Resubmissions
09-04-2024 08:32
240409-kfg77aaf85 1009-04-2024 08:32
240409-kfglnaaf84 1009-04-2024 08:32
240409-kffz5aea2y 1009-04-2024 08:32
240409-kffpcsaf79 1011-03-2024 08:03
240311-jxm94afe6y 1010-03-2024 15:15
240310-snee9sfd3y 10Analysis
-
max time kernel
140s -
max time network
301s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
09-04-2024 08:32
General
-
Target
FUCKER.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
quasar
1.4.1
KZ1
77.232.132.25:4999
8892f097-602a-41ca-8df2-0bf3fd113bd2
-
encryption_key
790BD6D1C1540AE1BFB811F2DC1E0185525C5DCB
-
install_name
LestaClient.exe
-
log_directory
LestaLogs
-
reconnect_delay
3000
-
startup_key
Lesta Game Center
-
subdirectory
Lesta
Signatures
-
Detect ZGRat V1 20 IoCs
-
Meduza
Meduza is a crypto wallet and info stealer written in C++.
-
Meduza Stealer payload 1 IoCs
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 1 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 18 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 22 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs net.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\EchoNavigator.exe"C:\Users\Admin\AppData\Local\Temp\Files\EchoNavigator.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -nologo -noprofile -noninteractive -executionpolicy bypass -command .\serverBrowser.ps13⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGCBAFCFIJ.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EGCBAFCFIJ.exe"C:\Users\Admin\AppData\Local\Temp\EGCBAFCFIJ.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\EGCBAFCFIJ.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30006⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\kb^fr_ouverture.exe"C:\Users\Admin\AppData\Local\Temp\Files\kb^fr_ouverture.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 7483⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\control.exe"C:\Users\Admin\AppData\Local\Temp\Files\control.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Files\random.exe"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Wattyl.exe"C:\Users\Admin\AppData\Local\Temp\Files\Wattyl.exe"2⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT /delete /yes4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-3H3I1.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp"C:\Users\Admin\AppData\Local\Temp\is-3H3I1.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp" /SL5="$90226,1495449,832512,C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\servicedrive.exe"C:\Users\Admin\AppData\Local\Temp\Files\servicedrive.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\servicedrive.exe"3⤵
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 30004⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe"C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\TeamFour.exe"C:\Users\Admin\AppData\Local\Temp\Files\TeamFour.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ModelingTextbooks.exe"C:\Users\Admin\AppData\Local\Temp\Files\ModelingTextbooks.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Elder Elder.bat & Elder.bat & exit3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Nvokcuobkn.exe"C:\Users\Admin\AppData\Local\Temp\Files\Nvokcuobkn.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Files\cmon.exe"C:\Users\Admin\AppData\Local\Temp\Files\cmon.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Files\boomlumma.exe"C:\Users\Admin\AppData\Local\Temp\Files\boomlumma.