Analysis
-
max time kernel
86s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
08-03-2024 19:26
General
-
Target
https://cdn.discordapp.com/attachments/1149469239963562126/1179827307142197278/H.UNBAN.rar?ex=65fc65ce&is=65e9f0ce&hm=25656e5edaecf764bb1819fa455683eccc742089880b3aa5d5b45fef24f0e52d&
Malware Config
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Nirsoft 1 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 20 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry 3 TTPs 48 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 20 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1149469239963562126/1179827307142197278/H.UNBAN.rar?ex=65fc65ce&is=65e9f0ce&hm=25656e5edaecf764bb1819fa455683eccc742089880b3aa5d5b45fef24f0e52d&1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe08dc46f8,0x7ffe08dc4708,0x7ffe08dc47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5408 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\H.UNBAN\" -ad -an -ai#7zMap15510:76:7zEvent26781⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\H.UNBAN\hassoon\activate.bat" "1⤵
-
C:\Windows\System32\findstr.exefindstr /rxc:".*" "activate.bat"2⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE"C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE"C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\devcon.exe"C:\Users\Admin\Downloads\H.UNBAN\hassoon\devcon.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\devcon.exe"C:\Users\Admin\Downloads\H.UNBAN\hassoon\devcon.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DeviceCleanupCmd.exe"C:\Users\Admin\Downloads\H.UNBAN\hassoon\DeviceCleanupCmd.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\H.UNBAN\hassoon\Taskkill_clean.bat" "1⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat_Setup.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicWebHelper.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEService_x64.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exesc stop BEService2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop EasyAntiCheat2⤵
- Launches sc.exe
-
C:\Windows\system32\PING.EXEping www.google.com -n 12⤵
- Runs ping.exe
-
C:\Windows\system32\find.exefind "Reply"2⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /va /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /va /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /va /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Identifiers" /va /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Hardware Survey" /va /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games" /f2⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" /v "ComputerName" /t REG_SZ /d 2451 /f2⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v "ComputerName" /t REG_SZ /d 8848 /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f2⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\Volumeid64.exe"C:\Users\Admin\Downloads\H.UNBAN\hassoon\Volumeid64.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\H.UNBAN\hassoon\woofr.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tzautoupdate" /v Start /t reg_dword /d 4 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" /v Type /t reg_sz /d NoSync /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t reg_dword /d 0 /f2⤵
-
C:\Windows\system32\choice.exeCHOICE /C 123 /M "Enter your choice:"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get serialnumber2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "Spoofer.bat"2⤵
-
C:\Windows\system32\PING.EXEping www.google.com -n 13⤵
- Runs ping.exe
-
C:\Windows\system32\find.exefind "="3⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat_Setup.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicWebHelper.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEService_x64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_BE.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping_EAC.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exesc stop BEService3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop EasyAntiCheat3⤵
- Launches sc.exe
