gozi | 22ab9e84557956259e6ff19ba005f3e4009cda1c52e1d7d7ec994103486dcacd

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2023 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
Size

43KB
MD5

6cfc839efb84296adb7230d036656d63
SHA1

0a6520a252c0d0e5530db01e61337a85a35f5d1c
SHA256

22ab9e84557956259e6ff19ba005f3e4009cda1c52e1d7d7ec994103486dcacd
SHA512

e32d608773ecb723577daea10cae59043b8f44785116842311a603d5e10132ed2a05f7ac8a57bce595c108e031dcf91dd2adff31c95ebbc9d8bded7a2de5a675
SSDEEP

768:AqH6jABB3QIMQr4G9DvcWjnC5x5D001EMlpXEtafscjT7u31GUOEfbG:ARATBMDSvnC57D0CFEtafFu3DS

Score

10^/10

gozi 1000 banker evasion isfb trojan upx

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

repeseparation.ru

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

winhlp64.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF winhlp64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	winhlp64.exe

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4800-275-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

winhlp64.exenircmd.exenircmd.exe

pid process

4684 winhlp64.exe
4800 nircmd.exe
824 nircmd.exe
Loads dropped DLL 6 IoCs

Processes:

winhlp64.exe

pid process

4684 winhlp64.exe
4684 winhlp64.exe
4684 winhlp64.exe
4684 winhlp64.exe
4684 winhlp64.exe
4684 winhlp64.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\nircmd.exe	upx
C:\Windows\nircmd.exe	upx
behavioral2/memory/4800-275-0x0000000000400000-0x000000000041C000-memory.dmp	upx
C:\Windows\nircmd.exe	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

58 myexternalip.com
59 myexternalip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

winhlp64.exe

pid process

4684 winhlp64.exe
4684 winhlp64.exe

flow	ioc
58	myexternalip.com
59	myexternalip.com

Drops file in Program Files directory 3 IoCs

Processes:

winhlp64.exe

description	ioc	process
File created	C:\Program Files (x86)\MTA San Andreas 1.5\MTA\bass_aa6c-1-6.dll	winhlp64.exe
File created	C:\Program Files (x86)\MTA San Andreas 1.5\MTA\basso3pus1-6.dll	winhlp64.exe
File created	C:\Program Files (x86)\MTA San Andreas 1.5\MTA\game_s5amta.dll	winhlp64.exe

Drops file in Windows directory 18 IoCs

Processes:

winhlp64.exe5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe

description	ioc	process
File created	C:\Windows\Sha3rprompt.dll	winhlp64.exe
File created	C:\Windows\ldplayers.exe	winhlp64.exe
File created	C:\Windows\AsmResolve2r.PE.dll	winhlp64.exe
File created	C:\Windows\opus.dll	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\winhlp64.exe	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\vulklan-1.exe	winhlp64.exe
File created	C:\Windows\lddll.exe	winhlp64.exe
File created	C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.txt	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\libssl-1_1.dll	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\Tasks\SA.txt	winhlp64.exe
File created	C:\Windows\nircmd.exe	winhlp64.exe
File created	C:\Windows\zlib1.dll	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\basswebmss.dll	winhlp64.exe
File created	C:\Windows\libsodium.dll	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\cguuiM.exe	winhlp64.exe
File created	C:\Windows\AsmResolve1-6r.dll	winhlp64.exe
File created	C:\Windows\dpp.dll	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\libcrypto-1_1.dll	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe

Program crash 52 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4736	4684	WerFault.exe	winhlp64.exe
4864	4684	WerFault.exe	winhlp64.exe
4592	4684	WerFault.exe	winhlp64.exe
4596	4684	WerFault.exe	winhlp64.exe
5052	4684	WerFault.exe	winhlp64.exe
5004	4684	WerFault.exe	winhlp64.exe
4248	4684	WerFault.exe	winhlp64.exe
2124	4684	WerFault.exe	winhlp64.exe
3688	4684	WerFault.exe	winhlp64.exe
2240	4684	WerFault.exe	winhlp64.exe
3804	4684	WerFault.exe	winhlp64.exe
1196	4684	WerFault.exe	winhlp64.exe
2876	4684	WerFault.exe	winhlp64.exe
3832	4684	WerFault.exe	winhlp64.exe
4856	4684	WerFault.exe	winhlp64.exe
4952	4684	WerFault.exe	winhlp64.exe
440	4684	WerFault.exe	winhlp64.exe
4768	4684	WerFault.exe	winhlp64.exe
5096	4684	WerFault.exe	winhlp64.exe
1552	4684	WerFault.exe	winhlp64.exe
644	4684	WerFault.exe	winhlp64.exe
2668	4684	WerFault.exe	winhlp64.exe
1240	4684	WerFault.exe	winhlp64.exe
628	4684	WerFault.exe	winhlp64.exe
816	4684	WerFault.exe	winhlp64.exe
4756	4684	WerFault.exe	winhlp64.exe
3936	4684	WerFault.exe	winhlp64.exe
4344	4684	WerFault.exe	winhlp64.exe
3164	4684	WerFault.exe	winhlp64.exe
4432	4684	WerFault.exe	winhlp64.exe
4660	4684	WerFault.exe	winhlp64.exe
1820	4684	WerFault.exe	winhlp64.exe
2624	4684	WerFault.exe	winhlp64.exe
5048	4684	WerFault.exe	winhlp64.exe
4740	4684	WerFault.exe	winhlp64.exe
4248	4684	WerFault.exe	winhlp64.exe
4624	4684	WerFault.exe	winhlp64.exe
4532	4684	WerFault.exe	winhlp64.exe
3696	4684	WerFault.exe	winhlp64.exe
3328	4684	WerFault.exe	winhlp64.exe
2072	4684	WerFault.exe	winhlp64.exe
656	4684	WerFault.exe	winhlp64.exe
4708	4684	WerFault.exe	winhlp64.exe
1552	4684	WerFault.exe	winhlp64.exe
644	4684	WerFault.exe	winhlp64.exe
2668	4684	WerFault.exe	winhlp64.exe
1328	4684	WerFault.exe	winhlp64.exe
3348	4684	WerFault.exe	winhlp64.exe
1180	4684	WerFault.exe	winhlp64.exe
2296	4684	WerFault.exe	winhlp64.exe
3464	4684	WerFault.exe	winhlp64.exe
4584	4684	WerFault.exe	winhlp64.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winhlp64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winhlp64.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

winhlp64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOSReleaseDate	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	winhlp64.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4512 PING.EXE

pid	process
4512	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winhlp64.exe

pid	process
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe
4684	winhlp64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.execmd.exewinhlp64.exe

description	pid	process	target process
PID 4232 wrote to memory of 3280	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 3280	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 3280	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 656	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 656	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 656	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 1404	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 1404	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 1404	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 372	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 372	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 372	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 848	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 848	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 848	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 1240	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 1240	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 1240	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 3160	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 3160	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 3160	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 4012	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 4012	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 4012	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 2264	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 2264	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4232 wrote to memory of 2264	4232	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 2264 wrote to memory of 4512	2264	cmd.exe	PING.EXE
PID 2264 wrote to memory of 4512	2264	cmd.exe	PING.EXE
PID 2264 wrote to memory of 4512	2264	cmd.exe	PING.EXE
PID 2264 wrote to memory of 4684	2264	cmd.exe	winhlp64.exe
PID 2264 wrote to memory of 4684	2264	cmd.exe	winhlp64.exe
PID 2264 wrote to memory of 4684	2264	cmd.exe	winhlp64.exe
PID 4684 wrote to memory of 4896	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 4896	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 4896	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 4540	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 4540	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 4540	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 4008	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 4008	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 4008	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 3952	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 3952	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 3952	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 1240	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 1240	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 1240	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 436	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 436	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 436	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 2604	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 2604	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 2604	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 4012	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 4012	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 4012	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 2904	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 2904	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 2904	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 1560	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 1560	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 1560	4684	winhlp64.exe	cmd.exe
PID 4684 wrote to memory of 4916	4684	winhlp64.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
"C:\Users\Admin\AppData\Local\Temp\5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title
2⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\dpp.dll dpp.dll
2⤵
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\libssl-1_1.dll libssl-1_1.dll
2⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\opus.dll opus.dll
2⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\zlib1.dll zlib1.dll
2⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\libcrypto-1_1.dll libcrypto-1_1.dll
2⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\libsodium.dll libsodium.dll
2⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\winhlp64.exe winhlp64.exe
2⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 1.1.1.1 -n 1 -w 300 > nul && start C:\Windows\winhlp64.exe qbw3f2j1lE0j2K7265K2p6l621927x6u5Urd1xlt61z295h2dglKWyrEt32r7o24 ch1726636xGdnU2rAdcg8e612S12C1x66gd3Kl56d1nkG7212UOIx71S5dc2k111 5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 300
3⤵
- Runs ping.exe
PID:4512

