ae1d2fc3c4a341973ebb044ca97551bfc03795b06a8fad6422306ab068d0b260

Analysis

max time kernel
125s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-04-2023 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StreamHelpersSetup.exe
Size

5.1MB
MD5

204d43f3f04ab08863730428aef33a0e
SHA1

9a13f8f7b230be2ab7eeb2b21240041e5209495f
SHA256

ae1d2fc3c4a341973ebb044ca97551bfc03795b06a8fad6422306ab068d0b260
SHA512

7555201978828c71006decbf09dad8ff4535fe572438fdc41ed0a990073bccca43525da1a6c639fb6a7313642dcde608a3440b7de68b158336da1aaf5b21a7d1
SSDEEP

98304:VABCUgjLwvDqtrJwnN5xdnbzXzt4AM0faL6qutk1RsmVmjcJoO9VePFuLmho:iBx6qN5bnty0yLYtUyXcCO9VePamm

Score

8^/10

bootkit evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

booster.exemelter.exemelter.exe

pid process

1820 booster.exe
2040 melter.exe
1048 melter.exe
Loads dropped DLL 7 IoCs

Processes:

WScript.execmd.exe

pid process

1860 WScript.exe
1860 WScript.exe
1860 WScript.exe
1860 WScript.exe
1828 cmd.exe
1828 cmd.exe
1828 cmd.exe

pid	process
1820	booster.exe
2040	melter.exe
1048	melter.exe

pid	process
1860	WScript.exe
1860	WScript.exe
1860	WScript.exe
1860	WScript.exe
1828	cmd.exe
1828	cmd.exe
1828	cmd.exe

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\F:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\D:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\F:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

booster.exe

description ioc process

File opened for modification \??\PhysicalDrive0 booster.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	booster.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\risi.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	\??\c:\PROGRA~1\WINDOW~3\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\CALEND~1.GAD\images\bg-today.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\de-DE\TipTsf.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\tpcps.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\System\OLEDB~1\ja-JP\sqlxmlx.rll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\BabyGirl\flower_trans_matte.wmv	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\RECTAN~1\1047x576black.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\Adobe\READER~1.0\Reader\PDFSIG~1.PDF	cmd.exe
File opened for modification	\??\c:\PROGRA~2\Adobe\READER~1.0\Resource\TYPESU~1\Unicode\Mappings\Adobe\zdingbat.txt	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\PICTUR~1.GAD\Images\1.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\TipBand.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\FSDEFI~1\keypad\kor-kor.xml	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\hwrusalm.dat	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\ipsptb.xml	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\System\msadc\fr-FR\msdaprsr.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\INTERN~1\F12Resources.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\CALEND~1.GAD\en-US\calendar.html	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\SLIDES~1.GAD\images\Tulip.jpg	cmd.exe
File opened for modification	\??\c:\PROGRA~2\COMMON~1\MICROS~1\ink\it-IT\micaut.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\MEDIAC~1.GAD\images\Gadget_WMC_LogoText.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\de-DE\IpsMigrationPlugin.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\mshwjpnr.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\STATIO~1\ShadesOfBlue.jpg	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\BabyBoy\babyblue.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\RESIZI~1\Panel_Mask.wmv	cmd.exe
File opened for modification	\??\c:\PROGRA~1\INTERN~1\en-US\F12.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\de-DE\js\RSSFeeds.js	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\ja-JP\TipRes.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\es-ES\tipresx.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\ja-JP\DVDMaker.exe.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\it\System.Net.Resources.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\ja-JP\js\timeZones.js	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\divider-horizontal.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\it-IT\rtscom.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\System\ado\msadomd.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\rtstreamsink.ax	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\SPECIA~1\SpecialNavigationUp_ButtonGraphic.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Vignette\NavigationUp_ButtonGraphic.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI0FCF~1\Journal.exe	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\images\rss_headline_glow_flyout.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\Adobe\READER~1.0\Reader\Tracker\trash.gif	cmd.exe
File opened for modification	\??\c:\PROGRA~2\Adobe\READER~1.0\Resource\TYPESU~1\Unicode\Mappings\win\CP1254.TXT	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\System\msadc\msdaremr.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\FlipPage\1047x576black.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\Adobe\READER~1.0\Reader\Tracker\tr.gif	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\Eurosti.TTF	cmd.exe
File opened for modification	\??\c:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\Microsoft.VisualC.STLCLR.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\fr-FR\css\flyout.css	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\30.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\COMMON~1\MICROS~1\ink\en-US\TipTsf.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\INTERN~1\ie9props.propdesc	cmd.exe
File opened for modification	\??\c:\PROGRA~1\INTERN~1\iexplore.exe	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WINDOW~1\fr-FR\WinMail.exe.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\en-US\js\highDpiImageSwap.js	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\fr-FR\ShapeCollector.exe.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\ja\System.Data.Entity.Design.Resources.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI54FB~1\es-ES\wmpnssci.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\CALEND~1.GAD\en-US\js\calendar.js	cmd.exe
File opened for modification	\??\c:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\PDXFIL~1.ICO	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\System\msadc\de-DE\msaddsr.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\images\settings_divider.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\ja-JP\flyout.html	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\es-ES\weather.html	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\wlsrvc.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1976 timeout.exe
1760 timeout.exe
1780 timeout.exe