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\current.exe"C:\Users\Admin\AppData\Local\Temp\Files\current.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ffffffffffbbbbb_crypted.exe"C:\Users\Admin\AppData\Local\Temp\Files\ffffffffffbbbbb_crypted.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 7523⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\dais.exe"C:\Users\Admin\AppData\Local\Temp\Files\dais.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\thost.exe"C:\Users\Admin\AppData\Local\Temp\Files\thost.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\mQxBvlTA.exe"C:\Users\Admin\AppData\Local\Temp\Files\mQxBvlTA.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Ljauypuypg.exe"C:\Users\Admin\AppData\Local\Temp\Files\Ljauypuypg.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\net.exe"C:\Users\Admin\AppData\Local\Temp\Files\net.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe"C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 12603⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\2-3-1_2023-12-14_13-35.exe"C:\Users\Admin\AppData\Local\Temp\Files\2-3-1_2023-12-14_13-35.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe"C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\cry.exe"C:\Users\Admin\AppData\Local\Temp\Files\cry.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Crypto.exe"C:\Users\Admin\AppData\Local\Temp\Files\Crypto.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\native.exe"C:\Users\Admin\AppData\Local\Temp\Files\native.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\alex12341.exe"C:\Users\Admin\AppData\Local\Temp\Files\alex12341.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe"C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe"C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe'3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Yellow%20Pages%20Scraper.exe"C:\Users\Admin\AppData\Local\Temp\Files\Yellow%20Pages%20Scraper.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\appdata.exe"C:\Users\Admin\AppData\Local\Temp\Files\appdata.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Props.exe"C:\Users\Admin\AppData\Local\Temp\Files\Props.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe"C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 11163⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe"C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\DemagogicAlewife.exe"C:\Users\Admin\AppData\Local\Temp\Files\DemagogicAlewife.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Nzewxakqtk.exe"C:\Users\Admin\AppData\Local\Temp\Files\Nzewxakqtk.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\swizzyyyy.exe"C:\Users\Admin\AppData\Local\Temp\Files\swizzyyyy.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\amert.exe"C:\Users\Admin\AppData\Local\Temp\Files\amert.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"2⤵
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3fc1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
2KB
MD5f9c40426d3ae3c029d3decd2a245b5ff
SHA1dbb9d2958775b077a719c8226fb4befc73e66d1e
SHA25687538301f3ec0d132aeb234a2f9690f711b740fb7648258dfd60db5a9868f6e5
SHA5127be9ec0f8aba70be99ec826ee907afe955c63fb0348f5ef15655ea72d147cb1964df2a602429d0ddf32c561d1d049c115c3f0879bb37edab517414be52bf5460
-
Filesize
4.2MB
MD543b4b9050e5b237de2d1412de8781f36
SHA1125cd51af3ca81d4c3e517b8405b9afae92b86f2