C:\Windows\winhlp64.exe
C:\Windows\winhlp64.exe qbw3f2j1lE0j2K7265K2p6l621927x6u5Urd1xlt61z295h2dglKWyrEt32r7o24 ch1726636xGdnU2rAdcg8e612S12C1x66gd3Kl56d1nkG7212UOIx71S5dc2k111 5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
3⤵
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 552
4⤵
- Program crash
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title
4⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 576
4⤵
- Program crash
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 900
4⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 948
4⤵
- Program crash
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 620
4⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 916
4⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 936
4⤵
- Program crash
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1140
4⤵
- Program crash
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1140
4⤵
- Program crash
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1572
4⤵
- Program crash
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1612
4⤵
- Program crash
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1832
4⤵
- Program crash
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1628
4⤵
- Program crash
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1616
4⤵
- Program crash
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\cguuiM.exe cguuiM.exe > nul
4⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\vulklan-1.exe vulklan-1.exe > nul
4⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\basswebmss.dll basswebmss.dll > nul
4⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Users\%username%\Documents\AS098s01.exe AS098s01.exe > nul
4⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Users\%username%\Documents\DED0TTAMROs1FNSIW.exe DED0TTAMROs1FNSIW.exe > nul
4⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title
4⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\ldplayers.exe ldplayers.exe > nul
4⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\lddll.exe lddll.exe > nul
4⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\AsmResolve1-6r.dll AsmResolve1-6r.dll > nul
4⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\AsmResolve2r.PE.dll AsmResolve2r.PE.dll > nul
4⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\Sha3rprompt.dll Sha3rprompt.dll > nul
4⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1848
4⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1868
4⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1860
4⤵
- Program crash
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1920
4⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1312
4⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\nircmd.exe nircmd.exe > nul
4⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c cd C:\Windows && nircmd savescreenshot C:\Users\Admin\AppData\Local\Discord\packages\SquirrelTemp\Discord-1.0.9007.png && exit
4⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
cmd /c cd C:\Windows
5⤵
PID:1516

C:\Windows\nircmd.exe
nircmd savescreenshot C:\Users\Admin\AppData\Local\Discord\packages\SquirrelTemp\Discord-1.0.9007.png
5⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c cd C:\Windows && nircmd savescreenshotfull C:\Users\Admin\AppData\Local\Discord\packages\SquirrelTemp\Discord-1.0.9007-full.png && exit
4⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd /c cd C:\Windows
5⤵
PID:1772