pid	process
1976	timeout.exe
1760	timeout.exe
1780	timeout.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1016	taskkill.exe
1004	taskkill.exe
1644	taskkill.exe
1756	taskkill.exe
440	taskkill.exe
1592	taskkill.exe
1184	taskkill.exe
1752	taskkill.exe
992	taskkill.exe
1516	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1040 reg.exe

pid	process
1040	reg.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

taskkill.exeAUDIODG.EXEtaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeshutdown.exeWScript.exe

description	pid	process
Token: SeDebugPrivilege	992	taskkill.exe
Token: 33	1468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1468	AUDIODG.EXE
Token: 33	1468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1468	AUDIODG.EXE
Token: SeDebugPrivilege	440	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeShutdownPrivilege	1824	shutdown.exe
Token: SeRemoteShutdownPrivilege	1824	shutdown.exe
Token: 33	1236	WScript.exe
Token: SeIncBasePriorityPrivilege	1236	WScript.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

StreamHelpersSetup.exeWScript.execmd.exeWScript.execmd.exeWScript.exe

description	pid	process	target process
PID 1584 wrote to memory of 1796	1584	StreamHelpersSetup.exe	WScript.exe
PID 1584 wrote to memory of 1796	1584	StreamHelpersSetup.exe	WScript.exe
PID 1584 wrote to memory of 1796	1584	StreamHelpersSetup.exe	WScript.exe
PID 1584 wrote to memory of 1796	1584	StreamHelpersSetup.exe	WScript.exe
PID 1796 wrote to memory of 1828	1796	WScript.exe	cmd.exe
PID 1796 wrote to memory of 1828	1796	WScript.exe	cmd.exe
PID 1796 wrote to memory of 1828	1796	WScript.exe	cmd.exe
PID 1796 wrote to memory of 1828	1796	WScript.exe	cmd.exe
PID 1828 wrote to memory of 1196	1828	cmd.exe	WScript.exe
PID 1828 wrote to memory of 1196	1828	cmd.exe	WScript.exe
PID 1828 wrote to memory of 1196	1828	cmd.exe	WScript.exe
PID 1828 wrote to memory of 1196	1828	cmd.exe	WScript.exe
PID 1828 wrote to memory of 1976	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 1976	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 1976	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 1976	1828	cmd.exe	timeout.exe
PID 1196 wrote to memory of 1836	1196	WScript.exe	cmd.exe
PID 1196 wrote to memory of 1836	1196	WScript.exe	cmd.exe
PID 1196 wrote to memory of 1836	1196	WScript.exe	cmd.exe
PID 1196 wrote to memory of 1836	1196	WScript.exe	cmd.exe
PID 1836 wrote to memory of 1648	1836	cmd.exe	cacls.exe
PID 1836 wrote to memory of 1648	1836	cmd.exe	cacls.exe
PID 1836 wrote to memory of 1648	1836	cmd.exe	cacls.exe
PID 1836 wrote to memory of 1648	1836	cmd.exe	cacls.exe
PID 1836 wrote to memory of 1860	1836	cmd.exe	WScript.exe
PID 1836 wrote to memory of 1860	1836	cmd.exe	WScript.exe
PID 1836 wrote to memory of 1860	1836	cmd.exe	WScript.exe
PID 1836 wrote to memory of 1860	1836	cmd.exe	WScript.exe
PID 1860 wrote to memory of 1820	1860	WScript.exe	booster.exe
PID 1860 wrote to memory of 1820	1860	WScript.exe	booster.exe
PID 1860 wrote to memory of 1820	1860	WScript.exe	booster.exe
PID 1860 wrote to memory of 1820	1860	WScript.exe	booster.exe
PID 1828 wrote to memory of 980	1828	cmd.exe	WScript.exe
PID 1828 wrote to memory of 980	1828	cmd.exe	WScript.exe
PID 1828 wrote to memory of 980	1828	cmd.exe	WScript.exe
PID 1828 wrote to memory of 980	1828	cmd.exe	WScript.exe
PID 1828 wrote to memory of 1760	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 1760	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 1760	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 1760	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 992	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 992	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 992	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 992	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 1724	1828	cmd.exe	WScript.exe
PID 1828 wrote to memory of 1724	1828	cmd.exe	WScript.exe
PID 1828 wrote to memory of 1724	1828	cmd.exe	WScript.exe
PID 1828 wrote to memory of 1724	1828	cmd.exe	WScript.exe