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "SWD\MS*" /use_wildcard3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DeviceCleanupCmd.exeDeviceCleanupCmd.exe * -s3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DriveCleanup.exeDriveCleanup.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "C:\"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "F:\"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "C:\"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "Disk drive*" /use_wildcard3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "Disk"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "disk"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "Disk&*" /use_wildcard3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "USBSTOR*" /use_wildcard3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "SCSI\Disk*" /use_wildcard3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "STORAGE*" /use_wildcard3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "Motherboard*" /use_wildcard3⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "Volume*" /use_wildcard3⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "Microsoft*" /use_wildcard3⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "System*" /use_wildcard3⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "ACPI\*" /use_wildcard3⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "Remote*" /use_wildcard3⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeDevManView.exe /uninstall "Standard*" /use_wildcard3⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXEAMIDEWINx64.EXE /SU AUTO3⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXEAMIDEWINx64.EXE /BS 2507277313889267243⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXEAMIDEWINx64.EXE /CS 296551409231918323063⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXEAMIDEWINx64.EXE /SS 1686081741777994463⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXEAMIDEWINx64.EXE /PSN 104881592316415173303⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXEAMIDEWINx64.EXE /IVN 2928531160108593803⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXEAMIDEWINx64.EXE /IV 18754127221292166893⤵
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\PING.EXEPING localhost -n 153⤵
- Runs ping.exe
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get serialnumber3⤵
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\devcon.exedevcon rescan3⤵
-
C:\Windows\system32\PING.EXEping www.google.com -n 13⤵
- Runs ping.exe
-
C:\Windows\system32\find.exefind "="3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "MAC_change.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid5⤵
-
C:\Windows\system32\findstr.exefindstr [0-9]5⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\014⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00014⤵
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 067E41BCDB35 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid5⤵
-
C:\Windows\system32\findstr.exefindstr [0-9]5⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\014⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00014⤵
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv5⤵
-
C:\Windows\system32\netsh.exenetsh interface set interface name="Ethernet" disable4⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3d4 0x2f41⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD547b2c6613360b818825d076d14c051f7
SHA17df7304568313a06540f490bf3305cb89bc03e5c
SHA25647a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA51208d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5e0811105475d528ab174dfdb69f935f3
SHA1dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA5128374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD56163b0fa2d4ff6d705b9fea8ebcf4adc
SHA1aa7c018318e76d1bffcd711142c1f3b6f74959b3
SHA256b366a67c1a98b53698a1fd36c2f4127bd8da12ff8fcc504e8a7f8cfde6b8c83f
SHA5126f3194ab8c92229cca1b79c0c8d26db296798c44eb72c708ac1b347ede5d42a92614a51fbf950a94b42340083faad96b2444fc4df9b7f2c8f95c8124c3ae648b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5365c64268d9fab36de5a116b253332bf
SHA17bee9eb7e3e338d768551626ea6c6691440f0c0c
SHA256f58c90592de3eb71e15b11984ac5f52829406e34987794c93f37b2ab2b0d2219
SHA512e69d56d7cbacfa7e2b61987de69e0edf2d1bb2c266e631cfbaf58212b3a16af69c0de15da12850cf678202536b5df774b1be5871506069c5e20b95f85b197d1d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5cb849447fb6a531ac79ba9c9f0d9cc4b
SHA115be358a435c6e3948111c3f564ac5b2f276f55e
SHA256d62cfc577d595cdb546651848c51a519c908a50b17dd544fcddc9ab3b2fd4a32
SHA512abf4e9b2b947b8c2d345996ba0b0c4f011cd6fdbbbfdb55190eccecd65e39857f2e82e9ed4418679568026f324d9dd6af1f4f8b56c5a0f2677855f7c7a425cd8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD59e89acc9a04a2c40727c18cfc10195c7
SHA1860cbb87d5d3fa5c44c7cf4df48b2755f8747070
SHA2564efe6f784c1eae8321ee81be82de06eb40be44e47fd0da62be35888d614d97a2
SHA512886de5983d898e96af8eedc2e3fca83be3e8c8c831e8029ba7461e79d3fb7db44634e2479fa2b25e549329acd4030a11c60309d4c84b15efdbd28af6cf0f51b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5e5e615d3e470581f7b365a5b2c05ff37
SHA19c97fa79fb354eb3f4c87e527aebf35098b5709d
SHA256613431ce766de22fd0be8ab30d62766536f40d88eba415e3420df9370f80ba12
SHA51217efe8611b8aa35978075287d8c3c1b0661740d506bb942ca2e337f9794e2f861ce105fd242a23e9aa467abeb7de0b76ce9302d9fd1fbe8447fc336e18314aab
-
C:\Users\Admin\Downloads\H.UNBAN.rarFilesize