C:\Windows\nircmd.exe
nircmd savescreenshotfull C:\Users\Admin\AppData\Local\Discord\packages\SquirrelTemp\Discord-1.0.9007-full.png
5⤵
- Executes dropped EXE
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /Q /F "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" > nul
4⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1312
4⤵
- Program crash
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 732
4⤵
- Program crash
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1940
4⤵
- Program crash
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1952
4⤵
- Program crash
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1876
4⤵
- Program crash
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1868
4⤵
- Program crash
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1312
4⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1876
4⤵
- Program crash
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1040
4⤵
- Program crash
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1628
4⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1872
4⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1312
4⤵
- Program crash
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1876
4⤵
- Program crash
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1976
4⤵
- Program crash
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 2004
4⤵
- Program crash
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 2012
4⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1896
4⤵
- Program crash
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1992
4⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1996
4⤵
- Program crash
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1968
4⤵
- Program crash
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1964
4⤵
- Program crash
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 732
4⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1952
4⤵
- Program crash
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 2000
4⤵
- Program crash
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1964
4⤵
- Program crash
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1888
4⤵
- Program crash
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1848
4⤵
- Program crash
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1892
4⤵
- Program crash
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1964
4⤵
- Program crash
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1640
4⤵
- Program crash
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1824
4⤵
- Program crash
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1608
4⤵
- Program crash
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1620
4⤵
- Program crash
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4684 -ip 4684
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4684 -ip 4684
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4684 -ip 4684
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4684 -ip 4684
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4684 -ip 4684
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4684 -ip 4684
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4684 -ip 4684
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4684 -ip 4684
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4684 -ip 4684
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4684 -ip 4684
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4684 -ip 4684
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4684 -ip 4684
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4684 -ip 4684
1⤵
PID:612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4684 -ip 4684
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4684 -ip 4684
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4684 -ip 4684
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4684 -ip 4684
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4684 -ip 4684
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4684 -ip 4684
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4684 -ip 4684
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4684 -ip 4684
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4684 -ip 4684
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4684 -ip 4684
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4684 -ip 4684
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4684 -ip 4684
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4684 -ip 4684
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4684 -ip 4684
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4684 -ip 4684
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4684 -ip 4684
1⤵
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4684 -ip 4684
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4684 -ip 4684
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4684 -ip 4684
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4684 -ip 4684
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4684 -ip 4684
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4684 -ip 4684
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4684 -ip 4684
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4684 -ip 4684
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4684 -ip 4684
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4684 -ip 4684
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4684 -ip 4684
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4684 -ip 4684
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4684 -ip 4684
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4684 -ip 4684
1⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4684 -ip 4684
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4684 -ip 4684
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4684 -ip 4684
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4684 -ip 4684
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4684 -ip 4684
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4684 -ip 4684
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4684 -ip 4684
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4684 -ip 4684
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4684 -ip 4684
1⤵
PID:1940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JXO1ZP0L\appack[1].exe
Filesize
82KB

MD5
390a7337b163b819cb99eabe0e8825a4

SHA1
f34cc80fff864ffaa367be573420d8f5a8e2d341

SHA256
6b29a1de3d3d2cacd1200c3c1bd6fe5a7afdb4724aaba76b77965ae2a82836de

SHA512
d4502bb4ce045e350f814fc16445f4cf03adda5640a9dcfd1c1ea647fed724cf1540ac96d6e6b91de09e9bee78e5f86ea942a8852a9b8840511dd1808b900f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P8NMKCW2\DETTAMROFNIW[1].exe
Filesize
125KB

MD5
1c06063c8b264df1d6ad2b14ae7e5309

SHA1
77538cbb4e684dbe891cac50d811dbb7d3c26cec

SHA256
0c9b2b222cdd42a185f5abcff1e6672f981ed2a01c9149ea49f0cef0813ce864

SHA512
a2d8b01d0a63bdea2be7abd1080ac4a070457d637b081fdec91237284cac9e61fa7753b0a5637dc53ae96f694161e5437f52cbffbfea3df9357cf9572a7ab56a

Download Submit
C:\Windows\AsmResolve1-6r.dll
Filesize
1015KB

MD5
c4dfbbd29f479ff9d9fc482022fbc43a

SHA1
b41a7f08625508a15c1ac085fe9fa136a04f0ed3

SHA256
afbdedbe1ab06a4161fcf7b97de98862b7f7f553812eabb4c4566487511b6634

SHA512
13217a44961ffaf4d1ca1f956a579b2806c474a4552b8ae4f27b78ac48bf87804641647cc11506a2e9b5edc7f362de732070931fa44d1f6b997925c3a6860d0e

Download Submit
C:\Windows\AsmResolve1-6r.dll
Filesize
1015KB

MD5
c4dfbbd29f479ff9d9fc482022fbc43a

SHA1
b41a7f08625508a15c1ac085fe9fa136a04f0ed3

SHA256
afbdedbe1ab06a4161fcf7b97de98862b7f7f553812eabb4c4566487511b6634

SHA512
13217a44961ffaf4d1ca1f956a579b2806c474a4552b8ae4f27b78ac48bf87804641647cc11506a2e9b5edc7f362de732070931fa44d1f6b997925c3a6860d0e

Download Submit
C:\Windows\AsmResolve2r.PE.dll
Filesize
1015KB

MD5
c4dfbbd29f479ff9d9fc482022fbc43a

SHA1
b41a7f08625508a15c1ac085fe9fa136a04f0ed3

SHA256
afbdedbe1ab06a4161fcf7b97de98862b7f7f553812eabb4c4566487511b6634

SHA512
13217a44961ffaf4d1ca1f956a579b2806c474a4552b8ae4f27b78ac48bf87804641647cc11506a2e9b5edc7f362de732070931fa44d1f6b997925c3a6860d0e

Download Submit
C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.txt
Filesize
13KB

MD5
585999104065f6d0dfd2760fa0fa8d59

SHA1
8a495993ae4ae26d4997d1cbab36a187cc2c78ec

SHA256
7620bc46d02eeea8aa8456db507e4af2bfa6669fc36ee94e068a7aea1b3fe8ff

SHA512
d6ef99f1cf7ba2562efea80b6ee59bd09f6c158959f20ea96ba493cd2e36e1323be5bfa12c3ae85f52de36f86d2b9f7f930b547605ab4d7d2c5b6b81851e88d6

Download Submit
C:\Windows\Sha3rprompt.dll
Filesize
1.0MB

MD5
e3ff9908672ec666d3060fd41d7b8e42

SHA1
18b9806453a2251c3059a74e8fb1b87859835ea0

SHA256
4805eb11c3cfe443b506ceabdcd7267148aafea1bba3f9b39e0bc5ba2f896263

SHA512
df3775df8a18e0b1070a0d26adf77ab4c4596767ad2049107fe02ca0cb5344040a32853fa0ab1c8683a64d396cb89dda3f9accc4503f75695313a11d01c77b72

Download Submit
C:\Windows\Sha3rprompt.dll
Filesize
1.0MB

MD5
e3ff9908672ec666d3060fd41d7b8e42

SHA1
18b9806453a2251c3059a74e8fb1b87859835ea0

SHA256
4805eb11c3cfe443b506ceabdcd7267148aafea1bba3f9b39e0bc5ba2f896263

SHA512
df3775df8a18e0b1070a0d26adf77ab4c4596767ad2049107fe02ca0cb5344040a32853fa0ab1c8683a64d396cb89dda3f9accc4503f75695313a11d01c77b72

Download Submit
C:\Windows\Tasks\SA.txt
Filesize
1KB

MD5
c7435c74a647b69a8618961bc27401fc

SHA1
52acfc3de5fbabe7c17ab7f726e29f121a8b5f14

SHA256
7175e4a95e3d6b4d1f52f098cdb9e486136f17ff027912731e0b6597fe10ef48

SHA512
42d52d9b5fb193d260db856b11fd130e3f68ecf4c6b7e1d85c5ccfc7ecfcfabf5f49a090fb5166fadeb3184df33eb848d307cde37647cc751a8a826b73a3633c