PID 1828 wrote to memory of 1780	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 1780	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 1780	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 1780	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 440	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 440	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 440	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 440	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 1516	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 1516	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 1516	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 1516	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 1184	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 1184	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 1184	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 1184	1828	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\StreamHelpersSetup.exe
"C:\Users\Admin\AppData\Local\Temp\StreamHelpersSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\launch.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c quiche.bat
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\boost.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c boosteur.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
6⤵
PID:1648

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\booster.exe
"C:\Users\Admin\AppData\Local\Temp\booster.exe"
7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1820

C:\Windows\SysWOW64\timeout.exe
timeout /t 8
4⤵
- Delays execution with timeout.exe
PID:1976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\tbi.vbs"
4⤵
PID:980

C:\Windows\SysWOW64\timeout.exe
timeout /t 60
4⤵
- Delays execution with timeout.exe
PID:1760

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spotify.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\voice.vbs"
4⤵
PID:1724

C:\Windows\SysWOW64\timeout.exe
timeout /t 15
4⤵
- Delays execution with timeout.exe
PID:1780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im javaw.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im hl2.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Fortnite.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im steam.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Roblox Game Client.exe
4⤵
- Kills process with taskkill
PID:1644

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ROBLOX.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /V Wallpaper /F /T REG_SZ /D "C:\Users\Admin\risi.bmp"
4⤵
- Sets desktop wallpaper using registry
PID:1572

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
4⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:1040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\music.vbs"
4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sup.bat
5⤵
- Drops file in Program Files directory
PID:1684

C:\Program Files (x86)\StreamHelper\melter.exe
melter.exe
4⤵
- Executes dropped EXE
PID:2040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\disk.vbs"
4⤵
- Enumerates connected drives
PID:1596

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\disco.vbs"
4⤵
PID:1868

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 300 -c "Dans 5 minutes tu n'as plus de PC fils de viol, le 18-25 t'a bien baiser le cul :)"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Program Files (x86)\StreamHelper\melter.exe
melter.exe
4⤵
- Executes dropped EXE
PID:1048

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1948

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1644

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1560

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1964

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:832

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1724

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:624

C:\Program Files (x86)\StreamHelper\melter.exe
melter.exe
4⤵
PID:1844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1520

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2080

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2148

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2232

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2296

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2348

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2408

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2488

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2548

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2604

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2740

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2852

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2908

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3056

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:1604

C:\Program Files (x86)\StreamHelper\melter.exe
melter.exe
4⤵
PID:2224

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2312

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2428

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2532

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2556

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2708

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2828

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3024

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2144

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2276

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2576

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2896

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2128

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2568

C:\Program Files (x86)\StreamHelper\melter.exe
melter.exe
4⤵
PID:2676

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2228

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2796

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2364

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2888

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:2600

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3092

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3152

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3220

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3280

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3472

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3536

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3596

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3656

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3716

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3792

C:\Program Files (x86)\StreamHelper\melter.exe
melter.exe
4⤵
PID:3864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3920

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:3984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\StreamHelper\lol.vbs"
4⤵
PID:4048

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:940

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x528
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\StreamHelper\boost.vbs
Filesize
120B

MD5
f3e07dede674b896bcc801136c44071c

SHA1
ca247f4409fe13b67a56f9a6ad7ec283c0b94b8d

SHA256
8e82588c88ee82e8b8903d6151f8955ba10b200e85790da40ec2f0c5fd70db92

SHA512
9751a0bf42bd02a23d3108fd5c859d5b213946eb3a929c6f5ec68d185f728edb67f7bac3e51ad3100bf4d3b8588b24bc4c8a03e13ee965bd9f4091c607f07303

Download Submit
C:\Program Files (x86)\StreamHelper\booster.exe
Filesize
43KB

MD5
f08519331b54f872eb2b4843e28ca379

SHA1
ef12b99f1350f795a0a4b7c5e0cc717c9f029ac2

SHA256
3ac6a07b9f9a3147a01e2bbbdd1fa146a9d3cc8270012b474b4904ae85c466b8

SHA512
a101caf11255b3f83db2dfeddd4e3e84a1be5d4c31c8b89f373f87699559e7700341e03849bf723ec151df58ebfd3828c8c21aed363bc303685c39e76294ee6c

Download Submit
C:\Program Files (x86)\StreamHelper\boosteur.bat
Filesize
770B

MD5
5519eeb4c771e20f731ce5c26ff4f603

SHA1
016929997064f4129fa2f629bdb46590c31d6968

SHA256
f7c4089aac4c4fcfbcf6b1fe5b3ee95f8691d3f418f4c205f71512b7c9a5b27a

SHA512
a21b83234cd159c4da3ca21ec1149b35ca661c86e1be6b52b3812c5513c1c3cde3d8edd3024d4c81aa9a421e0e5d8cfe8c178e40f514982182f5c2e5ef5ec046

Download Submit
C:\Program Files (x86)\StreamHelper\cactus.wav
Filesize
4.8MB

MD5
161f58c22f8a3bca7173d02ca6d6d73e

SHA1
5d52baec0ac4c107e8842f82eaf626067510e49b

SHA256
4c862183628a081c9373b75c4976150c8446decfa3a62c466533ec8b35702b6b

SHA512
5a98a86140975916e9528cf9051e06093791eaa1cc6e19cabcd740b7daeb4bfd45badc1aebe54ebc7227e24a7fc666547afc11ef5aecabdd5957c64710cc2e47

Download Submit
C:\Program Files (x86)\StreamHelper\dance.mp3
Filesize
2.0MB

MD5
c102479ae6d60d131bd1034f9eb8193e

SHA1
81a6b2703e0be14ea6dc040dacc6da149a0d299c

SHA256
c5ad168f5b28fdb733e953d6e61453f4223101288e3fbcc9d0c4855dcf6aa8aa

SHA512
df7b0a80f83fc275f0adf4e0e2f682e83454ea8716d18465075a9c555357e6f41743258984bf4bff3e8894bdfbf10fabd1a7b5d176b0581555bdec551d22a4b8

Download Submit
C:\Program Files (x86)\StreamHelper\disco.vbs
Filesize
177B

MD5
38dae080aaa5ff588d7be3f094c92a0a

SHA1
6f9577e34e542d6b57f53cc6b0391466a83b7a98

SHA256
9d95e003f63da579778670ef6c7e08f257a17ba8c39921f178a04f531539ac80

SHA512
7e30d94837cb0c4e505be9aad5555f721ae79a13362a588dc76211c68ec40862c6962d2352d44d7c95d93ce2352f1da7d06db3c104cb9f607b9af9bdae470297

