Analysis
- max time kernel: 150s
- max time network: 165s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-03-2024 20:26
Behavioral tasks (task: sample, resource)
- behavioral1: @_136 @828#-138389J-SJFJDSM.exe, win7-20240221-en
- behavioral2: @_136 @828#-138389J-SJFJDSM.exe, win10v2004-20240226-en
- behavioral3: TrashMalwares-main/AcidRain.exe, win7-20240221-en
- behavioral4: TrashMalwares-main/AcidRain.exe, win10v2004-20240226-en
- behavioral5: AdStRkJ.exe, win7-20240221-en
- behavioral6: AdStRkJ.exe, win10v2004-20240226-en
- behavioral7: Anatralier.exe, win7-20240215-en
- behavioral8: Anatralier.exe, win10v2004-20240226-en
- behavioral9: TrashMalwares-main/Antivirus_Installer.exe, win7-20240221-en
- behavioral10: TrashMalwares-main/Antivirus_Installer.exe, win10v2004-20240226-en
- behavioral11: TrashMalwares-main/Dro trojan. Virus prank.exe, win7-20240221-en
- behavioral12: TrashMalwares-main/Dro trojan. Virus prank.exe, win10v2004-20240226-en
- behavioral13: TrashMalwares-main/FaZoN.bat, win7-20240221-en
- behavioral14: TrashMalwares-main/FaZoN.bat, win10v2004-20240226-en
- behavioral15: TrashMalwares-main/Fizz.exe, win7-20240221-en
- behavioral16: TrashMalwares-main/Fizz.exe, win10v2004-20240226-en
- behavioral17: TrashMalwares-main/Ginxide.exe, win7-20240221-en
- behavioral18: TrashMalwares-main/Ginxide.exe, win10v2004-20240226-en
- behavioral19: TrashMalwares-main/Install Windows20.exe, win7-20240221-en
- behavioral20: TrashMalwares-main/Install Windows20.exe, win10v2004-20240226-en
- behavioral21: TrashMalwares-main/MS-RickRoll.exe, win7-20240220-en
- behavioral22: TrashMalwares-main/MS-RickRoll.exe, win10v2004-20240226-en
- behavioral23: TrashMalwares-main/MercuryXhoffle.exe, win7-20240221-en
- behavioral24: TrashMalwares-main/MercuryXhoffle.exe, win10v2004-20240226-en
- behavioral25: TrashMalwares-main/NetPakoe.bat, win7-20240221-en
- behavioral26: TrashMalwares-main/NetPakoe.bat, win10v2004-20240226-en
- behavioral27: TrashMalwares-main/NetPakoe3.0.exe, win7-20240221-en
- behavioral28: TrashMalwares-main/NetPakoe3.0.exe, win10v2004-20240226-en
- behavioral29: TrashMalwares-main/NoEscape8.0.exe, win7-20240221-en
- behavioral30: TrashMalwares-main/NoEscape8.0.exe, win10v2004-20240226-en
- behavioral31: TrashMalwares-main/PC shaking v4.0.exe, win7-20240220-en
- behavioral32: TrashMalwares-main/PC shaking v4.0.exe, win10v2004-20240226-en
General
- Target: TrashMalwares-main/Dro trojan. Virus prank.exe
- Size: 1.8MB
- MD5: af483a4c67d358dd807194ef89484f1e
- SHA1: 4aefb5884e289fb85af3f5a5bec344b738073603
- SHA256: 480ca2097e13abb1444b69b0d984961702f8ee8122fc0f0acc5bff217d253854
- SHA512: e5739841097828a7789e7a3317a0efa1ce4c109490df1d1ce62e559fa555affc7aee69d389bb50d5dbb4bf5d1d87d94a22cf4a5b9a0e3d7da3b48813c1c75917
- SSDEEP: 49152:ysNjxEmz1dG6HOMlDTsBQL/difgzGSe5Wa6IQ:yYymicDT2C/EfyuUl
Signatures
- Disables Task Manager via registry modification
- Executes dropped EXE (9 IoCs)
  pid process: 2452 START.exe; 840 Killer.exe; 2292 Shaking_horizontally.exe; 448 R_O_13-27.exe; 620 Draw_cursor.exe; 664 Error_icons.exe; 3000 Inversion_and_oil.exe; 2832 New_Names.exe; 2716 Shaking_horizontally.exe
- Loads dropped DLL (20 IoCs)
  pid process: 2804 Dro trojan. Virus prank.exe; 2804 Dro trojan. Virus prank.exe; 2804 Dro trojan. Virus prank.exe; 2452 START.exe; 2452 START.exe; 840 Killer.exe; 2632 cmd.exe; 2292 Shaking_horizontally.exe; 2452 START.exe; 448 R_O_13-27.exe; 2452 START.exe; 620 Draw_cursor.exe; 2452 START.exe; 664 Error_icons.exe; 2452 START.exe; 3000 Inversion_and_oil.exe; 2452 START.exe; 2452 START.exe; 2452 START.exe; 2716 Shaking_horizontally.exe
- Enumerates physical storage devices (1 TTPs): attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  pid process: 324 timeout.exe
- Kills process with taskkill (6 IoCs)
  pid process: 1048 taskkill.exe; 1456 taskkill.exe; 916 taskkill.exe; 2184 taskkill.exe; 596 taskkill.exe; 2936 taskkill.exe
- Modifies Internet Explorer settings
  processes: iexplore.exe, IEXPLORE.EXE
- Runs regedit.exe (1 IoCs)
  pid process: 2416 regedit.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege in 2936 taskkill.exe; 1048 taskkill.exe; 1456 taskkill.exe; 916 taskkill.exe; 2184 taskkill.exe; 596 taskkill.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid process: 2320 WScript.exe; 2576 iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid process: 2576 iexplore.exe; 2576 iexplore.exe; 2804 IEXPLORE.EXE; 2804 IEXPLORE.EXE; 2804 IEXPLORE.EXE; 2804 IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (64 IoCs)
  source pid process -> target pid process (each edge recorded 4 times):
  2804 Dro trojan. Virus prank.exe -> 2452 START.exe
  2452 START.exe -> 2488 WScript.exe
  2452 START.exe -> 840 Killer.exe
  2488 WScript.exe -> 2888 cmd.exe
  2888 cmd.exe -> 2920 reg.exe
  2888 cmd.exe -> 2936 taskkill.exe
  2888 cmd.exe -> 1048 taskkill.exe
  2888 cmd.exe -> 1456 taskkill.exe
  2888 cmd.exe -> 916 taskkill.exe
  2888 cmd.exe -> 2184 taskkill.exe
  2888 cmd.exe -> 548 reg.exe
  2452 START.exe -> 2320 WScript.exe
  2452 START.exe -> 2844 WScript.exe
  2844 WScript.exe -> 2632 cmd.exe