SHA25697bb5c78c753aa5e39ffc3d4c1058f584d0241e9b19aff20a248f1f159fdca6d
SHA51224e90d5a5d4a06e0d62ff2b5bc91e686f5cdb2e77fb4c31ef3b6a59f62afae9fc6642bb57576c334e46e234d10300a2814cca747cc315b52ea63b0226a6695d3
-
Filesize
106KB
MD5fe380780b5c35bd6d54541791151c2be
SHA17fe3a583cf91474c733f85cebf3c857682e269e1
SHA256b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c
-
Filesize
125KB
MD5581ef78d54af26c5f1e7321929ddf10e
SHA1c368969b4aa6d7124e61229408d6362a4e84168b
SHA25652adeb5afa0f4e92914cb7f65ba44e0283ec44dbac9dc88920850e84f5a5f1fe
SHA5129d42f077853e97f40cdb45d99ecf7b79e6378983e22ffab65463288a0266a6807a78d6bd2af4be9136268b5eed9afbccb1b0d329f91252dcced4778d26684da4
-
Filesize
19KB
MD5b5d2f4e32195be913bf7bb05050616db
SHA1aee9fcd2db09c875f7137c9b1ddd9a8de4ee1daf
SHA2562d14b4668f2d8baf5d7f06fe402f3b68b40bb99fffa660b2b0be289af9dfd8e4
SHA5123af474495f0db89a285ab6bdd0710f9555b020160b76fa6512c81b5e08724e9e7720f56980fa6f1552c4f85e835f05eb3a0adb0f19a11cb83fad0e070f84b2b1
-
Filesize
2.2MB
MD5825d33a659673c01085a56e787a26660
SHA176ff37ab68882bb538ed82ead5a8cfbb209da1ef
SHA2563a6cc772d828a3581880b772e9ec2bdce35ee7204d5bbaaf8a08e278676d96dd
SHA51221050f35fb210e7fa95aea1cf3081549a512276aa1b47c2abdcbf7bbe8102376be60831a2d2abb1e2386312704decf2ce371e33f4398520ddbe7c0af5eb0caef
-
Filesize
4.7MB
MD5ba354d029f0e09cb6b02a4c196524da4
SHA1d8a3c4115cc46bc9a7b5216232c87d1a6471f09d
SHA256e70dcf3f915087251224a7db3850669c000a6da68ef2b55e3e2eda196cb01fc3
SHA512d27e3f6045f2915ed692d36f4152fc4dd7d1e6029e254d8e4fe4ce1d9dc5db8c6cb98cd7fab4c5762d6d2ad4c61dc5179486e70ebca5ce29ac5fc895daba4aed
-
Filesize
9.3MB
MD55df01f9e45f5e3c30a3534a4be701aed
SHA12260bda07a9f49da7cf8fd79a8c9f3ed1e823cff
SHA256be569b1dc8758a791c81d7a4d9d653018e02f1206bc6e18d246a9d4dade25d39
SHA512e20fd9ce0deecb9f0e3c98b590dc0d10f720dcd541c97360cac807efcdea50ee9fec0e40ab3660ca90e0492664d2c12ab9f7ccf56eaedad7f19e253fb3bc1d9b
-
Filesize
797KB
MD5bd15134c5a5187705599dc5958855753
SHA19782f2d27bc52bc0210c26106a78ded7fa98f5e1
SHA2561e71bcb4133949eaa1bead27b4e01f03f7802c6b92f61acbb6b8d7c8faf419d7
SHA512cc5fe526fecfc87cd04110f72c8e26bae786494e0ee7a29a7d241d83f6eb3ee189a85ec05b436c1a2f927ebff185c52737745b9cf04c22afec67a7d24ab386a9
-
Filesize
51KB
MD58647ffb0d889ea1933f7a4e7771094c0
SHA15c20b6cf56287c18566e50b0249e6cd9285f3ca3
SHA2566570e239d47518afaf8baeed1da31b475ec07ee1256e85bd0318d397f40d4e5c
SHA51226c47cf2ceb3a6e7d3d3b7f7d8934d6d769d31d9d279479a141df6ae2057e8b2644e12a225f56e5306529133e1a793b9500e5633732ef586464ea2c8fd43957c
-
Filesize
541KB
MD53b069f3dd741e4360f26cb27cb10320a
SHA16a9503aaf1e297f2696482ddf1bd4605a8710101
SHA256f63bdc068c453e7e22740681a0c280d02745807b1695ce86e5067069beca533e
SHA512bda58c074f7bd5171d7e3188a48cbdc457607ff06045e64a9e8e33fcb6f66f941d75a7bf57eb0ef262491622b4a9936342384237fa61c1add3365d5006c6d0d9
-
Filesize
16.5MB
MD521f57e534a0adc7765d6eeb22ec5bd74
SHA143baaefa89366a2ab42e1ad30fdffcebeb81d00a
SHA2568487b7cbcc6331ce5da7a3f19229813c10801285ed30a8d82e81bf19b1ec385a
SHA51218bc9254f1d15dee4863be12ae862cd46c5c341ef72601500eab1d99d4ed38a34cff33587940f58885f327f8408644c5deb5c86dd274ffec3e0dcf69d1b8a83a
-
Filesize
477KB
MD534e03669773d47d0d8f01be78ae484e4
SHA14b0a7e2af2c28ae191737ba07632ed354d35c978
SHA2562919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572
SHA5128d93fab3c2544d015af2d84f07d3ebbf8acead8bb0185ffb045302b2be19ac12cd2ac59288313bd75bc230768c90e68139c124ea89df943776b1cfaac4876a7f
-
Filesize
351KB