Download Submit
C:\Program Files (x86)\StreamHelper\disk.vbs
Filesize
150B

MD5
0f15b8498b07d33a2a6ef7fbc99d881d

SHA1
9f535201f0c139e20e268606385680e426f6101f

SHA256
6eccc84353a61dda9f563e40844ec6047cd9df7e2c1c6294d264e6397ec60a46

SHA512
dc02c3fe1d1ddf16114216a39ce37c94221f82353204be94886c73687ead2e072efba60b70f145a614c9e5c9159e2fcf6c426c65703043e8baa1772001522397

Download Submit
C:\Program Files (x86)\StreamHelper\launch.vbs
Filesize
118B

MD5
bd9f638588edfd9b5d1041737a76d13e

SHA1
e4be0b88fc48a5cabea3663e19bbc98354c102a1

SHA256
a55ca437d6cf437bfa228d70f78f201078e855acbfebb08dee3f3c21a5990c6d

SHA512
676d0143fb72f65b6874a930f326cd0edba27693d16207845f99c2791e5b2468bfb842f83f99c4a5ec66c460ddf43ddf0ddc025350fdf89ca3c386b091c15d40

Download Submit
C:\Program Files (x86)\StreamHelper\lol.vbs
Filesize
103B

MD5
3f84670acb185eec13ebbf2bab4164c1

SHA1
05dfb8debf1508d1617b823fb0085169f2c517b4

SHA256
40d63af92dee0590287eb438b1f684149eb278d522e9f96ffa230ff99171686a

SHA512
faf42f0438ee578298fc23682feccc9a617d5cde1e0bb1a33a4502dfabe26e6d4f0845f673650aca4a5d271ecea44215d32ba499744a5104b7fd356fe19ab349

Download Submit
C:\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Program Files (x86)\StreamHelper\music.vbs
Filesize
444B

MD5
20e249d880d08eb08c238fa98ce92fe2

SHA1
0798d99f13578457a236436bcdc02ce6947ab6cf

SHA256
6b836dcc27bc5c12cfd948cd34f1bf225eac5ef929d0235f71d4c6e69277a7aa

SHA512
ee54aaac04e013a436c65b35ebdefc5680b295a2e7f3473978124feaa012b705549cc2c92bdd8c53b66808e277255b5cad9a685cb6d3105f6dcdcd5d2a71ebb5

Download Submit
C:\Program Files (x86)\StreamHelper\quiche.bat
Filesize
6KB

MD5
af491a3748d2664941f34d496825e0c5

SHA1
3bac0f5601fe339d0e08c0d6a27aa3a97a7c739a

SHA256
22c2a53e915cce9081bf126a9aa7a439607bcaf4ae6cb6a80f9bb3fd74f1625f

SHA512
09f4c34ebc909de7fc9c8a788321de2cf218be647f6954a54b03fa2ca2cbde1ffdff25f1f8cd643659687dcef8320d4c17080b4572f3be062df063c4ecb918e4

Download Submit
C:\Program Files (x86)\StreamHelper\risi.bmp
Filesize
3.8MB

MD5
0c3585edc3299bd0fb8e15f0efe29609

SHA1
e26dd5616724bc823528e4b420ddebec0762e2f1

SHA256
7d7738bd9c53db91229c8569477a68d8089d26bafacf8cbd8b41be52d186a7e3

SHA512
364544c5fc25e294cd30a956e21c863ef99d3b7dbbd5ff582b295610e00f8695d95d3d1d6aa30246295c87e6063c9d17ee9b5d3b4b3775dadb7e0954132c4e31

Download Submit
C:\Program Files (x86)\StreamHelper\sup.bat
Filesize
55B

MD5
9073ecdece799357e2732b4953cf338f

SHA1
c99f4cb06e254c4f13b13d12ba79b63b0661e66d

SHA256
b48c0a3d8130c6c74255d81f16eff5c90a2e468d783fa356d9918508c88dde18

SHA512
e0249eebb666eb57811ad704d14f13fa393cc847ca53ba9ec1454d5d1d6bc54ceebecf2306e335b719a89fc6c28255ad4a14283b7c6eb4b2b87e37c31727b129

