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup6⤵
-
-
-
C:\Windows\SysWOW64\whoami.exewhoami /all5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4212_1968414675\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4212_1968414675\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={5a1793d2-984a-4d41-8258-9bbe0c59da16} --system2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "E:\ContractCopy.js"1⤵
- Checks computer location settings
- Enumerates connected drives
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" addled\melodramatic.tmp2⤵
-
C:\Windows\SysWOW64\regsvr32.exeaddled\melodramatic.tmp3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "E:\ContractCopy.js"1⤵
- Checks computer location settings
- Enumerates connected drives
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" addled\melodramatic.tmp2⤵
-
C:\Windows\SysWOW64\regsvr32.exeaddled\melodramatic.tmp3⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "E:\ContractCopy.js"1⤵
- Checks computer location settings
- Enumerates connected drives
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" addled\melodramatic.tmp2⤵
-
C:\Windows\SysWOW64\regsvr32.exeaddled\melodramatic.tmp3⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
253KB
MD549ac3c96d270702a27b4895e4ce1f42a
SHA155b90405f1e1b72143c64113e8bc65608dd3fd76
SHA25682aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
SHA512b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0
-
Filesize
141KB
MD5ea1c1ffd3ea54d1fb117bfdbb3569c60
SHA110958b0f690ae8f5240e1528b1ccffff28a33272
SHA2567c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d
SHA5126c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf
-
Filesize
449KB
MD579d7f318441c21d17739e43990697d1d
SHA19683265bf401d11313b768dfc4b3aeb10015d18c
SHA2560ce49dc9f71360bf9dd21b8e3af4641834f85eed7d80a7de0940508437e68970
SHA51267c7a7d3bbadeff21951809d2f843311328771ed46bc1ca14edba486263f56f86922668dd89d11b05a16130380b7543f7c9556d79503c505807407763e9d3595
-
Filesize
37KB
MD5f8b7cac6e9587baabf4045c34890c7ce
SHA161814262c6ee5ceaab2c0263c913cae52e203af7
SHA2568b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30
SHA5124f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211
-
Filesize
378KB
MD57adcb76ec34d774d1435b477e8625c47
SHA1ec4ba0ad028c45489608c6822f3cabb683a07064
SHA256a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d
SHA512c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4
-
Filesize
2.3MB
MD5b03b34bf2cd409714e8bb7e670b3315c
SHA1ca59a059824a53fca8966c6ae00d4fd3b94265e2
SHA256bb1733b7cb012f8b7d6cd0347283a549ffeab7beb4b3d0168e0d8c9cecdef8eb
SHA512fb4218f55bfff09ae13392d0cce3518eaff1da9b9d42d59a21ee1bb9ba42b574923858a7c23ae4bfac61bd5f977ea3e520ad5f7a69454eb59bc34bcaa13cd737
-
Filesize
1.3MB
MD57f3e3ab3e7f714da01ec0f495982e8d4
SHA1a6cdec146f2eb192460d3d3061baf4a7ead6ee22
SHA256ebfeeac7733a77a1e32995d638d67d2e05eefdbb62782053d8354959e046d0fa
SHA512493b6db2193cd91e95f0963b9ad898a2040c2abcf1b4a509e5a4d53980c95ec030b412e180c26a1bd504e4c839ef5b7e3b6f08878ec11cefa531157ef0f6368b
-
Filesize
6.1MB
MD5ee46beaa6c9244880e8a510d080b4416
SHA1a83c3946a2f53f064e91d8b60d5f6c697a560062
SHA256d4f17bd032ead2a73340e6c14e24a3fa901d0fbae78f49fe4d368a01b788b49c
SHA5124e69dddd1215b1675bac788996019ef3cb22418fbba75c0c7935dafb2b1742bad79cc9ea6814b5f8d1663657a7987499a155cdf57733d1afae42b0e25d475c25
-
Filesize
576KB
MD5169a2ef320119891cf3189aa3fd23b0e
SHA1de51c936101ef79bbc0f1d3c800cf832d221eef8
SHA2561072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780
SHA5127fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca
-
Filesize
14.4MB
MD52a91302bfe645cc3b7ed302fbb9c6940
SHA189234bccd1c8a511d59c60458754bc9488067039
SHA256664f9ea097d1992b28aff370ab00e19f049d1e62cc2776e61b07bbe0c4364935
SHA5120610a19401bf0b97a1b24c107b326d93a8e8e10072f3c42d203932dd6a5ead1d03b001a67d757e786e24016fca805fc2c8bf9ae3745b9f6f541b29cebd0db0d6
-
Filesize
14.4MB
MD52a91302bfe645cc3b7ed302fbb9c6940
SHA189234bccd1c8a511d59c60458754bc9488067039
SHA256664f9ea097d1992b28aff370ab00e19f049d1e62cc2776e61b07bbe0c4364935
SHA5120610a19401bf0b97a1b24c107b326d93a8e8e10072f3c42d203932dd6a5ead1d03b001a67d757e786e24016fca805fc2c8bf9ae3745b9f6f541b29cebd0db0d6
-
Filesize
14.4MB
MD52a91302bfe645cc3b7ed302fbb9c6940
SHA189234bccd1c8a511d59c60458754bc9488067039
SHA256664f9ea097d1992b28aff370ab00e19f049d1e62cc2776e61b07bbe0c4364935
SHA5120610a19401bf0b97a1b24c107b326d93a8e8e10072f3c42d203932dd6a5ead1d03b001a67d757e786e24016fca805fc2c8bf9ae3745b9f6f541b29cebd0db0d6
-
Filesize
14.4MB
MD52a91302bfe645cc3b7ed302fbb9c6940
SHA189234bccd1c8a511d59c60458754bc9488067039
SHA256664f9ea097d1992b28aff370ab00e19f049d1e62cc2776e61b07bbe0c4364935
SHA5120610a19401bf0b97a1b24c107b326d93a8e8e10072f3c42d203932dd6a5ead1d03b001a67d757e786e24016fca805fc2c8bf9ae3745b9f6f541b29cebd0db0d6
-
Filesize
14.4MB
MD52a91302bfe645cc3b7ed302fbb9c6940
SHA189234bccd1c8a511d59c60458754bc9488067039
SHA256664f9ea097d1992b28aff370ab00e19f049d1e62cc2776e61b07bbe0c4364935
SHA5120610a19401bf0b97a1b24c107b326d93a8e8e10072f3c42d203932dd6a5ead1d03b001a67d757e786e24016fca805fc2c8bf9ae3745b9f6f541b29cebd0db0d6
-
Filesize
3KB
MD5967af7efcd061ee50dbbabbb6f67510f
SHA12124c8f0ed6e798c0dad3bff9f6ab7a96cdabd13
SHA256b545c169e7ac67b82095a55468078122fdc4a69f3adc721313676524c23551e2
SHA5120e497888adec92acee8221894e9054901768083e163578e219251637944eb419b00b0a03e4a4ca59c09c1301d25ea19161648f5bcfea4b446599a2b61787247e
-
Filesize
1KB
MD535c7e305a06f30d3f0a97693c3504265
SHA1b30c965f53a93676cc9d87d29f5e6ac5b605dd84
SHA2563b6fb2683b4dfd83fdd0c6ee096f378aa85c6b1acc73ec66288802a71c9381f7
SHA512a6ac0ddc3c99d59a2c667410fe94bb8f267d1cf422c337febcfbae23d5c965b0e965ff0b77fc88fa9e7b06ee6ce6d532b6ecb0d87a53fb282260ef812379eb7c
-
Filesize
253KB
MD549ac3c96d270702a27b4895e4ce1f42a
SHA155b90405f1e1b72143c64113e8bc65608dd3fd76
SHA25682aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
SHA512b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0
-
Filesize
195B
MD57a8e3a0b6417948df4d49f3915428d7a
SHA14fc084aabdb13483567d5c417c7ed8fd16726a80
SHA256d1ac274cf1018020f2d9635a518ed1a1f21cc2cbe9e2a4392ec792d54b5b52fe
SHA512064d84a57b28c19ad10742859da493d0826b47adc632f6c623dfb4de36d72a9d29be98518061a9ffd42d99fcf01f27de39ce74782b3a5acbbe11dfddeeab59a1
-
Filesize
40B
MD51e177cc4c4d47a58b25ecb341f818c42
SHA145617950ce7442a259b459e970a376af4bc54786
SHA25688165020bca4e08bc1ccd36123728ba4b16e168fd1c3f26c527d13e4a9cb658d
SHA512eecb95a19b38a2fe7b49dd2427bb940cf59d287ac33e2a6f93489304795c2f83698f92354efe5a1fec0e487bf202e44c5c743b2b1f5a892a134118a79c047baa
-
Filesize
40B
MD51e177cc4c4d47a58b25ecb341f818c42
SHA145617950ce7442a259b459e970a376af4bc54786
SHA25688165020bca4e08bc1ccd36123728ba4b16e168fd1c3f26c527d13e4a9cb658d
SHA512eecb95a19b38a2fe7b49dd2427bb940cf59d287ac33e2a6f93489304795c2f83698f92354efe5a1fec0e487bf202e44c5c743b2b1f5a892a134118a79c047baa
-
Filesize
449KB
MD579d7f318441c21d17739e43990697d1d
SHA19683265bf401d11313b768dfc4b3aeb10015d18c
SHA2560ce49dc9f71360bf9dd21b8e3af4641834f85eed7d80a7de0940508437e68970
SHA51267c7a7d3bbadeff21951809d2f843311328771ed46bc1ca14edba486263f56f86922668dd89d11b05a16130380b7543f7c9556d79503c505807407763e9d3595
-
Filesize
37KB
MD5f8b7cac6e9587baabf4045c34890c7ce
SHA161814262c6ee5ceaab2c0263c913cae52e203af7
SHA2568b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30
SHA5124f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211
-
Filesize
378KB
MD57adcb76ec34d774d1435b477e8625c47
SHA1ec4ba0ad028c45489608c6822f3cabb683a07064
SHA256a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d
SHA512c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4
-
Filesize
2.3MB
MD5b03b34bf2cd409714e8bb7e670b3315c
SHA1ca59a059824a53fca8966c6ae00d4fd3b94265e2
SHA256bb1733b7cb012f8b7d6cd0347283a549ffeab7beb4b3d0168e0d8c9cecdef8eb
SHA512fb4218f55bfff09ae13392d0cce3518eaff1da9b9d42d59a21ee1bb9ba42b574923858a7c23ae4bfac61bd5f977ea3e520ad5f7a69454eb59bc34bcaa13cd737
-
Filesize
1.3MB
MD57f3e3ab3e7f714da01ec0f495982e8d4
SHA1a6cdec146f2eb192460d3d3061baf4a7ead6ee22
SHA256ebfeeac7733a77a1e32995d638d67d2e05eefdbb62782053d8354959e046d0fa
SHA512493b6db2193cd91e95f0963b9ad898a2040c2abcf1b4a509e5a4d53980c95ec030b412e180c26a1bd504e4c839ef5b7e3b6f08878ec11cefa531157ef0f6368b
-
Filesize
6.1MB
MD5ee46beaa6c9244880e8a510d080b4416
SHA1a83c3946a2f53f064e91d8b60d5f6c697a560062
SHA256d4f17bd032ead2a73340e6c14e24a3fa901d0fbae78f49fe4d368a01b788b49c
SHA5124e69dddd1215b1675bac788996019ef3cb22418fbba75c0c7935dafb2b1742bad79cc9ea6814b5f8d1663657a7987499a155cdf57733d1afae42b0e25d475c25
-
Filesize
576KB
MD5169a2ef320119891cf3189aa3fd23b0e
SHA1de51c936101ef79bbc0f1d3c800cf832d221eef8
SHA2561072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780
SHA5127fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
-
-
Filesize
796KB
-
Filesize
168KB
-
Filesize
168KB
-
-
Filesize
796KB
-
Filesize
460KB
-
Filesize
796KB
-
-
Filesize
168KB
-
Filesize
796KB
-
Filesize
168KB
-
Filesize
796KB
-
-
-
-
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
796KB
-
-
Filesize
168KB
-
Filesize
796KB
-
-
-
-
-
Filesize
796KB
-
-
Filesize
168KB
-
Filesize
796KB
-
Filesize
168KB
-
-
Filesize
168KB
-
Filesize
168KB
-
-
-
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
-
-
-
-
-
-
-
-
Filesize
168KB
-
Filesize
168KB
-
-