MD5059e591f9dda7d3ee0de23f64d791cb1
SHA155e1be730e1426d00354e994f3596764d40634a6
SHA2569550addd57ac80afc9a177a5e7c9e961892d96593296bac79ec7a6ea65cc12d9
SHA512c67663ee4b68cdee2d834b9ef8e29af6e39926c547efbe02568adb7eb5e37c6a933205592888b0716936635a9e6e60673f12599778a5196e5fdafcfb262af629
-
Filesize
2.7MB
MD52bae8753475af921d7258f9b1e9fccd4
SHA10da0ad8fbea157d468e4ccbf66575808103246f7
SHA2569df4aaa956d54f55f1bb038f3e8f086169983e094ef8432cd71df928a888a2d0
SHA5120a346f1dc1771f4e049d04eda7bfc021120cf3797011f89b3a6e2b5ad2fb6bb88d6218d8c6383d8a98bc9eaef2797a01632e7a2526005b04a5000c2889cdd12d
-
Filesize
3.1MB
MD57b9d9f41d274ddd8fac0544e188ade4a
SHA120050de536fbf27cdbfbdd0671af913e04106363
SHA25650684cb3400e3cd4959c2ccd2dd900a157ef3163179adcf8da15ed5b7b41694b
SHA512c102873fa15ffd776ab17b16cd39d6ac95c8412dc8c4a0c8c28e1579dd0d03f9fa4f4985d419a76cd4853c5769ea4e95a24c4c1a9c61c98b7508d97c13b345af
-
Filesize
11KB
MD52a872ae7aa325dab4fd6f4d2a0a4fa21
SHA1f55588b089b75606b03415c9d887e1bdbb55a0a0
SHA256693fbe27170b14efde45d627cf3e0af36143762d2ef70a52a8402f121f6d6ae4
SHA512fa88a7540f6fea6d487ebc29a8a83cb8e1e2e1d94b5343b0b9aba45741bd3ab5f66b86dbe549eceafaa922a70c360b0ade8d72b22a9fc6bd31a94b8d416ec5e7
-
Filesize
5.3MB
MD5de08b70c1b36bce2c90a34b9e5e61f09
SHA11628635f073c61ad744d406a16d46dfac871c9c2
SHA256432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67
SHA51218a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5
-
Filesize
2.2MB
MD5c4c25694f502a6ebeee98c85731126d4
SHA13596c6d1b06114a9fb29206499af878307446cc5
SHA256e696fceb57c0eb026917377129e99e53cb1a7be745eb7dd51a3fa58ca5b3fb2f
SHA51281877d8132d953cb0d247f4b5e917d84d4791bec3b4c68d25934be3feff8f2f8cc645bf139f9303776b5b6236439ffe72d72840216fe68cdbe40c0a0e2671ac2
-
Filesize
1.5MB
MD50842c1a1d5fe5c7cc934fc5021b0885b
SHA1057cc72a78d78b126fe0fc5f05498ceb9b7da2c6
SHA2562ab767ed95da57611db4f66990f750d981fdabce02b606e6910e2690a2b5acef
SHA512d0d5eae46c621e752b4ffc59aff24b70d6229ddf30239def128ce62a7f77c0e223591dc4a4a8abb84630c7905851dfdcc7b644e45c06991674d287ec98ebae4d
-
Filesize
272KB
MD5f46eb7b82a0ee6ffbd0a48dd120f0802
SHA13241e2cb73acf8c80c12af2864d59ad0a24acc3d
SHA256cf995f855bb296ca2744bf6fbf0e9d01009dcf580c98324a2424893394447e4e
SHA512c2135243ed4b6d516891c81ac7b29914aa42bdd3a34e7902c3c6c072352063a2012c151dcc9a134b344a9c311c3d6857e03bd566d7b79f7baa280ce83c725e02
-
Filesize
464KB
MD544f814be76122897ef325f8938f8e4cf
SHA15f338e940d1ee1fa89523d13a0b289912e396d23
SHA2562899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6
SHA512daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79
-
Filesize
1.7MB
MD5c02b1b28775aa757d008b2b0e52a4943
SHA1f5c12fa0eddb3a4127bd0866714bdcf10a7abead
SHA256eb71c75ad9fa6aba6e8b793948a96029a190b612bb289c780621757d90c08577
SHA51258ae35c802ef81da05e9aeef0f16e9b27d6391e9dffb8aa77ea8406497201766d9fd7834d40a167485f452f57b51066988afc344c733129d1e4fad78b8dcf1c5
-
Filesize
65KB
MD57442c154565f1956d409092ede9cc310
SHA1c72f9c99ea56c8fb269b4d6b3507b67e80269c2d
SHA25695086ac060ffe6933ac04a6aa289b1c7d321f14380315e24ba0d6c4adfa0842b
SHA5122bf96828534bcdf71e48d1948b989011d8e3ba757c38cc17905a13d3021ea5deb57e2c68d79507a6acbb62be009cfc85b24d14543958dba1d3bc3e4ca7d4f844
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
3.0MB
MD525a216e64ef305c97444182fb2440316
SHA15b2d808def3398b73d0085b6a4a7ceccf960b014
SHA256033382ec20598a624f624aa427168b1415786fe1d4e6848ed579e5728e7f67be
SHA512713218496b28ff397ec6ea908a99318040672fcfcd10637918dfc3ca85ef6fd591e67599aa24095a23278fde795dbcee022fa27f73a58ee192d615be65541f42
-
Filesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
Filesize
41KB
MD50f38a17bbaa7b6f75f51c671be981097
SHA1ee95e5225cfb623b6ddd58902bf72504993e2030
SHA25603f4d293b34e18f429d34282179a04a705d448f3b88b88982486997f6cd51f39
SHA512429100ae213ea857fa3fefea7b512bb616219f76cf2a55a4735776650806d42582ff886cd4779a1406d2bc9d0f514c93e40c3d12d9e764ffa8b880067bd704a2
-
Filesize
18KB
MD56990a376736feafb4de6bcaf112d2b80
SHA1324a2f51351beb01b6157e57f5dcfe75a49bc134
SHA256fc636b5481df443931ce2b815ad291b673081834c98660e7ac836bf87edcf154
SHA512744e85aedec1b86e2da44e41f3ec89744710101f5f2f1cf9db511d12e5af2cb7f917f6bb4a055d54346c22e06f95ea487abfe80cfad1009169da392fd3ee40d7
-
Filesize
18KB
MD515980c8fba2997a8d6c3551f92217600
SHA1a4374969850e1089a1cc6f264a92fbf6b36a9c3f
SHA256bd43410c1abb46d9528e258746fc37bd2b37bcb05d4026253a51674b1d60772c
SHA5127e7e5f97e6773c1e4a91f5f4b1c951ac940dcf70d2112e61adb36ff2b1de2a6f452f5ad422cd523e3091b5827dc599b40ab2f7b0c50905f4d66e157802d4db07
-
Filesize
17KB
MD5ba6b6d39b4bab98af8cf84b6a3ffb075
SHA10e570b8acf4446f146e47050f96bd1ba3dbe1d5e
SHA2566a8a464af76e40fb8ff67eafc7849ba67dc0e9099524a6ed7d3264b7aa1602cb
SHA51269d39b9980bd73a3caab579b700ac3c2464c5480135a335948025982b72f3da83983f3411ff568fc43c7e2f5f2f15f291371cdfe3b60d6d182f7457a21042688
-
Filesize
17KB
MD595a4eda49d88cf21d18e73361666fb8e
SHA1c53178d492c1670098773e59b2cdc256ce5c0cf0
SHA2569d4f81b99cc58e3982506016c0bec57e6a52accf73ee94abe1813d5a74642f50
SHA5127113d095a846315873fbfd9b6cb4758d08be03656c4942f79148de3a834213de8f66996412aa603342f4d032351260c27e666546a2dbcd618ac38be9a67ff281
-
Filesize
141KB
MD5e7cfc403f37bbe1ef81cef47bc01036d
SHA1672a8711a1d6dc6ab38b48d88f3f2a671c3f378a
SHA25611e415ef1484c25ac6fea93c8f13d1429a0061a8ca692d0697afe01211f2ab35
SHA5127a06890aedd7a4cb7df4f8b411ac0eeb03cceb8faea2084575a265c76cf7377ba6f17af494fe9035c97a211528ddb2fa02ed28f6d277d59928ab571893a2da9b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
106KB
MD54585a96cc4eef6aafd5e27ea09147dc6
SHA1489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286
-
Filesize
120KB
MD59b344f8d7ce5b57e397a475847cc5f66
SHA1aff1ccc2608da022ecc8d0aba65d304fe74cdf71
SHA256b1214d7b7efd9d4b0f465ec3463512a1cbc5f59686267030f072e6ce4b2a95cf
SHA5122b0d9e1b550bf108fa842324ab26555f2a224aefff517fdb16df85693e05adaf0d77ebe49382848f1ec68dc9b5ae75027a62c33721e42a1566274d1a2b1baa41
-
Filesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
5.5MB
MD5e2bd5ae53427f193b42d64b8e9bf1943
SHA17c317aad8e2b24c08d3b8b3fba16dd537411727f
SHA256c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400
SHA512ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
9.3MB
-
Filesize
72KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
3.1MB
-
Filesize
41.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
248KB
-
Filesize
72KB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
6.9MB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
1.8MB
-
Filesize
3.3MB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
5.2MB
-
Filesize
592KB
-
Filesize
136KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
5.0MB
-
Filesize
472KB
-
Filesize
300KB
-
Filesize
112KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
41.1MB
-
Filesize
1024KB
-
Filesize
156KB
-
Filesize
41.1MB
-
Filesize
41.1MB
-
Filesize
972KB
-
Filesize
864KB
-
Filesize
864KB
-
Filesize
864KB
-
Filesize
564KB