Download Submit
C:\Program Files (x86)\StreamHelper\tbi.vbs
Filesize
363B

MD5
1f678c0df90895b443eeb0cad9e75f04

SHA1
638be67050f85a0f73ce20bcb38040f830ce8429

SHA256
ddb44c4d6479a36ebb2ccc2879df3ca9472a6c71edd927adaa06dd01e976eee1

SHA512
beb7b20f7ccb63a58ac4dcb61b23f1d16471f3e20214a357f115f30d9f8dc015b6673e1a21dae20dddd77ab3a5193271c00d782f0af639388533bc78d4e7cd91

Download Submit
C:\Program Files (x86)\StreamHelper\voice.vbs
Filesize
259B

MD5
f3ce5251d5ed80233f90dd9bfac638fe

SHA1
c1092ba3391c1295ae6e965b26b2a1b5e1a72ae4

SHA256
5738305e7025ccadef95032e5af4dae7b0a39ecd18f698fb3107448b3063a8af

SHA512
108235e3aba7223ef30136c169e2946a30557164946d813fe914ac27f6bacf7dc8bcc785a2bf846c5e85edea80a2f5365c4e138871f6bd11e8dc775c51bbe56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\booster.exe
Filesize
43KB

MD5
f08519331b54f872eb2b4843e28ca379

SHA1
ef12b99f1350f795a0a4b7c5e0cc717c9f029ac2

SHA256
3ac6a07b9f9a3147a01e2bbbdd1fa146a9d3cc8270012b474b4904ae85c466b8

SHA512
a101caf11255b3f83db2dfeddd4e3e84a1be5d4c31c8b89f373f87699559e7700341e03849bf723ec151df58ebfd3828c8c21aed363bc303685c39e76294ee6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\booster.exe
Filesize
43KB

MD5
f08519331b54f872eb2b4843e28ca379

SHA1
ef12b99f1350f795a0a4b7c5e0cc717c9f029ac2

SHA256
3ac6a07b9f9a3147a01e2bbbdd1fa146a9d3cc8270012b474b4904ae85c466b8

SHA512
a101caf11255b3f83db2dfeddd4e3e84a1be5d4c31c8b89f373f87699559e7700341e03849bf723ec151df58ebfd3828c8c21aed363bc303685c39e76294ee6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\getadmin.vbs
Filesize
133B

MD5
6b537d3cf7e455bab5f4ae38ff4a7fd8

SHA1
6ec7bfa55972ec66b6001196136c5ed5ff4b1280

SHA256
b6291fdc9d22d281246f3415b59399f6178e8f78823e35ff82f5624c85397c15

SHA512
e1dca68d2acaf0be631ea6ba1a5775daa8a6510783d27e51fcfbfdab3c9d049989edc11b21279ab890b79efccc4c210975face045084eb1417e9de81bfc63291

Download Submit
\??\c:\PROGRA~2\STREAM~1\cactus.vbs
Filesize
2KB

MD5
9b67ddaa62f2268045f451ccf8f2947d

SHA1
c445539d11af6f8410171382b2e5e3acb414009e

SHA256
55a5ce12d97539cc58e4c9dbffd8d7a410719c5060bb2eaf3e36a63f1a402a23

SHA512
7d3c7449980a3b535b58f0135346a0e55eb8db2d951ab390290d460de448756cac49b25d26e7c3309e927b87a14e06b37db14df10cf8e510cee2783f01c7bb7d

Download Submit
\??\c:\Users\Admin\AppData\Local\MICROS~1\MEDIAP~1\CURREN~1.WMD
Filesize
1.0MB

