Analysis
max time kernel: 47s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/11/2022, 02:44
Static task: static1
Behavioral task: behavioral1
Sample: ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe
Resource: win7-20220812-en
General
Target: ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe
Size: 7.6MB
MD5: 7a3b036178be3af2d199e119abf83f8f
SHA1: 28ee4138634cf74b088ffe28ac802aaa2a89d0ff
SHA256: ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5
SHA512: baa0521a42e4920708689c46c6f909581fa298b9bacf856d5c02e8053abd33ba14e3df630a42bd4aff1d29058ade8a48cf7bcb1834448fb8dcb1cbd8119a83bb
SSDEEP: 196608:wcDE5xxyWRPQrnjGdTAdSwgbzERTY6+Z2vlyZHs7:wBpUGsbR0MsZHs7
Malware Config
Signatures
Checks for common network interception software (1 TTP)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Executes dropped EXE (3 IoCs)
pid   Process
3440  ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp
4536  gentlemjmp_ieu.exe
4004  gentlemjmp_ieu.tmp

Loads dropped DLL (5 IoCs)
pid   Process
4004  gentlemjmp_ieu.tmp  (5 events)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description        ioc                                                          Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum    ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp

Enumerates processes with tasklist (1 TTP, 15 IoCs)
pid   Process
3324  tasklist.exe
5068  tasklist.exe
4520  tasklist.exe
4772  tasklist.exe
3716  tasklist.exe
400   tasklist.exe
1452  tasklist.exe
4328  tasklist.exe
2448  tasklist.exe
2332  tasklist.exe
2592  tasklist.exe
2808  tasklist.exe
3860  tasklist.exe
2164  tasklist.exe
4048  tasklist.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp

Gathers network information (2 TTPs, 5 IoCs)
Uses commandline utility to view network configuration.
pid   Process
4504  NETSTAT.EXE
4684  NETSTAT.EXE
1956  NETSTAT.EXE
3160  NETSTAT.EXE
3616  NETSTAT.EXE

Script User-Agent (10 IoCs)
Uses user-agent string associated with script host/environment.
description             flow  ioc
HTTP User-Agent header  9     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  15    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  20    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  23    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  24    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  38    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  39    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  40    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  19    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  41    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
4904  powershell.exe  (2 events)
4940  powershell.exe  (2 events)

Suspicious use of AdjustPrivilegeToken (22 IoCs)
description              pid   Process
Token: SeDebugPrivilege  4904  powershell.exe
Token: SeDebugPrivilege  400   tasklist.exe
Token: SeDebugPrivilege  2332  tasklist.exe
Token: SeDebugPrivilege  2592  tasklist.exe
Token: SeDebugPrivilege  3616  NETSTAT.EXE
Token: SeDebugPrivilege  4504  NETSTAT.EXE
Token: SeDebugPrivilege  4684  NETSTAT.EXE
Token: SeDebugPrivilege  1956  NETSTAT.EXE
Token: SeDebugPrivilege  3160  NETSTAT.EXE
Token: SeDebugPrivilege  1452  tasklist.exe
Token: SeDebugPrivilege  4328  tasklist.exe
Token: SeDebugPrivilege  3324  tasklist.exe
Token: SeDebugPrivilege  3860  tasklist.exe
Token: SeDebugPrivilege  2164  tasklist.exe
Token: SeDebugPrivilege  2448  tasklist.exe
Token: SeDebugPrivilege  4048  tasklist.exe
Token: SeDebugPrivilege  5068  tasklist.exe
Token: SeDebugPrivilege  2808  tasklist.exe
Token: SeDebugPrivilege  4520  tasklist.exe
Token: SeDebugPrivilege  3716  tasklist.exe
Token: SeDebugPrivilege  4772  tasklist.exe
Token: SeDebugPrivilege  4940  powershell.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical parent-to-child writes are collapsed into one row with an event count)
source pid -> target pid   source Process                                                          procid_target   events
2564 -> 3440   ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe   81    3
3440 -> 3684   ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp   82    3
3684 -> 4904   cmd.exe                                                                 84    3
3440 -> 4628   ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp   85    3
4628 -> 4232   cmd.exe                                                                 87    3
4232 -> 400    cmd.exe                                                                 88    3
3440 -> 112    ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp   89    3
112 -> 3188    cmd.exe                                                                 91    3
3188 -> 2332   cmd.exe                                                                 92    3
3440 -> 3620   ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp   95    3
3620 -> 4612   cmd.exe                                                                 97    3
4612 -> 2592   cmd.exe                                                                 98    3
3440 -> 4200   ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp   99    3
3440 -> 1964   ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp   101   3
1964 -> 3616   cmd.exe                                                                 103   3
1964 -> 640    cmd.exe                                                                 104   3
1964 -> 2288   cmd.exe                                                                 105   3
3440 -> 2560   ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp   106   3
2560 -> 4504   cmd.exe                                                                 108   3
2560 -> 3716   cmd.exe                                                                 109   3
2560 -> 1012   cmd.exe                                                                 110   3
3440 -> 456    ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp   112   1
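The powershell.exe one-liner under PIDs 4904 and 4940 in the process tree below does not enumerate processes for its own sake: it asks Windows Security Center (root\SecurityCenter2, or root\SecurityCenter on Windows 5.x, i.e. XP/2003) for every AntiVirusProduct and AntiSpywareProduct, prints "ServerOS|0" on server editions (ProductType 3), and otherwise emits displayName|productState records joined with "*". What the installer learns from that string depends on how productState is decoded. The parser below is an added example written for this report, not code from the sample; the bit layout it assumes (0x1000 = real-time protection on, 0x10 = signatures out of date) is the commonly documented WSC encoding, and the sample's own legacy branch agrees with it, since it maps onAccessScanningEnabled to the literal 4096 (0x1000). The SAMPLE_REPORT string and the product names in it are constructed.

```python
"""Decode the Security Center AntiVirusProduct.productState values that the
installer's PowerShell one-liner collects and prints as
"displayName|productState*displayName|productState".

Added example for this report, not the sample's code. The masks below are
the commonly documented WSC bit layout and are an assumption here.
"""
from dataclasses import dataclass

ENABLED_MASK = 0x1000      # real-time / on-access protection enabled
OUT_OF_DATE_MASK = 0x0010  # signature definitions out of date
FIELD_SEP = "|"            # the script separates name and state with "|"
RECORD_SEP = "*"           # ... and joins records with "*"


@dataclass(frozen=True)
class AvStatus:
    name: str
    product_state: int
    enabled: bool
    out_of_date: bool

    @property
    def summary(self) -> str:
        return (f"{self.name}: {'enabled' if self.enabled else 'disabled'}, "
                f"{'out of date' if self.out_of_date else 'up to date'} "
                f"(productState=0x{self.product_state:06x})")


def decode_product_state(state: int) -> tuple[bool, bool]:
    """Return (enabled, out_of_date) for one WSC productState value."""
    return bool(state & ENABLED_MASK), bool(state & OUT_OF_DATE_MASK)


def parse_av_report(report: str) -> list[AvStatus]:
    """Parse the exact string the sample's one-liner prints.

    Edge cases the script can produce are handled: an empty string (no
    registered products) yields no records, and the server-edition marker
    "ServerOS|0" yields one record named ServerOS with everything off.
    Records without a separator or with a non-numeric state are skipped.
    """
    results: list[AvStatus] = []
    for record in filter(None, report.split(RECORD_SEP)):
        name, sep, raw_state = record.rpartition(FIELD_SEP)
        if not sep or not name:
            continue
        try:
            state = int(raw_state)
        except ValueError:
            continue
        enabled, out_of_date = decode_product_state(state)
        results.append(AvStatus(name, state, enabled, out_of_date))
    return results


# Constructed sample output in the one-liner's format (product names and
# states are made up for the example; 397568 = 0x061100 is a typical
# "enabled, up to date" value, 262144 = 0x040000 "disabled",
# 266256 = 0x041010 "enabled but out of date").
SAMPLE_REPORT = "Windows Defender|397568*Example AV|262144*Example AV|266256"

if __name__ == "__main__":
    for status in parse_av_report(SAMPLE_REPORT):
        print(status.summary)
```

Only two bits matter to an installer deciding whether to proceed: whether any product reports real-time protection on, and whether its signatures are stale. Everything else in productState (the vendor/type byte) is noise for that decision, which is why the decoder ignores it.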
Processes (indented by depth in the process tree; each entry gives the image path, the command line, the PID and the signatures hit)

C:\Users\Admin\AppData\Local\Temp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe"
  PID 2564 | Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-D7H5A.tmp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp
    cmd: "C:\Users\Admin\AppData\Local\Temp\is-D7H5A.tmp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp" /SL5="$A0046,7652844,56832,C:\Users\Admin\AppData\Local\Temp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe"
    PID 3440 | Executes dropped EXE; Maps connected drives based on registry; Enumerates system info in registry; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\ex.bat""
      PID 3684 | Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
        PID 4904 | Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 4628 | Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
        PID 4232 | Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
          PID 400 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 112 | Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
        PID 3188 | Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
          PID 2332 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 3620 | Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
        PID 4612 | Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
          PID 2592 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\cmd.bat""
      PID 4200

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"
      PID 1964 | Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\NETSTAT.EXE
        cmd: netstat -na
        PID 3616 | Gathers network information; Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /C:":5900 "
        PID 640

      C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /C:"ESTABLISHED"
        PID 2288

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"
      PID 2560 | Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\NETSTAT.EXE
        cmd: netstat -na
        PID 4504 | Gathers network information; Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /C:":5901 "
        PID 3716

      C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /C:"ESTABLISHED"
        PID 1012

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"
      PID 456

      C:\Windows\SysWOW64\NETSTAT.EXE
        cmd: netstat -na
        PID 4684 | Gathers network information; Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /C:":5902 "
        PID 4496

      C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /C:"ESTABLISHED"
        PID 4420

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"
      PID 5096

      C:\Windows\SysWOW64\NETSTAT.EXE
        cmd: netstat -na
        PID 1956 | Gathers network information; Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /C:"ESTABLISHED"
        PID 704

      C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /C:":5903 "
        PID 4996

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"
      PID 1904

      C:\Windows\SysWOW64\NETSTAT.EXE
        cmd: netstat -na
        PID 3160 | Gathers network information; Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /C:":5904 "
        PID 3208

      C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /C:"ESTABLISHED"
        PID 4532

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 1952

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
        PID 3868

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
          PID 1452 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 1808

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
        PID 2764

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
          PID 4328 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 1040

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
        PID 3120

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
          PID 3324 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 1636

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
        PID 4584

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
          PID 3860 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 624

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
        PID 3220

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
          PID 2164 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 1180

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
        PID 4888

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
          PID 2448 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 2848

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
        PID 4232

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
          PID 4048 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 220

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
        PID 3188

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
          PID 5068 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 1688

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
        PID 1748

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
          PID 2808 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 1184

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
        PID 1148

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
          PID 4520 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 2288

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
        PID 2788

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
          PID 3716 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID 1012

      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
        PID 4256

        C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
          PID 4772 | Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\gentlemjmp_ieu.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\gentlemjmp_ieu.exe" go=ofcourse product_id=UPD
      PID 4536 | Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\is-N11JB.tmp\gentlemjmp_ieu.tmp
        cmd: "C:\Users\Admin\AppData\Local\Temp\is-N11JB.tmp\gentlemjmp_ieu.tmp" /SL5="$1B01D6,7142274,56832,C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\gentlemjmp_ieu.exe" go=ofcourse product_id=UPD
        PID 4004 | Executes dropped EXE; Loads dropped DLL

        C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-IPTQA.tmp\ex.bat""
          PID 544

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: identical to the powershell.exe command line under PID 4904 above
            PID 4940 | Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
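The tree above is the whole story of this run: an Inno Setup installer (the is-XXXXX.tmp staging directory and the /SL5= switch are Inno Setup's) spawns a CheckProc.cmd helper once per image name it wants to know about (its own Setup.exe copies, TeamViewer, DFServ, HMA VPN, Fiddler, Procmon, regedit, Taskmgr, OllyDbg, Regshot, Unchecky), runs netstat -na five times looking for ESTABLISHED connections on VNC ports 5900 through 5904, and queries Security Center for AV state, then launches a second Inno Setup package (gentlemjmp_ieu.exe) that repeats the AV query. No single event is suspicious; the pattern is. The detection below, an added example written for this report and not part of the sandbox or the sample, groups process-creation events by their top-most known ancestor and alerts when one tree probes several analysis-tool names, probes VNC ports, or queries Security Center. The EVENTS list is constructed from the command lines in the tree (the PowerShell one-liner is shortened, the PIDs are the report's) plus one benign tree with made-up PIDs 9000 and 9001 to show the threshold at work; the threshold itself and the VNC port range are assumptions.

```python
"""Flag the anti-analysis sequence from this report in process-creation
telemetry: a burst of tasklist /FI "IMAGENAME eq <tool>" probes, netstat
pipelines looking for live VNC sessions, and a Security Center WMI query.

Added example, not code from the sample or the sandbox. EVENTS is
constructed from the report's process tree; thresholds are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# tasklist /FI "IMAGENAME eq <tool>"   -> the probed image name
TASKLIST_RE = re.compile(r'tasklist\s+/FI\s+"IMAGENAME\s+eq\s+([^"]+)"', re.I)
# netstat -na | findstr /C:":<port> "  -> the probed port
NETSTAT_RE = re.compile(r'netstat\s+-na\b.*findstr\s+/C:":(\d{4,5}) "', re.I)
# Windows Security Center namespaces (AntiVirusProduct lives there)
WSC_RE = re.compile(r"root\\SecurityCenter2?\b", re.I)

VNC_PORTS = range(5900, 5910)  # assumption: RFB displays :0 to :9
MIN_DISTINCT_PROBES = 3        # assumption: tunable alert threshold


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def probed_image(cmdline: str):
    """Image name a tasklist /FI filter asks about, or None."""
    m = TASKLIST_RE.search(cmdline)
    return m.group(1) if m else None


def probed_vnc_port(cmdline: str):
    """VNC port a netstat|findstr pipeline looks for, or None."""
    m = NETSTAT_RE.search(cmdline)
    if m and int(m.group(1)) in VNC_PORTS:
        return int(m.group(1))
    return None


def detect(events):
    """Return (root_pid, finding, details) tuples, one per behaviour per tree."""
    parents = {e.pid: e.ppid for e in events}

    def root_of(pid):
        while parents.get(pid) in parents:  # climb while the parent is known
            pid = parents[pid]
        return pid

    tools, ports, wsc = defaultdict(set), defaultdict(set), set()
    for e in events:
        root = root_of(e.pid)
        if (name := probed_image(e.cmdline)) is not None:
            tools[root].add(name.lower())   # wrapper cmd and tasklist.exe dedupe here
        if (port := probed_vnc_port(e.cmdline)) is not None:
            ports[root].add(port)
        if WSC_RE.search(e.cmdline):
            wsc.add(root)

    findings = []
    for root in sorted(parents):
        if len(tools[root]) >= MIN_DISTINCT_PROBES:
            findings.append((root, "analysis-tool process probing", sorted(tools[root])))
        if ports[root]:
            findings.append((root, "VNC session probing", sorted(ports[root])))
        if root in wsc:
            findings.append((root, "Security Center AV enumeration", []))
    return findings


# Constructed from the report's process tree (PowerShell one-liner shortened);
# PIDs 9000/9001 are a made-up benign tree that checks a single process.
EVENTS = [
    ProcEvent(2564, 0, "ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe", ""),
    ProcEvent(3440, 2564, "ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp", ""),
    ProcEvent(3684, 3440, "cmd.exe", r'"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\ex.bat""'),
    ProcEvent(4904, 3684, "powershell.exe", r'powershell.exe -NoProfile -NoLogo -Command "& {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct}"'),
    ProcEvent(4628, 3440, "cmd.exe", r'"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""'),
    ProcEvent(4232, 4628, "cmd.exe", r'C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV'),
    ProcEvent(400, 4232, "tasklist.exe", r'tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV'),
    ProcEvent(1964, 3440, "cmd.exe", r'"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"'),
    ProcEvent(2560, 3440, "cmd.exe", r'"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"'),
    ProcEvent(1952, 3440, "cmd.exe", r'"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""'),
    ProcEvent(1452, 1952, "tasklist.exe", r'tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV'),
    ProcEvent(1636, 3440, "cmd.exe", r'"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""'),
    ProcEvent(3860, 1636, "tasklist.exe", r'tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV'),
    ProcEvent(1040, 3440, "cmd.exe", r'"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""'),
    ProcEvent(3324, 1040, "tasklist.exe", r'tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV'),
    ProcEvent(9000, 1, "cmd.exe", r'cmd.exe /c helpdesk.cmd'),
    ProcEvent(9001, 9000, "tasklist.exe", r'tasklist /FI "IMAGENAME eq notepad.exe" /FO CSV'),
]

if __name__ == "__main__":
    for root, finding, details in detect(EVENTS):
        print(f"root pid {root}: {finding} {details}")
```

Grouping by the top-most ancestor matters because the installer never runs tasklist itself: every probe is two or three cmd.exe hops below the Inno Setup .tmp process, so a rule keyed on the immediate parent sees only one probe per cmd.exe and never reaches the threshold. Port 5900 through 5904 in the ESTABLISHED state is a check for a live VNC session on the host, which an installer that wants to avoid being watched by an analyst (or a remote-controlled victim) treats the same way as a running Fiddler or Procmon.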
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2KB
MD5: 0774a05ce5ee4c1af7097353c9296c62
SHA1: 658ff96b111c21c39d7ad5f510fb72f9762114bb
SHA256: d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4
SHA512: 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Filesize: 17KB
MD5: 74502846b60e11eab49b0be0c282d6c7
SHA1: ac349fc2f79cfc4bd6f9ff62589e1f41134ed168
SHA256: 12628c6c9a3f292f864940416615010774f4626e3ae632720f5607317b7b9cfc
SHA512: 1e63c37789aaff68932442cbb9c11a2e3980e771d517eb452176b850a4b2a32033532626da0276d43cc3419cf2da0483f880bba313899c9201692c1ca5a61f1c

C:\Users\Admin\AppData\Local\Temp\is-D7H5A.tmp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp
Filesize: 690KB
MD5: 1305181de520f125aeabf85dc24a89d6
SHA1: 98b7548fede3f1468ccbdee405abdc4e5d2ec671
SHA256: 0e19765b89a1a29afee09810dcb3ec5cc7c66053947be8f1aebdbb7c801dfeaf
SHA512: b0bfa9749a6a5a18c1926e6c5ebb4cdb156df1652cb822f067422a1cd21583340f32e4a1fc2f4c21a09343d73a55651972edbd2dec98ce44641a1097c16bc793

Filesize: 1B
MD5: 68b329da9893e34099c7d8ad5cb9c940
SHA1: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512: be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Filesize: 786B
MD5: 3b0db403b591addc563a25026ac5014b
SHA1: e95fff7db01128c6e07ca064184ea542c02c4f7c
SHA256: adca7abd28b7c4d82d59881f65a108ed6d31cb67f60df9b1af2de12ccaaca03e
SHA512: 703832d7fb8e019021ebbee926889402a67af1319a051fc713388f89b42466dfa91233419f880dee3b8b6381a813a28f06a52cfaaf5f546d4de0e360a8055bac

Filesize: 63KB
MD5: 1c55ae5ef9980e3b1028447da6105c75
SHA1: f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA256: 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA512: 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Filesize: 385KB
MD5: 92c2e247392e0e02261dea67e1bb1a5e
SHA1: db72fed8771364bf8039b2bc83ed01dda2908554
SHA256: 25fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68
SHA512: e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5

Filesize: 200KB
MD5: d82a429efd885ca0f324dd92afb6b7b8
SHA1: 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256: b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512: 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Filesize: 118B
MD5: f0315949ccc3d22d958503f5735cfbcc
SHA1: 883bf4e366046eb1ef6e2d81fd74fe75ae73b2c0
SHA256: 201c4e665ce446e067cb152d1c3834e416f6a09a9e6d7c45c20f1bc1cc74534d
SHA512: aa1faa44ba8f47052bf236d5135dc70f1293028663f4abbc7cc043277428217b047b25d6e6691c1685db52bd2065f0d5c4306d9db590696773c3becf2481a251

Filesize: 144B
MD5: e902b4bcf5b531d057d091d00be3daee
SHA1: 0cd058fcfab51dbfe91b139dc52245d5a4326f55
SHA256: 9daadc1e6c019a712e5236eafc29e687ea79efd4de1310dc2eeb1ed165ea26c3
SHA512: 5f7a84040b4bbf46173ff5404d970af5cb3e54c0dfc0d6ab6b161c2f417b6b1a023abe7b9f2b723b2985511894649c54c045204de01b2a52a51d7143e8f82c11

Filesize: 126B
MD5: 110d64c0e450ff59542f81690a2d53b7
SHA1: 7f2e989deb095a0530792989e5fa9d7279d5f3e7
SHA256: 735ca381b6d3cbb675e698aa92222566d5174c0fbdf7807605f105c512c9fa1e
SHA512: 00b86a1fd4db9e8861d3973a395c34b41a5a277901552b66ac671ced492638174f256785f563bfad263bc93315544bce87c91d26bd48a39fbab7daccceae0d34

Filesize: 120B
MD5: c842d438cebab4b876572a8bc032aabe
SHA1: e95c7d4e2f6246daba6f0baec8e1b94c91384c4d
SHA256: ef7d9a0d456e1901b0bdebdce961d480bcf8270a7d7646591bdc2886c8716218
SHA512: aa8a28a1b0a0b9b65db195863fec9b903ffa335ccee7d50dc514f5d9c63f2ca51b2bf52694879adf43021cedfc4c5f8e7c3c90bb6dc493114a700cd79cce183c

Filesize: 126B
MD5: 8fec1ab28e8ee7394915990458fb85dc
SHA1: c70e183a783a9621cd64584de99f8163deb40872
SHA256: b96251154ddbfd11d36e74eae84537229912a54dcb86f1277deab084322ce4dd
SHA512: c33223c094764b9704ced1ab6256aa227873c2be81acce328d12113504e55716563ad561641b726dcd2939c6237b4a4dad522512a4f59e3f805f91ffaf3a3be9

Filesize: 132B
MD5: 97cc4c6dda23b9631b8c9185859ad061
SHA1: 5f912a6c094bd918afe5e9f0c70cd45b36dff722
SHA256: 55b728e4cc0974b19641d1dc77df0f381f244b254d39e2566dcf525b9d106cd8
SHA512: cf82517f44425d402305129821cff7668c5db27d5427b8a8886e99146a1a56ef43b8055e6c62929fbfdf293a88664a760e49443ac89453fa3163ed1ebfb8469e

Filesize: 122B
MD5: b921f2f9f97a642d513e1307f7685e0f
SHA1: 3489b63a484a6114f1828100908bbbc622b07ed1
SHA256: 953998031a5ac3582232545f923b32f02587fb233791a0326b889f28af4cfabc
SHA512: 1da42e0ed2dca9f2a559739c6a0c6b28a54e0d8d0617bec542729a362dd0f36f9287bcd4433c9cabd7db7430e7295f6879c7777a86035c4f3c86b3b05847ae0e

Filesize: 122B
MD5: 660d266764b1952b43431d6c7dc0dfa9
SHA1: 809794738d6ca580d6ec14e77a717e831b0d0e5c
SHA256: e3c86ead8667eac8c9ea88e2ee5f5f14f0f0be59a54864f99cbee17d554f74e5
SHA512: 6fc27ec6f453c2791aa9d0c38817128ed8e2fff26748fbe0cfee6411d8a120970494b3504078a3079c90d409434f22b35974efd5cbbaf14ce3657715fc18f4c3

Filesize: 122B
MD5: 59a8010aab7eb203cd9fda8f6be1beca
SHA1: b9a07636b921183c88880320294e279c935cddd7
SHA256: 2a5b80a6a1522b75fda6e7f99ceb912bc7db1bd6be11995fdcbde1ab7d836dba
SHA512: 26ae700f89e827f9d5f8d29c7f393eb3e5885d32266591d61b20ffd7ba1d08dfbc0e6e9368c94288185a01960cbd0a8ce96b063187396465e640e963e9b3666e

Filesize: 122B
MD5: a59dd0f9883ea39c5119831b0eed46cc
SHA1: 8c9354051f7d92310636f0f17e5770aede9d1ad3
SHA256: ff1f1293c860b0709d0244a8c6a29294543efdc698a70469e1cd388c0db84493
SHA512: 4a07eac5507fc174879eb960becf19b3a20b224232f74dfeb28d393bed3f181a0d4020efb9b656000d4ce756491c44f4f5a86dec184feca593c9bf6bd8700dac

Filesize: 122B
MD5: 32b997a9d994996a4369a580e6541b7d
SHA1: d61b48404dd6f6dd43d90858ffb7ddb967ecb1f1
SHA256: 39863141871b63880b4282066451321a902a7e6b97264c9ffdfd8128ac8293b8
SHA512: f3ff262b5986436671b4cf970d2ab4eb0dfd3d70651e7e84c8ae38788ef12032db825b81e6e1d8c4f20f0aa5a8067e6e7943b7e3e3c9817e97f0ab227f3fbe1f

Filesize: 146B
MD5: f0b99c1273d3787f7769feb4d56e6803
SHA1: 6105232df9585072be8ca04712f8760812943cbf
SHA256: 176a95493ca3bbfc9a68b4283b53a291faef0f9a7c413b43e1bdad86834a820d
SHA512: 73b313c0046f6fcec974f2af64859c0af122e9f86503c7427519b7d2aaaf67e2f8cc68de17b93f24604aff815b843fce9a01571c1db48d3c12867e49daab0133

Filesize: 138B
MD5: 755c6764b8ecbb83798450705f51510f
SHA1: deb141c4fc3220f0ff5c16eabf1adf850bf55610
SHA256: cfe680c9896cade2f5163ee0a463a7f7dbae7ee4aadf8de15c6c119a1d582016
SHA512: a6292b9416cbbc4a407d143acd502b6a726abb5411309e292f6696a7e55ecb5b78b4bdc764dc3484e85a5a40f21d410018172544b00882759b251aa9dce5df89

Filesize: 132B
MD5: 410515fbd7d2a2b4fab0fb80c76c2a74
SHA1: f32bd4fc7ade9efdc92b99e79a0b2f95edfc5893
SHA256: 6b398a1053c39530e13afb3bad98900d9a5a6d27523a0c5d44c746afb539fe99
SHA512: f301aaeb96aa848eb6823830397c9fb12086db558663235c8b0882cefe2ae105cc75e2cc70315ce2fdfa17d3538427f4afa6a9cf24834a884a10cb4cb87652aa

Filesize: 130B
MD5: 0cbb771b9f9523adb96d5bae77154a05
SHA1: 528330a335047039ab012b01bb7a3f585e6f5a8d
SHA256: 4b6e256fc13fdb04ac97e583dda99f6ade2356f9c692f5150b262d3e464bd71e
SHA512: 41f44acafb84b24e15ebee4a18c2ae39c06ad401db2272939ad1d650c27e1a219d7c05df63a7ec2ab0676c7ed34ca5c7ed1d4cfaa143998e90ce12f13875f0f1

Filesize: 1B
MD5: 68b329da9893e34099c7d8ad5cb9c940
SHA1: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512: be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Filesize: 81B
MD5: 784d0dec1b75b73bfb86095f4aa9a1b4
SHA1: 3ce5a6f9822e596a6056cfea3f1bc6bfc281a4c8
SHA256: 7967c55836683f221e6aa10e59fa519d2186125f299bebfa5febbdbfd8ea7306
SHA512: 8c18aa559866fd8d625c0042c71c9496cbbf63b76e553109f6e13f24a1dff4aea11ffa665ad7b182b72ad5ac5c57e26e63e78f628bfbf240208b76eea4bbb1a4

Filesize: 786B
MD5: 5bbc3e493fde32a885d3402d8400b522
SHA1: 47eb2afd66f2fd9760781812979226e79f055803
SHA256: 31e9bb47344cf27f767a28693bf3f96852610d5e3c33bfa9bcde40598c69da47
SHA512: fd0c19e441321c3958e3652dbd03e1ac12a6e03ec3c15f0eaa09ee582338eec0e7780ca51ba8f2fc8855dbbc327c94f8a2ea76476e251b34de4e0e8e1ab89685

Filesize: 10B
MD5: f0b81e3ecd1b5d144558da07bece8803
SHA1: 9ee5bf12a207859d89dc893b8d02bd5c739edb52
SHA256: dd7aaa38192189cbf2adfc9416289be6ea3c2e10f2ca08bae453cb1df66babc1
SHA512: 774a7485d316be62ca6a2303cf0e8f59611b804eb2d518dd76bcdbf755544818032be367d9c2d5ad778059b0c2da2d5a0e46e2a5420d6fd2da3cc0b2bcbe34a6

Filesize: 7.1MB
MD5: 2826b1bfca3a87c68fdcfa6afafb9b9f
SHA1: 6b1a78a5299dd1ad8242606c9477494d128f4d6a
SHA256: 4c95a4306acdec394f3dfa1e0b682a2c6faa2e71b1c4ff92f909695c4743b48d
SHA512: e78daeb6ec86322be00d9caf674f2725491d39f545b03e6ef39de71c219c6a2867bbdbb313da16ab0145a2a8f25c6da9b782ac42a481524895df08e9b4b17028