Download Submit
C:\Windows\Temp\WinSAT-334.txt
Filesize
516B

MD5
c92a9aba1638ccc0e0929a681e871975

SHA1
850f774032c316836d006e0c45fb1987c4a08a15

SHA256
d26fe295390aa2d6068440b072327800faf0d15a9121e167a02a9aa9bbc93506

SHA512
c05b813a4b2d857725c5a1a353f131eab9f473af44f79daaa66ac806162604a87002f46a2df177ea6c3399ea88df03acf95e3fdb5ddf208fd653407d05decef4

Download Submit
C:\Windows\Temp\WinSAT-334.txt
Filesize
12B

MD5
71d587e911373f62d72a158eceb6e0e7

SHA1
68d81a1a4fb19c609288a94f10d1bbb92d972a68

SHA256
acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8

SHA512
a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060

Download Submit
C:\Windows\basswebmss.dll
Filesize
198KB

MD5
30abd72a6d7ec19ce9d76a176728e039

SHA1
d50f09e30fb2f8e953f1322aa39d70a6fff9e418

SHA256
ac62d72d9c27bf2371c1faf44f622083162eeca362ba54748f793b74cc1cadcd

SHA512
b384a0f3b0c02bf7769bc5ef47667e21a03c22a641ae050567712303309bdce46816cb94b4aac50cfb6227712019fd311e67ba3deba5c8a374accce2f189ec2b

Download Submit
C:\Windows\cguuiM.exe
Filesize
82KB

MD5
390a7337b163b819cb99eabe0e8825a4

SHA1
f34cc80fff864ffaa367be573420d8f5a8e2d341

SHA256
6b29a1de3d3d2cacd1200c3c1bd6fe5a7afdb4724aaba76b77965ae2a82836de

SHA512
d4502bb4ce045e350f814fc16445f4cf03adda5640a9dcfd1c1ea647fed724cf1540ac96d6e6b91de09e9bee78e5f86ea942a8852a9b8840511dd1808b900f4d

Download Submit
C:\Windows\dpp.dll
Filesize
1.9MB

MD5
692026ff118997f30b9c314df54bce25

SHA1
a09c770f410ad4df8e78c6d0723f70521cfb63f1

SHA256
75c5725344092eb7a9f0c2c74c85a98f73d7d4c8201a677b206c35655c2e33d8

SHA512
60d5b1b29e19150636a0b7c593e95bac2bc42c0cc2dd6335cc45794f64fc5f64044f64365a9ef742616ffc025e121f2455425808a44add02bb28173394b87e36

Download Submit
C:\Windows\dpp.dll
Filesize
1.9MB

MD5
692026ff118997f30b9c314df54bce25

SHA1
a09c770f410ad4df8e78c6d0723f70521cfb63f1

SHA256
75c5725344092eb7a9f0c2c74c85a98f73d7d4c8201a677b206c35655c2e33d8

SHA512
60d5b1b29e19150636a0b7c593e95bac2bc42c0cc2dd6335cc45794f64fc5f64044f64365a9ef742616ffc025e121f2455425808a44add02bb28173394b87e36

Download Submit
C:\Windows\lddll.exe
Filesize
123KB

MD5
f3a820ed62ff4b46f4c784bb9a30ea35

SHA1
1c6509dd11d4309dd16a82b5fd547fe897528d48

SHA256
6b053331bde2c3d55d8bfb7d3a4d761cec3fb076b46c4b4c9e8f7022eae01b80

SHA512
cae640fff1608222601d52da19f902f6c6b7d92f5bed11b5a91ac9f9f923f96c442cbe415dc06eaa4233642eaa5314d4c2ca2c3612b88e3dce7575b4e5100358

Download Submit
C:\Windows\ldplayers.exe
Filesize
125KB

MD5
1c06063c8b264df1d6ad2b14ae7e5309

SHA1
77538cbb4e684dbe891cac50d811dbb7d3c26cec

SHA256
0c9b2b222cdd42a185f5abcff1e6672f981ed2a01c9149ea49f0cef0813ce864

SHA512
a2d8b01d0a63bdea2be7abd1080ac4a070457d637b081fdec91237284cac9e61fa7753b0a5637dc53ae96f694161e5437f52cbffbfea3df9357cf9572a7ab56a

Download Submit
C:\Windows\libcrypto-1_1.dll
Filesize
2.5MB

MD5
31643a6540ba24cf98a97cef42634048

SHA1
0206d691eaa40885713327c11e000cb771a21703

SHA256
e36557189986f864b35c4f3d66b3356ce242c73217ec9ec5c3d66453c480633f

SHA512
5f5c74fecacb723126ff099ad7303af500b5125ecef2966fb3104d3668d07e836266680a7628a63a5a26200f6139bed77e7f5c7533a9934cb81be9857800de41

Download Submit
C:\Windows\libcrypto-1_1.dll
Filesize
2.5MB

MD5
31643a6540ba24cf98a97cef42634048

SHA1
0206d691eaa40885713327c11e000cb771a21703

SHA256
e36557189986f864b35c4f3d66b3356ce242c73217ec9ec5c3d66453c480633f

SHA512
5f5c74fecacb723126ff099ad7303af500b5125ecef2966fb3104d3668d07e836266680a7628a63a5a26200f6139bed77e7f5c7533a9934cb81be9857800de41

Download Submit
C:\Windows\libsodium.dll
Filesize
329KB

MD5
be8a4636d7dd224ef4774065189ce7ff

SHA1
6aadb8d601333a3136647cb8a96480e277798d9e

SHA256
84fa23e1bd52d64265d6eb31b72fb40bb539856110633a6e0583003290e5f61a

SHA512
2fe3b94f473f81e6e8834455789d9401dcd4650b66a24a57d9f923ca9487e3cccbaf9caeb9033ef63bbb287a4c41776587776b2acf3281fa99d7f285d0bf27a9

Download Submit
C:\Windows\libsodium.dll
Filesize
329KB

MD5
be8a4636d7dd224ef4774065189ce7ff

SHA1
6aadb8d601333a3136647cb8a96480e277798d9e

SHA256
84fa23e1bd52d64265d6eb31b72fb40bb539856110633a6e0583003290e5f61a

SHA512
2fe3b94f473f81e6e8834455789d9401dcd4650b66a24a57d9f923ca9487e3cccbaf9caeb9033ef63bbb287a4c41776587776b2acf3281fa99d7f285d0bf27a9

Download Submit
C:\Windows\libssl-1_1.dll
Filesize
523KB

MD5
46c50a365a8a11627137ad52e4ab2f94

SHA1
6d02dc794a756c077233f074bd85c4b8241c24df

SHA256
187b33ab7a95d4722ff7dc6e2a0e6f121f68fd034b708a946b76748ec2a39b83

SHA512
3e2bdb912e77c249950d3dac3d3937d716e982fa9dfa3aeb48760219e53e99e70292294cc80992095bb18ee62329aac69c253dea2ae6037c9e80e1500a32b1c0

Download Submit
C:\Windows\libssl-1_1.dll
Filesize
523KB

MD5
46c50a365a8a11627137ad52e4ab2f94

SHA1
6d02dc794a756c077233f074bd85c4b8241c24df

SHA256
187b33ab7a95d4722ff7dc6e2a0e6f121f68fd034b708a946b76748ec2a39b83

SHA512
3e2bdb912e77c249950d3dac3d3937d716e982fa9dfa3aeb48760219e53e99e70292294cc80992095bb18ee62329aac69c253dea2ae6037c9e80e1500a32b1c0

Download Submit
C:\Windows\nircmd.exe
Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
C:\Windows\nircmd.exe
Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
C:\Windows\nircmd.exe
Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
C:\Windows\opus.dll
Filesize
307KB

MD5
a4c7c50ebed6a72ead1baa4cb3057c81

SHA1
21ae7d92ce5f6684c2bb091a780830fb7e2263c0

SHA256
0d518b2def8d3e2d6a1d221ddc6d66a338ab1ba6068461d1cf5f3b7d39c97793

SHA512
1d679f5d0805907ada13a79b5d673ff1262334fbed6bdda2812a4c183aea7dd1d775f847048d5c5d06aa920b76936b61ad7426e77502807935a93ec953e03071

Download Submit
C:\Windows\opus.dll
Filesize
307KB

MD5
a4c7c50ebed6a72ead1baa4cb3057c81

SHA1
21ae7d92ce5f6684c2bb091a780830fb7e2263c0

SHA256
0d518b2def8d3e2d6a1d221ddc6d66a338ab1ba6068461d1cf5f3b7d39c97793

SHA512
1d679f5d0805907ada13a79b5d673ff1262334fbed6bdda2812a4c183aea7dd1d775f847048d5c5d06aa920b76936b61ad7426e77502807935a93ec953e03071

Download Submit
C:\Windows\vulklan-1.exe
Filesize
125KB

MD5
1c06063c8b264df1d6ad2b14ae7e5309

SHA1
77538cbb4e684dbe891cac50d811dbb7d3c26cec

SHA256
0c9b2b222cdd42a185f5abcff1e6672f981ed2a01c9149ea49f0cef0813ce864

SHA512
a2d8b01d0a63bdea2be7abd1080ac4a070457d637b081fdec91237284cac9e61fa7753b0a5637dc53ae96f694161e5437f52cbffbfea3df9357cf9572a7ab56a

Download Submit
C:\Windows\winhlp64.exe
Filesize
368KB

MD5
ec88a477340500a675d3d488ff1a8aa1

SHA1
58ae48ed1da866ec5a55e6d9baad7817813936f6

SHA256
322570b200015030b63f1605bfc0580c3aaa5e68a104ffc683f67001923c4bf4

SHA512
1b3afc68ee0ae029b926f2cab707eeed659cd72bf344e2765f384a2acdc7404a5a4a578586a5876eb4a17f5b78a343cf68495b10db0c29a19c8312f5c4b28c25

Download Submit
C:\Windows\winhlp64.exe
Filesize
368KB

MD5
ec88a477340500a675d3d488ff1a8aa1

SHA1
58ae48ed1da866ec5a55e6d9baad7817813936f6

SHA256
322570b200015030b63f1605bfc0580c3aaa5e68a104ffc683f67001923c4bf4

SHA512
1b3afc68ee0ae029b926f2cab707eeed659cd72bf344e2765f384a2acdc7404a5a4a578586a5876eb4a17f5b78a343cf68495b10db0c29a19c8312f5c4b28c25

Download Submit
C:\Windows\zlib1.dll
Filesize
73KB

MD5
05bf83777d5b6c7bf74a512f51f34a7b

SHA1
5c177218220a9c1df6eff2fc46bf3dd512986222

SHA256
0d2a785476bf5ab1906f4738e92df18a2c438e27225c1c1cac9afe77417c0b46

SHA512
0249ac76f843b3d46120da665ebe3b361f120477997f3809b88188d1afeffa2a789f5a990930441f54729d1e806c2ce005893ac77a88dd87d302e2ee49eba941

Download Submit
C:\Windows\zlib1.dll
Filesize
73KB

MD5
05bf83777d5b6c7bf74a512f51f34a7b

SHA1
5c177218220a9c1df6eff2fc46bf3dd512986222

SHA256
0d2a785476bf5ab1906f4738e92df18a2c438e27225c1c1cac9afe77417c0b46

SHA512
0249ac76f843b3d46120da665ebe3b361f120477997f3809b88188d1afeffa2a789f5a990930441f54729d1e806c2ce005893ac77a88dd87d302e2ee49eba941

Download Submit
memory/4800-275-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

pid	process
4684	winhlp64.exe
4800	nircmd.exe
824	nircmd.exe