MD5
eb43c7b7367b0a79403bd86050933f67

SHA1
6aeb786d066aa81fc17794ca13b206b94d2a20d4

SHA256
f34621641247db43a55e112b4b22c4726016c7e495d1e5a02886bff9d911a5c1

SHA512
5752b5727bda134c998ef6f527724a908d93ca033865340309927bbabb1a9a65e83ddb6e550f153b0c303d161d197b270dbae59834f5e6545b5d86c0562b091f

Download Submit
\??\c:\Users\Admin\AppData\Roaming\MICROS~1\Speech\Files\USERLE~1\SP_047~1.DAT
Filesize
940B

MD5
2d798decba87abe27863df279eb38429

SHA1
e8f2a9d8695582dc52a3cde457899f1bb2d274aa

SHA256
37cd9915ff219eaf2dc2512701c18c70d348ba6d3eacf43de9332d3eb469f7e5

SHA512
0f1637abac6722a6fe92a73ed16a44a10d42a3419227702f4e1efe107a9e57b434a8816c4951dc2fe016bbd63a449ac6f232e93bd09e5e9d5b1c0361d49e1b87

Download Submit
\??\c:\Users\Admin\risi.bmp
Filesize
3.8MB

MD5
0c3585edc3299bd0fb8e15f0efe29609

SHA1
e26dd5616724bc823528e4b420ddebec0762e2f1

SHA256
7d7738bd9c53db91229c8569477a68d8089d26bafacf8cbd8b41be52d186a7e3

SHA512
364544c5fc25e294cd30a956e21c863ef99d3b7dbbd5ff582b295610e00f8695d95d3d1d6aa30246295c87e6063c9d17ee9b5d3b4b3775dadb7e0954132c4e31

Download Submit
\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
\Program Files (x86)\StreamHelper\melter.exe
Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
\Users\Admin\AppData\Local\Temp\booster.exe
Filesize
43KB

MD5
f08519331b54f872eb2b4843e28ca379

SHA1
ef12b99f1350f795a0a4b7c5e0cc717c9f029ac2

SHA256
3ac6a07b9f9a3147a01e2bbbdd1fa146a9d3cc8270012b474b4904ae85c466b8

SHA512
a101caf11255b3f83db2dfeddd4e3e84a1be5d4c31c8b89f373f87699559e7700341e03849bf723ec151df58ebfd3828c8c21aed363bc303685c39e76294ee6c

Download Submit
\Users\Admin\AppData\Local\Temp\booster.exe
Filesize
43KB

MD5
f08519331b54f872eb2b4843e28ca379

SHA1
ef12b99f1350f795a0a4b7c5e0cc717c9f029ac2

SHA256
3ac6a07b9f9a3147a01e2bbbdd1fa146a9d3cc8270012b474b4904ae85c466b8

SHA512
a101caf11255b3f83db2dfeddd4e3e84a1be5d4c31c8b89f373f87699559e7700341e03849bf723ec151df58ebfd3828c8c21aed363bc303685c39e76294ee6c

Download Submit
\Users\Admin\AppData\Local\Temp\booster.exe
Filesize
43KB

MD5
f08519331b54f872eb2b4843e28ca379

SHA1
ef12b99f1350f795a0a4b7c5e0cc717c9f029ac2

SHA256
3ac6a07b9f9a3147a01e2bbbdd1fa146a9d3cc8270012b474b4904ae85c466b8

SHA512
a101caf11255b3f83db2dfeddd4e3e84a1be5d4c31c8b89f373f87699559e7700341e03849bf723ec151df58ebfd3828c8c21aed363bc303685c39e76294ee6c

Download Submit
\Users\Admin\AppData\Local\Temp\booster.exe
Filesize
43KB

MD5
f08519331b54f872eb2b4843e28ca379

SHA1
ef12b99f1350f795a0a4b7c5e0cc717c9f029ac2

SHA256
3ac6a07b9f9a3147a01e2bbbdd1fa146a9d3cc8270012b474b4904ae85c466b8

SHA512
a101caf11255b3f83db2dfeddd4e3e84a1be5d4c31c8b89f373f87699559e7700341e03849bf723ec151df58ebfd3828c8c21aed363bc303685c39e76294ee6c

Download Submit
memory/1236-229-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1584-111-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1820-154-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads