105137f7201a737456f865513fbf14e64ac16facad90b4cb6c314ac765ea302f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ab925e1b611041799e0eb3e123ff2c6.exe
Size

3.8MB
MD5

2ab925e1b611041799e0eb3e123ff2c6
SHA1

24828bee2c9f911a62dd07d085059436fcda7866
SHA256

105137f7201a737456f865513fbf14e64ac16facad90b4cb6c314ac765ea302f
SHA512

573e951cc2bb591c8529a70ba84a9e2c535c4d8e31b04bc31e7d81795e2ad404241b910344127535f616c5415c271a8166cbfc455df2a4e018110f568ef052b8
SSDEEP

98304:pqFbd9jWsKXaLj33cbC7p68b0GDaCoPTEt0NcQGojg:wFbd9jWPAjMbIbVDMTEtOclB

Score

9^/10

discovery evasion

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Executes dropped EXE 3 IoCs

pid	Process
2308	2ab925e1b611041799e0eb3e123ff2c6.tmp
2168	gentlemjmp_ieu.exe
552	gentlemjmp_ieu.tmp

Loads dropped DLL 10 IoCs

pid	Process
2144	2ab925e1b611041799e0eb3e123ff2c6.exe
2308	2ab925e1b611041799e0eb3e123ff2c6.tmp
2308	2ab925e1b611041799e0eb3e123ff2c6.tmp
2308	2ab925e1b611041799e0eb3e123ff2c6.tmp
2168	gentlemjmp_ieu.exe
552	gentlemjmp_ieu.tmp
552	gentlemjmp_ieu.tmp
552	gentlemjmp_ieu.tmp
552	gentlemjmp_ieu.tmp
552	gentlemjmp_ieu.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	2ab925e1b611041799e0eb3e123ff2c6.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2ab925e1b611041799e0eb3e123ff2c6.tmp

Enumerates processes with tasklist 1 TTPs 21 IoCs

Process Discovery

T1057

pid	Process
2944	tasklist.exe
2912	tasklist.exe
2940	tasklist.exe
2668	tasklist.exe
1656	tasklist.exe
376	tasklist.exe
2436	tasklist.exe
1532	tasklist.exe
2592	tasklist.exe
2168	tasklist.exe
1652	tasklist.exe
1480	tasklist.exe
1660	tasklist.exe
1492	tasklist.exe
2040	tasklist.exe
2688	tasklist.exe
2696	tasklist.exe
2184	tasklist.exe
488	tasklist.exe
884	tasklist.exe
1628	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	2ab925e1b611041799e0eb3e123ff2c6.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	2ab925e1b611041799e0eb3e123ff2c6.tmp

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2804	NETSTAT.EXE
2056	NETSTAT.EXE
1576	NETSTAT.EXE
2780	NETSTAT.EXE
2564	NETSTAT.EXE

