Analysis
max time kernel: 148s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/02/2024, 16:00
Static task: static1
Behavioral task: behavioral1
    Sample: Swift 19022024.bat
    Resource: win7-20231215-en
Behavioral task: behavioral2
    Sample: Swift 19022024.bat
    Resource: win10v2004-20240220-en
General
Target: Swift 19022024.bat
Size: 2.2MB
MD5: 6dc5aa35800875f5e06a20da26286f13
SHA1: b9fbf17b8a2aeae452050b2f660ef8cff024a433
SHA256: db5c362b0b4ec0a9bbc7b2c5a186a22019c82c2a96a7c326fad2e1f095de22db
SHA512: a51120e0800a2694ae14267faf667dc5f37be76bf17bcc042931ef8a1f7f8b38237bf12f441ce3eec7eb4aba15428e3ddcbaa2f23a2944b7f8adbe9c9a5649ab
SSDEEP: 24576:RLM2LFX2P6Qv1hhxfAswo1eoKHMX+mIi8g1CLbGBi3oucj+9OtOT+a0sloBJCpDo:RYQSv1fxfAsJ1eoVuSDW0YXEx
Malware Config
Extracted: remcos
RemoteHost: swjurf.work.gd:9231
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: hgjbhk
mouse_option: false
mutex: Rmc-BM92FA
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
resource | yara_rule
behavioral2/memory/1960-7-0x00000000049D0000-0x00000000059D0000-memory.dmp | modiloader_stage2

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/4424-88-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView
behavioral2/memory/4424-95-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/memory/2560-85-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral2/memory/2560-98-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView

Nirsoft (7 IoCs)
resource | yara_rule
behavioral2/memory/2560-85-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/4424-88-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral2/memory/3080-94-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/4424-95-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral2/memory/3080-96-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/3080-90-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/2560-98-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
Creates new service(s) (1 TTP)

Executes dropped EXE (3 IoCs)
pid | Process
1960 | pointer.com
1476 | easinvoker.exe
3364 | easinvoker.exe

Loads dropped DLL (2 IoCs)
pid | Process
1476 | easinvoker.exe
3364 | easinvoker.exe

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | SndVol.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Soxqluzt = "C:\\Users\\Public\\Soxqluzt.url" | pointer.com

Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | dxdiag.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 2184 set thread context of 2560 | 2184 | SndVol.exe | 120
PID 2184 set thread context of 4424 | 2184 | SndVol.exe | 121
PID 2184 set thread context of 3080 | 2184 | SndVol.exe | 122
Launches sc.exe (2 IoCs)
sc.exe is a Windows utility to control services on the system.
pid | Process
2964 | sc.exe
3540 | sc.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1216 | 2184 | WerFault.exe | 116

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | dxdiag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | dxdiag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | dxdiag.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
description | ioc | Process | count
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe | 4
Modifies registry class (36 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | dxdiag.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2097088205-1470669305-146258644-1000\{19F0054F-A60F-4EF9-95A9-B09BE819DC77} | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | dxdiag.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2097088205-1470669305-146258644-1000\{A8B1C8DB-E7FB-48D9-9A9C-054EE56AE456} | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | dxdiag.exe
Runs ping.exe (1 TTP, 1 IoC)
pid | Process
3856 | PING.EXE

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 28 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 26 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | count
1476 | easinvoker.exe | 64

Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
664 | Process not Found

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | Process | count
2184 | SndVol.exe | 3