1.4MB
MD52cb4bd68a80f76e8f52291ea89fd102e
SHA1f5de6e6b1f03e4578c2abb83809ce4df359b5bf7
SHA256f104186d24b5a10262a656778faf81cd17c13f43f29b9bc51a98fffc587a95c9
SHA51246a8c21ae490b5670b3daad1a397e207cd46983e03384bd1e6734e522205c8335f029cd9879af5318922bcebf1b260a94428e66e4b1c9131d8657b306fe2e3d1
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXEFilesize
451KB
MD5f17ecf761e70feb98c7f628857eedfe7
SHA1b2c1263c641bdaee8266a05a0afbb455e29e240d
SHA256311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf
SHA512e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exeFilesize
163KB
MD5d22ceb6b43f721fe4e892fea6c8990e6
SHA13ad25b431280a0056579aeaacdf687bd8c3aa901
SHA2569abdc7cdc19548ada451aee6caabe296957c050062991892e7d9787ff6e0bdef
SHA5128c37d941c108172340697887529f3fdc430cdee31d1ff7501d4da7fa21183e8f02832651a99daa30908820b935798ae85e046374e70c1ea4802763edbe47ebc1
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DeviceCleanupCmd.exeFilesize
47KB
MD58eae1aec5f34e4a8e04a60075bcfb0f8
SHA1a9af1c4eb6fb61a17a813b3bc788fce10c920007
SHA2565ad34a00b0e6d471e4e0684f9ac996aa82cf837735053de0da72c1137c18115d
SHA512a7ff2c81eb0cd757885bf767a1dcaef6681180cdabe0d477c680bef77312c25f102964931e8d3708d85cbca92a02b00eb0e35203a25b0ce4a16712e455fc68ff
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DriveCleanup.exeFilesize
52KB
MD5e7d7c120c21de434eb123392b515edd7
SHA1bc54596c75064dd02ec95987075c0cc896cfbc73
SHA256dfd1f048cf9eefe96a1266139d3683de86ed25346300a0392eb5b2c10f4c78d1
SHA512a7c4e493f2aa08aec76ed0797664d9e2ae0f7d263f53d459b5561f0cec7f8d79ea309beac3c8c15638afd3027368da78497660e6b14794619719bdb377186148
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\MAC_change.batFilesize
1KB
MD5707c798832f76eb383a0501b2773ec32
SHA13ebd0413af9929109ea0eb0045a2d26a256e771f
SHA256940f3e68e62ad73c0668e854d821d88eacc8ea8fb8e130e42a34368ae9f5852e
SHA51213e92ef958cfcc5686a2886b4a011f2287ec261028db0c6816d738eb715490d69ca37f8232e7bb3bebd5d49ce65bf4b9f55ae12d4af056bf569e5a1dba2f3da9
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\Spoofer.batFilesize
3KB
MD5f0b3b45759aca115f31f2aa16a942b6d
SHA15b0dbbfee935549167f2c89bdf8877ec61fb403d
SHA25648ecb46f509169a6ab5a4c967fa8d9955b026478f3ab124c494b4eca1f79078b
SHA5124f2a480c531385da8bf761ebc6c82b82ba9e293e770558c353b931009ba9bf57af184bb5b8de3df23fb1e707c06d431e0ada447c92b04214f5d6c92b3173089d
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\Taskkill_clean.batFilesize
5KB
MD56393a0289b9433f86d7662aed91d5530
SHA171ccdaa7bc095221413dbe0ecdf6b91cee266f9c
SHA256acfdb643c84ba2c9f95eb5e19690f3167a435b6500ca7d1abfc31b69a292e468
SHA512f657c7dd117100b223d79f644e0dc19ead310bfb17cc7bbde218029792df3013a041c1aaaa82e20b51b5afcdee3db05a0925cd819d991f3872263f24b5065569
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\Volumeid64.exeFilesize
165KB
MD581a45f1a91448313b76d2e6d5308aa7a
SHA10d615343d5de03da03bce52e11b233093b404083
SHA256fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
SHA512675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\activate.batFilesize
48KB
MD57247693f4236683d94e7d5b867f69972
SHA16a290acb81301bf84b39558cb1abd84e196dc8fe
SHA256477d70fbb9351a6aeea658c73ef35a4a53e09cb671d7b759e116a450239eaa87
SHA512f8cbcfc1c5bad08bd99a27fdf2a643c846b82eef600da63e6279026d68e3c31b8ade9e5ee2faf6ba029874c05c6357f4514b2faf49b6ea3208e1b708374e9d64
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\amifldrv64.sysFilesize
29KB
MD5f22740ba54a400fd2be7690bb204aa08
SHA15812387783d61c6ab5702213bb968590a18065e3
SHA25665c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9
SHA512ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\devcon.exeFilesize
80KB
MD5d153a0bc6f0476457b56fc38795dea01
SHA1eb3c25afab996b84c52619c6f676d0663c241e01
SHA256df048df347a738b6addec6f3fd65c73e371d0e11e2dc02f88f8ef307b964e1b7
SHA5126322d98b356cfa9a4bc8559959de01cdd4d9c038a9d0d506d2211d9e329c6b938f5bccb5459217a4c471cf200287bdbf7068393ce6f69b37a103e5ae6e758414
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\doh.txtFilesize
117B
MD5a627a5d62c1262e703458c27e542d4af
SHA1354d900ca41e86e593c0706df4667b1db7da4c0b
SHA2562d3a93ac80bad2c26b372ce26ff2877b6c877cce76cf8b97304717881d73dedd
SHA51207ca857337c04364128c0ad4fc10b629c0352da2a52e1a064b5657586a844957b4383289596eb92396ca40fda82b80202a41107e4f3edcc3916822983fe053a8
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\woofr.batFilesize
3KB
MD50c3caee233fca2588514c1af719fa577
SHA10c3436441e3c9e42e5aeb112143a20d14655dbf4
SHA2569c8d13731f3d75c8762e188a6980f72580fdba7109e7db22cf3bd300dd6c88fa
SHA5129dfc9c9c6cac8f1651168d60d8acf5b8850ea60f65fa86b29ee455498ae9dc7547461b6f1006b89fa7ce5afabe1aaaedfdad923fb8b4c7c3c566d46de2d2a26f
-
\??\pipe\LOCAL\crashpad_1708_OJWIROKEWAAONCYLMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e