Script User-Agent 9 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1412	powershell.exe
1516	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2184	tasklist.exe
Token: SeDebugPrivilege	2668	tasklist.exe
Token: SeDebugPrivilege	2940	tasklist.exe
Token: SeDebugPrivilege	1656	tasklist.exe
Token: SeDebugPrivilege	2168	gentlemjmp_ieu.exe
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeDebugPrivilege	1532	tasklist.exe
Token: SeDebugPrivilege	2436	tasklist.exe
Token: SeDebugPrivilege	2912	tasklist.exe
Token: SeDebugPrivilege	488	tasklist.exe
Token: SeDebugPrivilege	1480	tasklist.exe
Token: SeDebugPrivilege	376	tasklist.exe
Token: SeDebugPrivilege	1660	tasklist.exe
Token: SeDebugPrivilege	1628	tasklist.exe
Token: SeDebugPrivilege	884	tasklist.exe
Token: SeDebugPrivilege	2696	tasklist.exe
Token: SeDebugPrivilege	1492	tasklist.exe
Token: SeDebugPrivilege	1576	NETSTAT.EXE
Token: SeDebugPrivilege	2056	NETSTAT.EXE
Token: SeDebugPrivilege	2804	NETSTAT.EXE
Token: SeDebugPrivilege	2564	NETSTAT.EXE
Token: SeDebugPrivilege	2780	NETSTAT.EXE
Token: SeDebugPrivilege	2688	tasklist.exe
Token: SeDebugPrivilege	2944	tasklist.exe
Token: SeDebugPrivilege	2040	tasklist.exe
Token: SeDebugPrivilege	1652	tasklist.exe
Token: SeDebugPrivilege	1516	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2308	2144	2ab925e1b611041799e0eb3e123ff2c6.exe	17
PID 2144 wrote to memory of 2308	2144	2ab925e1b611041799e0eb3e123ff2c6.exe	17
PID 2144 wrote to memory of 2308	2144	2ab925e1b611041799e0eb3e123ff2c6.exe	17
PID 2144 wrote to memory of 2308	2144	2ab925e1b611041799e0eb3e123ff2c6.exe	17
PID 2144 wrote to memory of 2308	2144	2ab925e1b611041799e0eb3e123ff2c6.exe	17
PID 2144 wrote to memory of 2308	2144	2ab925e1b611041799e0eb3e123ff2c6.exe	17
PID 2144 wrote to memory of 2308	2144	2ab925e1b611041799e0eb3e123ff2c6.exe	17
PID 2308 wrote to memory of 2044	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	91
PID 2308 wrote to memory of 2044	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	91
PID 2308 wrote to memory of 2044	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	91
PID 2308 wrote to memory of 2044	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	91
PID 2044 wrote to memory of 1412	2044	cmd.exe	15
PID 2044 wrote to memory of 1412	2044	cmd.exe	15
PID 2044 wrote to memory of 1412	2044	cmd.exe	15
PID 2044 wrote to memory of 1412	2044	cmd.exe	15
PID 2308 wrote to memory of 2732	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	20
PID 2308 wrote to memory of 2732	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	20
PID 2308 wrote to memory of 2732	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	20
PID 2308 wrote to memory of 2732	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	20
PID 2732 wrote to memory of 2792	2732	cmd.exe	87
PID 2732 wrote to memory of 2792	2732	cmd.exe	87
PID 2732 wrote to memory of 2792	2732	cmd.exe	87
PID 2732 wrote to memory of 2792	2732	cmd.exe	87
PID 2792 wrote to memory of 2184	2792	cmd.exe	21
PID 2792 wrote to memory of 2184	2792	cmd.exe	21
PID 2792 wrote to memory of 2184	2792	cmd.exe	21
PID 2792 wrote to memory of 2184	2792	cmd.exe	21
PID 2308 wrote to memory of 2876	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	25
PID 2308 wrote to memory of 2876	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	25
PID 2308 wrote to memory of 2876	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	25
PID 2308 wrote to memory of 2876	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	25
PID 2876 wrote to memory of 2628	2876	cmd.exe	22
PID 2876 wrote to memory of 2628	2876	cmd.exe	22
PID 2876 wrote to memory of 2628	2876	cmd.exe	22
PID 2876 wrote to memory of 2628	2876	cmd.exe	22
PID 2628 wrote to memory of 2668	2628	cmd.exe	23
PID 2628 wrote to memory of 2668	2628	cmd.exe	23
PID 2628 wrote to memory of 2668	2628	cmd.exe	23
PID 2628 wrote to memory of 2668	2628	cmd.exe	23
PID 2308 wrote to memory of 2920	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	52
PID 2308 wrote to memory of 2920	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	52
PID 2308 wrote to memory of 2920	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	52
PID 2308 wrote to memory of 2920	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	52
PID 2920 wrote to memory of 2716	2920	cmd.exe	41
PID 2920 wrote to memory of 2716	2920	cmd.exe	41
PID 2920 wrote to memory of 2716	2920	cmd.exe	41
PID 2920 wrote to memory of 2716	2920	cmd.exe	41
PID 2716 wrote to memory of 2940	2716	cmd.exe	50
PID 2716 wrote to memory of 2940	2716	cmd.exe	50
PID 2716 wrote to memory of 2940	2716	cmd.exe	50
PID 2716 wrote to memory of 2940	2716	cmd.exe	50
PID 2308 wrote to memory of 1636	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	49
PID 2308 wrote to memory of 1636	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	49
PID 2308 wrote to memory of 1636	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	49
PID 2308 wrote to memory of 1636	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	49
PID 1636 wrote to memory of 1996	1636	cmd.exe	42
PID 1636 wrote to memory of 1996	1636	cmd.exe	42
PID 1636 wrote to memory of 1996	1636	cmd.exe	42
PID 1636 wrote to memory of 1996	1636	cmd.exe	42
PID 1996 wrote to memory of 1656	1996	cmd.exe	47
PID 1996 wrote to memory of 1656	1996	cmd.exe	47
PID 1996 wrote to memory of 1656	1996	cmd.exe	47
PID 1996 wrote to memory of 1656	1996	cmd.exe	47
PID 2308 wrote to memory of 812	2308	2ab925e1b611041799e0eb3e123ff2c6.tmp	46

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-390D0.tmp\ex.bat""
1⤵
PID:2044
- C:\Windows\SysWOW64\NETSTAT.EXE
  netstat -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\SysWOW64\findstr.exe
  findstr /C:"ESTABLISHED"
  2⤵
  PID:2892
- C:\Windows\SysWOW64\findstr.exe
  findstr /C:":5904 "
  2⤵
  PID:2752

C:\Users\Admin\AppData\Local\Temp\is-81565.tmp\2ab925e1b611041799e0eb3e123ff2c6.tmp
"C:\Users\Admin\AppData\Local\Temp\is-81565.tmp\2ab925e1b611041799e0eb3e123ff2c6.tmp" /SL5="$30130,3271290,56832,C:\Users\Admin\AppData\Local\Temp\2ab925e1b611041799e0eb3e123ff2c6.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
    3⤵
    PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
      4⤵
      PID:2680
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
    3⤵
    PID:2100
- C:\Users\Admin\AppData\Local\Temp\is-390D0.tmp\gentlemjmp_ieu.exe
  "C:\Users\Admin\AppData\Local\Temp\is-390D0.tmp\gentlemjmp_ieu.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\2ab925e1b611041799e0eb3e123ff2c6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:2932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:2612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"
  2⤵
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"
  2⤵
  PID:2376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"
  2⤵
  PID:2532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"
  2⤵
  PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-390D0.tmp\cmd.bat""
  2⤵
  PID:876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:2700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:2304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:1560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"
  2⤵
  PID:640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:2316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:1892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
  2⤵
  PID:1684

C:\Users\Admin\AppData\Local\Temp\2ab925e1b611041799e0eb3e123ff2c6.exe
"C:\Users\Admin\AppData\Local\Temp\2ab925e1b611041799e0eb3e123ff2c6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\tasklist.exe
  tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\tasklist.exe
  tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\tasklist.exe
  tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1656

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
1⤵
- Enumerates processes with tasklist
PID:2168
- C:\Users\Admin\AppData\Local\Temp\is-DFHH7.tmp\gentlemjmp_ieu.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DFHH7.tmp\gentlemjmp_ieu.tmp" /SL5="$1E01AC,2871969,56832,C:\Users\Admin\AppData\Local\Temp\is-390D0.tmp\gentlemjmp_ieu.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\2ab925e1b611041799e0eb3e123ff2c6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
1⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
1⤵
PID:2368
- C:\Windows\SysWOW64\tasklist.exe
  tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2592

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:488

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\find.exe
find "PID"
1⤵
PID:636

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
1⤵
PID:1336
- C:\Windows\SysWOW64\tasklist.exe
  tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1628

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\findstr.exe
findstr /C:":5900 "
1⤵
PID:1720

C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
1⤵
PID:3040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-SLPL0.tmp\ex.bat""
1⤵
PID:1332

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
1⤵
PID:2340

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
1⤵
PID:1632

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
1⤵
PID:1292

C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
1⤵
PID:2124

C:\Windows\SysWOW64\findstr.exe
findstr /C:":5903 "
1⤵
PID:2624

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
1⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
1⤵
PID:2816

C:\Windows\SysWOW64\findstr.exe
findstr /C:":5902 "
1⤵
PID:2740

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
1⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\findstr.exe
findstr /C:":5901 "
1⤵
PID:1324

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
1⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
1⤵
PID:3020

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
1⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
1⤵
PID:1648

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
1⤵
PID:3012

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
1⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
1⤵
PID:2356

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "WINDOWTITLE eq Process Monitor*"
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
1⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
1⤵
PID:700

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
1⤵
PID:2596

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

Software Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-96-0x00000000005C0000-0x00000000005FC000-memory.dmp

Filesize
240KB

Download
memory/552-84-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/552-117-0x00000000005C0000-0x00000000005FC000-memory.dmp

Filesize
240KB

Download
memory/552-118-0x00000000003D0000-0x00000000003E5000-memory.dmp

Filesize
84KB

Download
memory/552-116-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/552-100-0x00000000003D0000-0x00000000003E5000-memory.dmp

Filesize
84KB

Download
memory/1412-21-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1412-23-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1412-20-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1412-22-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1412-19-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1516-110-0x0000000002BC0000-0x0000000002C00000-memory.dmp

Filesize
256KB

Download
memory/1516-112-0x0000000002BC0000-0x0000000002C00000-memory.dmp

Filesize
256KB

Download
memory/1516-113-0x00000000731C0000-0x000000007376B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-111-0x00000000731C0000-0x000000007376B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-109-0x00000000731C0000-0x000000007376B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2144-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2144-119-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2144-124-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2144-125-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2168-78-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2168-75-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2168-121-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2308-14-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2308-120-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2308-122-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2308-123-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download