Analysis
max time kernel: 106s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-03-2024 03:00
Static task: static1
Behavioral task: behavioral1
Sample: ce46c89555525a74ecc82cd2291e6f93427558887c18923eaca699be08a090de.exe
Resource: win7-20240220-en
General
Target: ce46c89555525a74ecc82cd2291e6f93427558887c18923eaca699be08a090de.exe
Size: 161KB
MD5: bc1d715110d34c705944635aa9d31ea7
SHA1: 61fe5b0107489bd36600dae217c3ef6863bfde23
SHA256: ce46c89555525a74ecc82cd2291e6f93427558887c18923eaca699be08a090de
SHA512: d651965d279f22f5f3f57b7d5e4a356f12e67e3a77fa25389bd9abb260bbcd87d7607f89bfa6cccf67c92f97dc9923b171dcd889b5479dad3728ce4ea6b9d824
SSDEEP: 3072:QiZUCzGvz/JqhqOeM3JohWsGZ1bRCXfS:Q6UCy/JdgpDZd0
Malware Config
Extracted: smokeloader
- pub1
Extracted: smokeloader
- 2022
- http://trad-einmyus.com/index.php
- http://tradein-myus.com/index.php
- http://trade-inmyus.com/index.php
Extracted: djvu
- http://sajdfue.com/test1/get.php
- extension: .wisz
- offline_id: 4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
- payload_url: http://sdfjhuz.com/dl/build2.exe
- payload_url: http://sajdfue.com/files/1/build3.exe
- ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS
Extracted: lumma
- https://resergvearyinitiani.shop/api
- https://technologyenterdo.shop/api
- https://detectordiscusser.shop/api
- https://turkeyunlikelyofw.shop/api
- https://associationokeo.shop/api
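The extracted configuration above is most useful once it is turned into network indicators that can be run over proxy and DNS logs. The script below is an added example for this report, not code from the sandbox or from any of the malware families; EXTRACTED_CONFIG copies the URLs from the Malware Config section, and SAMPLE_LOG is constructed for the demo rather than captured from this run. It matches on hostnames rather than full URLs, because the paths (/index.php, /api, /test1/get.php) change between builds while the domains are what the operator has to keep, and it keeps the api.2ip.ua lookup (a legitimate service the Djvu stage calls) as a weak signal rather than mixing it with the C2 hosts.

```python
"""Host-level IOC matching for the C2 and payload URLs extracted above.

Added example for this report, not sandbox or malware code. EXTRACTED_CONFIG
copies the Malware Config section; SAMPLE_LOG is constructed for the demo.
"""
import re
from urllib.parse import urlparse

EXTRACTED_CONFIG = {
    "smokeloader": [
        "http://trad-einmyus.com/index.php",
        "http://tradein-myus.com/index.php",
        "http://trade-inmyus.com/index.php",
    ],
    "djvu": [
        "http://sajdfue.com/test1/get.php",      # C2
        "http://sdfjhuz.com/dl/build2.exe",      # payload_url
        "http://sajdfue.com/files/1/build3.exe", # payload_url
    ],
    "lumma": [
        "https://resergvearyinitiani.shop/api",
        "https://technologyenterdo.shop/api",
        "https://detectordiscusser.shop/api",
        "https://turkeyunlikelyofw.shop/api",
        "https://associationokeo.shop/api",
    ],
}

# Legitimate IP-lookup service contacted by the Djvu stage: a weak indicator
# on its own, so it is tracked separately from the C2 hosts.
WEAK_HOSTS = {"api.2ip.ua": "djvu (external IP lookup)"}


def build_iocs(config):
    """Map hostname -> family. Matching on the host rather than the full URL
    still catches the infrastructure when the path changes between builds."""
    return {urlparse(u).hostname.lower(): fam
            for fam, urls in config.items() for u in urls}


def ioc_pattern(hosts):
    """One regex matching any IOC host as a whole label sequence, so
    'sajdfue.com' hits 'www.sajdfue.com' but not 'notsajdfue.com'.
    (A host followed by more labels, e.g. 'sajdfue.com.evil.net', still
    matches; treat that as a review item rather than a miss.)"""
    alts = "|".join(re.escape(h) for h in sorted(hosts, key=len, reverse=True))
    return re.compile(r"(?<![\w-])(" + alts + r")(?![\w-])")


def scan_log_lines(lines, iocs, weak=WEAK_HOSTS):
    """Return (line_no, host, family, strong) for every IOC host found."""
    hosts = {h: (f, True) for h, f in iocs.items()}
    hosts.update({h: (f, False) for h, f in weak.items()})
    pat = ioc_pattern(hosts)
    hits = []
    for n, line in enumerate(lines, 1):
        for m in pat.finditer(line.lower()):
            family, strong = hosts[m.group(1)]
            hits.append((n, m.group(1), family, strong))
    return hits


# Constructed proxy/DNS lines for the demo; not traffic from this analysis.
SAMPLE_LOG = [
    "2024-03-07T03:01:12Z proxy 10.0.0.15 GET http://sajdfue.com/test1/get.php?pid=demo 200",
    "2024-03-07T03:01:15Z dns 10.0.0.15 query A api.2ip.ua",
    "2024-03-07T03:01:20Z proxy 10.0.0.15 CONNECT technologyenterdo.shop:443 200",
    "2024-03-07T03:02:01Z proxy 10.0.0.22 GET http://example.com/index.php 200",
    "2024-03-07T03:02:05Z dns 10.0.0.22 query A notsajdfue.com",
]


def demo():
    return scan_log_lines(SAMPLE_LOG, build_iocs(EXTRACTED_CONFIG))


if __name__ == "__main__":
    for n, host, family, strong in demo():
        print(f"line {n}: {host} -> {family}{'' if strong else ' [weak]'}")
```

The deliberately unrelated lines (example.com, notsajdfue.com) do not fire; the three hits are the Djvu C2, the weak 2ip.ua lookup and a Lumma C2 reached over CONNECT, where only the host:port is visible.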
Signatures
-
Detect ZGRat V1 (3 IoCs)
resource / yara_rule:
- behavioral2/files/0x000d000000023155-149.dat: family_zgrat_v1
- behavioral2/files/0x000d000000023155-150.dat: family_zgrat_v1
- behavioral2/memory/2972-153-0x00000000005B0000-0x0000000000D04000-memory.dmp: family_zgrat_v1
Detected Djvu ransomware (9 IoCs)
resource / yara_rule:
- behavioral2/memory/3176-19-0x0000000003CC0000-0x0000000003DDB000-memory.dmp: family_djvu
- behavioral2/memory/1548-20-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral2/memory/1548-22-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral2/memory/1548-23-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral2/memory/1548-24-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral2/memory/1548-34-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral2/memory/2132-40-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral2/memory/2132-41-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral2/memory/2132-43-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload (9 IoCs)
resource / yara_rule:
- behavioral2/memory/3252-100-0x0000000004350000-0x0000000004C3B000-memory.dmp: family_glupteba
- behavioral2/memory/3252-101-0x0000000000400000-0x00000000022EF000-memory.dmp: family_glupteba
- behavioral2/memory/3252-102-0x0000000000400000-0x00000000022EF000-memory.dmp: family_glupteba
- behavioral2/memory/3252-129-0x0000000000400000-0x00000000022EF000-memory.dmp: family_glupteba
- behavioral2/memory/3252-168-0x0000000000400000-0x00000000022EF000-memory.dmp: family_glupteba
- behavioral2/memory/3252-171-0x0000000004350000-0x0000000004C3B000-memory.dmp: family_glupteba
- behavioral2/memory/2268-223-0x0000000000400000-0x00000000022EF000-memory.dmp: family_glupteba
- behavioral2/memory/2268-226-0x0000000000400000-0x00000000022EF000-memory.dmp: family_glupteba
- behavioral2/memory/2268-247-0x0000000000400000-0x00000000022EF000-memory.dmp: family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Detects Windows executables referencing non-Windows User-Agents (7 IoCs)
resource / yara_rule:
- behavioral2/memory/3252-101-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- behavioral2/memory/3252-102-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- behavioral2/memory/3252-129-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- behavioral2/memory/3252-168-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- behavioral2/memory/2268-223-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- behavioral2/memory/2268-226-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- behavioral2/memory/2268-247-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Detects executables with a Discord URL observed in first-stage droppers (7 IoCs)
resource / yara_rule:
- behavioral2/memory/3252-101-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_DiscordURL
- behavioral2/memory/3252-102-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_DiscordURL
- behavioral2/memory/3252-129-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_DiscordURL
- behavioral2/memory/3252-168-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_DiscordURL
- behavioral2/memory/2268-223-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_DiscordURL
- behavioral2/memory/2268-226-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_DiscordURL
- behavioral2/memory/2268-247-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_DiscordURL
Detects executables containing URLs to raw contents of a GitHub gist (7 IoCs)
resource / yara_rule:
- behavioral2/memory/3252-101-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
- behavioral2/memory/3252-102-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
- behavioral2/memory/3252-129-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
- behavioral2/memory/3252-168-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
- behavioral2/memory/2268-223-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
- behavioral2/memory/2268-226-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
- behavioral2/memory/2268-247-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Detects executables containing artifacts associated with disabling Windows Defender (7 IoCs)
resource / yara_rule:
- behavioral2/memory/3252-101-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_DisableWinDefender
- behavioral2/memory/3252-102-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_DisableWinDefender
- behavioral2/memory/3252-129-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_DisableWinDefender
- behavioral2/memory/3252-168-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_DisableWinDefender
- behavioral2/memory/2268-223-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_DisableWinDefender
- behavioral2/memory/2268-226-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_DisableWinDefender
- behavioral2/memory/2268-247-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_DisableWinDefender
Detects executables referencing many varying, potentially fake Windows User-Agents (7 IoCs)
resource / yara_rule:
- behavioral2/memory/3252-101-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
- behavioral2/memory/3252-102-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
- behavioral2/memory/3252-129-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
- behavioral2/memory/3252-168-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
- behavioral2/memory/2268-223-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
- behavioral2/memory/2268-226-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
- behavioral2/memory/2268-247-0x0000000000400000-0x00000000022EF000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
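The YARA hit lists above are long because the sandbox records one entry per memory snapshot, so the same region in the same process shows up several times and the same region is matched by several rules. The parser below is an added example for this report, not the sandbox's own tooling; it reads the IoC text exactly as it appears in the Signatures section (the sample copies the Djvu, ZGRat, Glupteba and DisableWinDefender lines) and collapses it to one record per process and address range. The interesting output is the set of regions that appear at the same address in two different PIDs: 0x400000-0x537000 in 1548 and 2132, and 0x400000-0x22EF000 in 3252 and 2268, which lines up with the SetThreadContext and WriteProcessMemory events between those parent/child pairs.

```python
"""Parse the sandbox's flattened YARA IoC lines into per-process regions.

Added example for this report, not sandbox code. SAMPLE copies four of the
IoC lines from the Signatures section, joined with spaces.
"""
import re
from collections import defaultdict

# behavioral2/memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp <rule>
MEM_RE = re.compile(
    r"behavioral\d+/memory/(?P<pid>\d+)-(?P<snap>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)"
)
# behavioral2/files/<resource-id>.dat <rule>
FILE_RE = re.compile(r"behavioral\d+/files/(?P<res>\S+?)\.dat\s+(?P<rule>\S+)")


def parse_yara_iocs(text):
    """Return (memory_hits, file_hits) parsed from one or more IoC lines."""
    mem = [
        {"pid": int(m["pid"]), "snap": int(m["snap"]),
         "start": int(m["start"], 16), "end": int(m["end"], 16), "rule": m["rule"]}
        for m in MEM_RE.finditer(text)
    ]
    files = [{"res": m["res"], "rule": m["rule"]} for m in FILE_RE.finditer(text)]
    return mem, files


def regions_by_pid(mem_hits):
    """{pid: {(start, end): {rules}}}: one entry per distinct region,
    however many snapshots of it the sandbox took."""
    out = defaultdict(lambda: defaultdict(set))
    for h in mem_hits:
        out[h["pid"]][(h["start"], h["end"])].add(h["rule"])
    return out


def shared_regions(regions):
    """Address ranges flagged in more than one PID. Together with the
    SetThreadContext/WriteProcessMemory events between those PIDs this is
    the footprint of a parent writing its own image into a hollowed child."""
    seen = defaultdict(set)
    for pid, regs in regions.items():
        for rng in regs:
            seen[rng].add(pid)
    return {rng: sorted(pids) for rng, pids in seen.items() if len(pids) > 1}


SAMPLE = " ".join([
    "resource yara_rule",
    "behavioral2/memory/3176-19-0x0000000003CC0000-0x0000000003DDB000-memory.dmp family_djvu",
    "behavioral2/memory/1548-20-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu",
    "behavioral2/memory/1548-22-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu",
    "behavioral2/memory/1548-23-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu",
    "behavioral2/memory/1548-24-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu",
    "behavioral2/memory/1548-34-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu",
    "behavioral2/memory/2132-40-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu",
    "behavioral2/memory/2132-41-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu",
    "behavioral2/memory/2132-43-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu",
    "behavioral2/files/0x000d000000023155-149.dat family_zgrat_v1",
    "behavioral2/files/0x000d000000023155-150.dat family_zgrat_v1",
    "behavioral2/memory/2972-153-0x00000000005B0000-0x0000000000D04000-memory.dmp family_zgrat_v1",
    "behavioral2/memory/3252-100-0x0000000004350000-0x0000000004C3B000-memory.dmp family_glupteba",
    "behavioral2/memory/3252-101-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba",
    "behavioral2/memory/3252-102-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba",
    "behavioral2/memory/3252-129-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba",
    "behavioral2/memory/3252-168-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba",
    "behavioral2/memory/3252-171-0x0000000004350000-0x0000000004C3B000-memory.dmp family_glupteba",
    "behavioral2/memory/2268-223-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba",
    "behavioral2/memory/2268-226-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba",
    "behavioral2/memory/2268-247-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba",
    "behavioral2/memory/3252-101-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender",
    "behavioral2/memory/3252-102-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender",
    "behavioral2/memory/3252-129-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender",
    "behavioral2/memory/3252-168-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender",
    "behavioral2/memory/2268-223-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender",
    "behavioral2/memory/2268-226-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender",
    "behavioral2/memory/2268-247-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender",
])


def demo():
    mem, files = parse_yara_iocs(SAMPLE)
    regions = regions_by_pid(mem)
    return mem, files, regions, shared_regions(regions)


if __name__ == "__main__":
    _, _, regions, shared = demo()
    for pid, regs in sorted(regions.items()):
        for (s, e), rules in sorted(regs.items()):
            print(f"pid {pid}: 0x{s:X}-0x{e:X} ({e - s:#x} bytes) {sorted(rules)}")
    print("shared:", {f"0x{s:X}-0x{e:X}": p for (s, e), p in shared.items()})
```

Region sizes are also worth printing: the Djvu image region is 0x137000 bytes, which is far larger than the 161KB dropper on disk, so the memory hit is the unpacked second stage rather than the sample itself.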
Downloads MZ/PE file
-
Modifies Windows Firewall (2 TTPs, 1 IoC)
- PID 560: netsh.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation (E56E.exe)
Deletes itself (1 IoC)
- PID 3496: Process not Found
Executes dropped EXE (7 IoCs)
- PID 3176: E56E.exe
- PID 1548: E56E.exe
- PID 3992: E56E.exe
- PID 2132: E56E.exe
- PID 1560: BBF9.exe
- PID 3252: C755.exe
- PID 3880: E1E3.exe
Modifies file permissions (1 TTP, 1 IoC)
- PID 1096: icacls.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4293000e-4e43-4c2d-a04c-6ae7c45d2264\\E56E.exe\" --AutoStart" (E56E.exe)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 77: api.2ip.ua
- flow 80: api.2ip.ua
Suspicious use of SetThreadContext (2 IoCs)
- PID 3176 (E56E.exe) set thread context of PID 1548 (procid_target 97)
- PID 3992 (E56E.exe) set thread context of PID 2132 (procid_target 102)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (2 IoCs)
- PID 4676 (WerFault.exe) for target PID 2132 (procid_target 102)
- PID 3796 (WerFault.exe) for target PID 3700 (procid_target 133)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (ce46c89555525a74ecc82cd2291e6f93427558887c18923eaca699be08a090de.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (ce46c89555525a74ecc82cd2291e6f93427558887c18923eaca699be08a090de.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (ce46c89555525a74ecc82cd2291e6f93427558887c18923eaca699be08a090de.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4588: ce46c89555525a74ecc82cd2291e6f93427558887c18923eaca699be08a090de.exe (2 events)
- PID 3496: Process not Found (62 events)
Suspicious behavior: MapViewOfSection (1 IoC)
- PID 4588: ce46c89555525a74ecc82cd2291e6f93427558887c18923eaca699be08a090de.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
- PID 3496 (Process not Found): Token SeShutdownPrivilege (4 events), Token SeCreatePagefilePrivilege (4 events)
Suspicious use of WriteProcessMemory (41 IoCs)
- PID 3496 (Process not Found) wrote to memory of PID 3176 (procid_target 96): 3 events
- PID 3176 (E56E.exe) wrote to memory of PID 1548 (procid_target 97): 10 events
- PID 1548 (E56E.exe) wrote to memory of PID 1096 (procid_target 98): 3 events
- PID 1548 (E56E.exe) wrote to memory of PID 3992 (procid_target 99): 3 events
- PID 3992 (E56E.exe) wrote to memory of PID 2132 (procid_target 102): 10 events
- PID 3496 (Process not Found) wrote to memory of PID 1560 (procid_target 113): 3 events
- PID 3496 (Process not Found) wrote to memory of PID 2872 (procid_target 114): 2 events
- PID 2872 (cmd.exe) wrote to memory of PID 5100 (procid_target 116): 2 events
- PID 3496 (Process not Found) wrote to memory of PID 3252 (procid_target 117): 3 events
- PID 3496 (Process not Found) wrote to memory of PID 3880 (procid_target 118): 2 events
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\ce46c89555525a74ecc82cd2291e6f93427558887c18923eaca699be08a090de.exe (PID 4588)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce46c89555525a74ecc82cd2291e6f93427558887c18923eaca699be08a090de.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\E56E.exe (PID 3176)
  Command line: C:\Users\Admin\AppData\Local\Temp\E56E.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\E56E.exe (PID 1548)
    Command line: C:\Users\Admin\AppData\Local\Temp\E56E.exe
    Signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\icacls.exe (PID 1096)
      Command line: icacls "C:\Users\Admin\AppData\Local\4293000e-4e43-4c2d-a04c-6ae7c45d2264" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Signatures: Modifies file permissions
    - C:\Users\Admin\AppData\Local\Temp\E56E.exe (PID 3992)
      Command line: "C:\Users\Admin\AppData\Local\Temp\E56E.exe" --Admin IsNotAutoStart IsNotTask
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\E56E.exe (PID 2132)
        Command line: "C:\Users\Admin\AppData\Local\Temp\E56E.exe" --Admin IsNotAutoStart IsNotTask
        Signatures: Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe (PID 4676)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 568
          Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4860)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2132 -ip 2132
- C:\Users\Admin\AppData\Local\Temp\BBF9.exe (PID 1560)
  Command line: C:\Users\Admin\AppData\Local\Temp\BBF9.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\cmd.exe (PID 2872)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BF75.bat" "
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\reg.exe (PID 5100)
    Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
- C:\Users\Admin\AppData\Local\Temp\C755.exe (PID 3252)
  Command line: C:\Users\Admin\AppData\Local\Temp\C755.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2536)
    Command line: powershell -nologo -noprofile
  - C:\Users\Admin\AppData\Local\Temp\C755.exe (PID 2268)
    Command line: "C:\Users\Admin\AppData\Local\Temp\C755.exe"
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1572)
      Command line: powershell -nologo -noprofile
    - C:\Windows\system32\cmd.exe (PID 4412)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - C:\Windows\system32\netsh.exe (PID 560)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Signatures: Modifies Windows Firewall
- C:\Users\Admin\AppData\Local\Temp\E1E3.exe (PID 3880)
  Command line: C:\Users\Admin\AppData\Local\Temp\E1E3.exe
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\1EDE.exe (PID 2972)
  Command line: C:\Users\Admin\AppData\Local\Temp\1EDE.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe (PID 3700)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    - C:\Windows\SysWOW64\WerFault.exe (PID 3796)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 428
      Signatures: Program crash
- C:\Users\Admin\AppData\Local\Temp\439D.exe (PID 4560)
  Command line: C:\Users\Admin\AppData\Local\Temp\439D.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 3224)
    Command line: "C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit
- C:\Windows\explorer.exe (PID 1560)
  Command line: explorer.exe
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 4656)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\SysWOW64\dialer.exe (PID 2272)
  Command line: "C:\Windows\system32\dialer.exe"
- C:\Windows\SysWOW64\WerFault.exe (PID 4392)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3700 -ip 3700
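Three command lines in the tree above do the persistence and defense-evasion work: the icacls call that denies Everyone delete rights on the GUID-named directory where the Djvu stage copied itself, the netsh rule that opens inbound traffic for a binary named csrss.exe living in C:\Windows\rss rather than System32, and the reg add into HKCU\Software\clicker. The classifier below is an added example for this report, not sandbox code; it takes command lines copied from the Processes section plus the Run value from the "Adds Run key" signature, and tags each one. The system-process name list, the GUID-directory pattern and the constructed "RDP" control rule (a real System32 binary, which must not be flagged as masquerading) are this example's own assumptions.

```python
"""Tag persistence / defense-evasion command lines from a process tree.

Added example for this report, not sandbox code. CMDLINES copies entries
from the Processes section; the 'RDP' rule is a constructed control case.
"""
import re
from pathlib import PureWindowsPath

# Names an attacker may reuse for a binary dropped outside System32 (assumed list).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "smss.exe",
                        "winlogon.exe", "services.exe", "dllhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# <profile>\AppData\Local\<GUID>\ : the drop directory used by the Djvu stage here.
GUID_DIR = re.compile(
    r"\\appdata\\local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(\\|$)",
    re.I,
)


def _netsh_arg(cmd, key):
    """Value of key=... in a netsh command line, quoted or bare."""
    m = re.search(r"\b" + key + r'=(?:"([^"]*)"|(\S+))', cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def classify_cmdline(cmd):
    """Return a list of tags describing what the command line does."""
    tags = []
    low = cmd.lower()
    # icacls <dir> /deny *S-1-1-0:(OI)(CI)(DE,DC): Everyone loses delete rights,
    # so the user cannot simply remove the ransomware's copy of itself.
    if low.startswith("icacls ") and "/deny" in low and "*s-1-1-0" in low:
        m = re.match(r'icacls\s+"([^"]+)"', cmd, re.I)
        target = m.group(1) if m else ""
        if GUID_DIR.search(target):
            tags.append("icacls: Everyone denied delete on GUID-named AppData dir (Djvu self-protection)")
        else:
            tags.append("icacls: deny ACE for Everyone on " + target)
    # netsh advfirewall ... program=<path>: flag a system-process name outside System32.
    if "advfirewall firewall add rule" in low:
        name, prog, action = (_netsh_arg(cmd, k) for k in ("name", "program", "action"))
        if prog:
            base = PureWindowsPath(prog).name.lower()
            if base in SYSTEM_PROCESS_NAMES and not in_system_dir(prog):
                tags.append(f"netsh: {action} rule for system-process name {base} outside System32: {prog}")
            else:
                tags.append(f"netsh: {action} rule {name!r} for {prog}")
    if low.startswith("reg add ") and "hkey_current_user\\software\\" in low:
        tags.append("reg: writes HKCU\\Software value")
    # Switches the Djvu stage passed to its own re-launched copies in this run.
    if "--admin isnotautostart isnottask" in low:
        tags.append("Djvu stage re-launched with --Admin IsNotAutoStart IsNotTask")
    return tags


def classify_run_value(name, data):
    """Tags for one HKCU\\...\\Run value (value name, string data)."""
    tags = []
    if GUID_DIR.search(data) and "--autostart" in data.lower():
        tags.append(f"Run\\{name}: Djvu-style autostart from GUID-named AppData dir")
    return tags


CMDLINES = [
    'icacls "C:\\Users\\Admin\\AppData\\Local\\4293000e-4e43-4c2d-a04c-6ae7c45d2264" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    'reg add "HKEY_CURRENT_USER\\Software\\clicker\\key" /v primary /t REG_DWORD /d 1',
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\E56E.exe" --Admin IsNotAutoStart IsNotTask',
    # Constructed control case: a rule for a genuine System32 binary is not masquerading.
    'netsh advfirewall firewall add rule name="RDP" dir=in action=allow program="C:\\Windows\\System32\\svchost.exe" enable=yes',
]
RUN_VALUE = ("SysHelper",
             '"C:\\Users\\Admin\\AppData\\Local\\4293000e-4e43-4c2d-a04c-6ae7c45d2264\\E56E.exe" --AutoStart')


def demo():
    return [classify_cmdline(c) for c in CMDLINES], classify_run_value(*RUN_VALUE)


if __name__ == "__main__":
    cmd_tags, run_tags = demo()
    for cmd, tags in zip(CMDLINES, cmd_tags):
        print(cmd[:60], "->", tags)
    print(RUN_VALUE[0], "->", run_tags)
```

When cleaning up a host that shows these artifacts, the deny ACE has to be removed before the directory can be deleted (icacls <dir> /remove:d *S-1-1-0), and the firewall rule should be deleted by name and program rather than by name alone, since "csrss" is a plausible label for a legitimate-looking rule.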
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
- Filesize: 3.2MB
  MD5: 4bdddca26964ebf7db04944823b76b22
  SHA1: fc74dd75953341f476feebf6f4e15aed9a38ab12
  SHA256: 44db6c5c0c1c681a0a46a14aad0a9338298c1df198160858a633add2ad20acf4
  SHA512: d6833140d952ec5d50bc5ae84e0dac602894deec77c52017ec27bd1ba523269f55ba013c276ae92bdb98aaee07d3528f4868c84dcda6b79dd4aebdf693701d57
- Filesize: 3.3MB
  MD5: 305b03b1affc757d7d694ac1aefa4d7a
  SHA1: 8ef5d1b8d96e689e6441ed2dc837df2539728ec4
  SHA256: bc68d05161bca03f8fc6598927984cc2aecc35c8702b205ff46ab33ab8928bb9
  SHA512: 49905711ad6031bc714053f0841d71df38dcd8ed2e78f385bc45e1d54a4ff32020efb29f332d3d994ff3fdf6d63e05bacbac76832f5ef651850d1bf1bebfde1c
- Filesize: 448KB
  MD5: 941922de71ef0175259f4afc6739de4a
  SHA1: 9e87a6f8bc0d1a3801fe4764803baa0183b0bb59
  SHA256: 381537e181d9c0236af7120b5956a26734b81dfa13454d0de60adc2347f1b38d
  SHA512: a83b3cdda1f8f7f1e86f99f27ae483c0d2d50eec707b69825ec53af0070eaafa880e79a3d62cc488d0e9d3caf898b9ff7e3248552f9e8250932d2a651b6e841c
- Filesize: 3.4MB
  MD5: e252be2be6afb746895d560da2699210
  SHA1: 05f58f7aba19f5d328c53852d23a71e5366143bb
  SHA256: 87d0479906dbddae464d3da737681cfb5ec5b477670ad80e0e6dbe44c8d3c3e1
  SHA512: b40c8d29c8e2aeed5bce282a8dc8e5cfdb27269be6bfd0e7b5df363a1539568227036578760aa7a18d11dfb1cb9ea9edcedf68fbbac6a14f2df1f2701d72cfa6
- Filesize: 6.7MB
  MD5: 74cf066c5c492eb825b36550b1e38326
  SHA1: 8f211213fbd6905b5e44bf2af07e481832198a7f
  SHA256: 24201da166b3e59a7a2b79f24881222c41e35f26642dd757fcc51ec47c9404e4
  SHA512: 24ad3ebb70332741959b13be504ec2b3baee9668bb3a8e8ae314432ac2e084ad11c03f4abfba6f7557273cddb1b3d2e2361c71246f3fd7fccabae218dd8b2e91
- Filesize: 77B
  MD5: 55cc761bf3429324e5a0095cab002113
  SHA1: 2cc1ef4542a4e92d4158ab3978425d517fafd16d
  SHA256: d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
  SHA512: 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
- Filesize: 4.1MB
  MD5: 1047d7617f162d488920965b0a8b876c
  SHA1: 059afd73ca2f9b7c358979a6f1cc99c5424281a2
  SHA256: 58b5bdc3cd4730734032dcc2dde7452889e6b6a12f3ae61e142df1121551859c
  SHA512: 698483dca1f3dc3a3056b041a7c70e1609d86dcc4dc9751b04a67810be19c999235372d1a07d5806459f51d513deab91524c6fccd83b554afc331914690b74ac
- Filesize: 1.9MB
  MD5: 556785c0390c81c38e08e889cfd0485d
  SHA1: 3b9962afde889041276ff430548ff02989ec9c6b
  SHA256: 1b3bb7aa1e3ec19768b56999110cb50ea42fd19f8304cbb6c5fb320acb1c092e
  SHA512: bb36c058a39c7cdb81f06a308dd521d2e8846c17f56c33c4f7d91636523cc74e61cad0f33915aee15bc6b091bececa3fad19233b98c7d363271bbd7eef777a59
- Filesize: 768KB
  MD5: bb197f6eb72e40010025d12ac608ddea
  SHA1: 4868b3b545c5caf616af500b6ec529670b0ad24e
  SHA256: 1cd1197d6b185a20815b956ccd8823365337b3bdd4cb31c2d98b15cf5d85b42d
  SHA512: ced47870f023791544a0307cbf1389dcb70beee247e37c3ee6b41b31a52b872d3118953f79df688fb6bbb5622d99a31a42308e2ef3f82a2cfc34cbe4c64092ff
- Filesize: 4.4MB
  MD5: 88e2be2a31fa1edbf72d57f197bbeb99
  SHA1: 1dadb395d1265a1b7d576c82da9164a07be0f76c
  SHA256: 80074ca72e0f554cb8a2dcd0d6998af2f5e3f4915f7fd7afb3ef085210c9f22c
  SHA512: 6194ae59bdb357279bc16a2abde5f2c548c215496609fea3cbae1e9ac3be5dbbf5e3009436ddd866fbefd50d8612a0a4dfc3109cdb7c121f66e2e33b7b8a62e7
- Filesize: 3.9MB
  MD5: e7d666062e3b9ab2df33f7e5d47e4193
  SHA1: 45ade9ed13efabdf0fd3251e249809421b8cfa20
  SHA256: 744a01db8c79463e2825b8641312febfb3728a2fc431a04ee9c0ccdc42bfaf3b
  SHA512: 4d302f31b423da76e98560f3f173ff2cd067c3cbd9695b26a0974d710b23dac104e80439c89c800a2cb6904b031b8ef57261bf9b82457fda39c98f96a49127cd
- Filesize: 709KB
  MD5: b4496d2224777403415440dfe5f13a86
  SHA1: 5c175589db78cce01a9730eb85e2898bdafe2a5a
  SHA256: d3d8cacad2d64836340d846fe35f30eb06a02131ff64c2fb0fa8071065058548
  SHA512: 0bc9d8844df1fc09815b6226186f095dfe2630b0070999a840a07e458b104d03b2fbb969a56e6d62756fc11e7eecc9d25c3cc4a9a2b7d58ba1d9de1cc60d9158
- Filesize: 15KB
  MD5: e121db542d18a526f078c32fd2583af5
  SHA1: 69e677442ccb6d6fe1d2a3029cf44aac473f5f55
  SHA256: fcaf08c62c974ca0fb7537213a7867ab0f9fb41e52dde118b758b7ea05f63ca2
  SHA512: 9d8c2bd284a624b68a2fafd93445648f69ffd47374f1d3cfd1857d2951bbc2a6cbe971fdb5e10d5f513dbb5188d59ee8e5715c86e3a1bf23e6df7feec960bebe
- Filesize: 742KB
  MD5: 544cd51a596619b78e9b54b70088307d
  SHA1: 4769ddd2dbc1dc44b758964ed0bd231b85880b65
  SHA256: dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
  SHA512: f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82