  2632 cmd.exe -> 2292 Shaking_horizontally.exe
  2632 cmd.exe -> 324 timeout.exe
Processes (indented by parent/child depth)
PID 2804  C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Dro trojan. Virus prank.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Dro trojan. Virus prank.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    PID 2452  C:\Users\Admin\AppData\Local\Temp\START.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\START.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        PID 2488  C:\Windows\SysWOW64\WScript.exe
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZbDz.vbs"
          - Suspicious use of WriteProcessMemory
            PID 2888  C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZbDz.bat" "
              - Suspicious use of WriteProcessMemory
                PID 2920  C:\Windows\SysWOW64\reg.exe
                  cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v "DisableTaskMgr" /t REG_DWORD /d 1
                PID 2936  C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /IM Taskmgr.exe /F
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
                PID 1048  C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /IM Taskmgr.exe /F
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
                PID 1456  C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /IM Taskmgr.exe /F
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
                PID 916  C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /IM Taskmgr.exe /F
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
                PID 2184  C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /IM Taskmgr.exe /F
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
                PID 548  C:\Windows\SysWOW64\reg.exe
                  cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v "DisableTaskMgr" /t REG_DWORD /d 1
        PID 840  C:\Users\Admin\AppData\Local\Temp\Killer.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Killer.exe"
          - Executes dropped EXE
          - Loads dropped DLL
        PID 2320  C:\Windows\SysWOW64\WScript.exe
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Collapse_all.js"
          - Suspicious use of FindShellTrayWindow
        PID 2844  C:\Windows\SysWOW64\WScript.exe
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHK.vbs"
          - Suspicious use of WriteProcessMemory
            PID 2632  C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\SHK.bat" "
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory
                PID 2292  C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe
                  cmdline: Shaking_horizontally.exe
                  - Executes dropped EXE
                  - Loads dropped DLL
                PID 324  C:\Windows\SysWOW64\timeout.exe
                  cmdline: timeout /t 1
                  - Delays execution with timeout.exe
                PID 596  C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /IM Shaking_horizontally.exe /F
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        PID 448  C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe"
          - Executes dropped EXE
          - Loads dropped DLL
            PID 1156  C:\Windows\SysWOW64\calc.exe
              cmdline: "C:\Windows\System32\calc.exe"
            PID 1328  C:\Windows\SysWOW64\notepad.exe
              cmdline: "C:\Windows\System32\notepad.exe"
            PID 2192  C:\Windows\SysWOW64\control.exe
              cmdline: "C:\Windows\System32\control.exe"
            PID 1592  C:\Windows\SysWOW64\calc.exe
              cmdline: "C:\Windows\System32\calc.exe"
            PID 2712  C:\Windows\SysWOW64\notepad.exe
              cmdline: "C:\Windows\System32\notepad.exe"
            PID 2576  C:\Program Files\Internet Explorer\iexplore.exe
              cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://neave.tv/
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
                PID 2804  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:275457 /prefetch:2
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
            PID 2416  C:\Windows\SysWOW64\regedit.exe
              cmdline: "C:\Windows\System32\regedit.exe"
              - Runs regedit.exe
        PID 620  C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe"
          - Executes dropped EXE
          - Loads dropped DLL
        PID 664  C:\Users\Admin\AppData\Local\Temp\Error_icons.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Error_icons.exe"
          - Executes dropped EXE
          - Loads dropped DLL
        PID 3000  C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe"
          - Executes dropped EXE
          - Loads dropped DLL
        PID 2832  C:\Users\Admin\AppData\Local\Temp\New_Names.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\New_Names.exe"
          - Executes dropped EXE
        PID 2716  C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe"
          - Executes dropped EXE
          - Loads dropped DLL
PID 584  C:\Windows\SysWOW64\DllHost.exe
  cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}