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3172 | powershell.exe
Token: SeDebugPrivilege | 3080 | SndVol.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2184 | SndVol.exe
4372 | dxdiag.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | count
PID 3768 wrote to memory of 208 | 3768 | cmd.exe | 86 | 2
PID 208 wrote to memory of 1648 | 208 | cmd.exe | 87 | 2
PID 3768 wrote to memory of 3856 | 3768 | cmd.exe | 89 | 2
PID 3768 wrote to memory of 1960 | 3768 | cmd.exe | 92 | 3
PID 1960 wrote to memory of 2996 | 1960 | pointer.com | 93 | 3
PID 2996 wrote to memory of 540 | 2996 | cmd.exe | 95 | 3
PID 2996 wrote to memory of 4252 | 2996 | cmd.exe | 97 | 3
PID 2996 wrote to memory of 828 | 2996 | cmd.exe | 98 | 3
PID 2996 wrote to memory of 4496 | 2996 | cmd.exe | 99 | 3
PID 2996 wrote to memory of 624 | 2996 | cmd.exe | 100 | 3
PID 2996 wrote to memory of 1128 | 2996 | cmd.exe | 101 | 3
PID 2996 wrote to memory of 1436 | 2996 | cmd.exe | 102 | 3
PID 2996 wrote to memory of 5092 | 2996 | cmd.exe | 103 | 3
PID 2996 wrote to memory of 4508 | 2996 | cmd.exe | 104 | 3
PID 2996 wrote to memory of 1476 | 2996 | cmd.exe | 105 | 2
PID 1476 wrote to memory of 4060 | 1476 | easinvoker.exe | 106 | 2
PID 4060 wrote to memory of 412 | 4060 | cmd.exe | 108 | 2
PID 4060 wrote to memory of 2964 | 4060 | cmd.exe | 110 | 2
PID 4060 wrote to memory of 3540 | 4060 | cmd.exe | 111 | 2
PID 412 wrote to memory of 3172 | 412 | cmd.exe | 112 | 2
PID 1960 wrote to memory of 4044 | 1960 | pointer.com | 113 | 3
PID 4044 wrote to memory of 3364 | 4044 | cmd.exe | 115 | 2
PID 1960 wrote to memory of 2184 | 1960 | pointer.com | 116 | 4
PID 2184 wrote to memory of 4372 | 2184 | SndVol.exe | 118 | 3
PID 2184 wrote to memory of 2560 | 2184 | SndVol.exe | 120 | 1
Processes
(indentation shows the parent/child depth of the process tree)

C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat"
    PID: 3768
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
        Command: cmd /c certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 3
        PID: 208
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\certutil.exe
            Command: certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 3
            PID: 1648

    C:\Windows\system32\PING.EXE
        Command: PING -n 3 127.0.0.1
        PID: 3856
        - Runs ping.exe

    C:\Users\Public\pointer.com
        Command: C:\Users\Public\pointer.com
        PID: 1960
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\SoxqluztO.bat" "
            PID: 2996
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
                Command: cmd /c mkdir "\\?\C:\Windows "
                PID: 540

            C:\Windows\SysWOW64\cmd.exe
                Command: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                PID: 4252

            C:\Windows\SysWOW64\xcopy.exe
                Command: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
                PID: 828
                - Enumerates system info in registry

            C:\Windows\SysWOW64\cmd.exe
                Command: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                PID: 4496

            C:\Windows\SysWOW64\xcopy.exe
                Command: xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
                PID: 624
                - Enumerates system info in registry

            C:\Windows\SysWOW64\cmd.exe
                Command: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                PID: 1128

            C:\Windows\SysWOW64\xcopy.exe
                Command: xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
                PID: 1436
                - Enumerates system info in registry

            C:\Windows\SysWOW64\cmd.exe
                Command: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                PID: 5092

            C:\Windows\SysWOW64\xcopy.exe
                Command: xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y
                PID: 4508
                - Enumerates system info in registry

            C:\Windows \System32\easinvoker.exe
                Command: "C:\\Windows \\System32\\easinvoker.exe"
                PID: 1476
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory

                C:\Windows\system32\cmd.exe
                    Command: C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
                    PID: 4060
                    - Suspicious use of WriteProcessMemory

                    C:\Windows\system32\cmd.exe
                        Command: cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                        PID: 412
                        - Suspicious use of WriteProcessMemory

                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Command: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                            PID: 3172
                            - Suspicious use of AdjustPrivilegeToken

                    C:\Windows\system32\sc.exe
                        Command: sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel
                        PID: 2964
                        - Launches sc.exe

                    C:\Windows\system32\sc.exe
                        Command: sc.exe start truesight
                        PID: 3540
                        - Launches sc.exe

        C:\Windows\SysWOW64\cmd.exe
            Command: cmd /c "C:\\Windows \\System32\\easinvoker.exe"
            PID: 4044
            - Suspicious use of WriteProcessMemory

            C:\Windows \System32\easinvoker.exe
                Command: "C:\\Windows \\System32\\easinvoker.exe"
                PID: 3364
                - Executes dropped EXE
                - Loads dropped DLL

        C:\Windows\SysWOW64\SndVol.exe
            Command: C:\Windows\System32\SndVol.exe
            PID: 2184
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\dxdiag.exe
                Command: "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
                PID: 4372
                - Drops file in System32 directory
                - Checks SCSI registry key(s)
                - Modifies registry class
                - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\SndVol.exe
                Command: C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\szzfmowqxmk"
                PID: 2560

            C:\Windows\SysWOW64\SndVol.exe
                Command: C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ubexmhhjlvcuid"
                PID: 4424
                - Accesses Microsoft Outlook accounts

            C:\Windows\SysWOW64\SndVol.exe
                Command: C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\fvsinzrlhduhsrbrps"
                PID: 3080
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
                Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1488
                PID: 1216
                - Program crash

C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2184 -ip 2184
    PID: 2340
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads