blackmoon | ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c

Analysis

max time kernel
134s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe
Size

1.1MB
MD5

ad42d7bc215d988b8bf99ef77bd45b32
SHA1

0e8f5841044f9d80b4a821dbfbea46597a560982
SHA256

ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c
SHA512

8e800d46f7557032c287b291f925d8f7e719ec8727ad79eb01a2d4310264b3e40f888fae3898bbcd17bdd82cf7686c390342a1ad71a32fe4691cf788f12b1c71
SSDEEP

24576:MJr8tE+GZeFW4zyw0CxHqiGOw0CN4zpaVXcpd6CBiC:MJ4UA3LPes

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 10 IoCs

resource	yara_rule
behavioral2/files/0x000800000002338b-75.dat	family_blackmoon
behavioral2/files/0x0008000000023389-74.dat	family_blackmoon
behavioral2/files/0x000800000002338f-79.dat	family_blackmoon
behavioral2/files/0x0008000000023393-81.dat	family_blackmoon
behavioral2/files/0x0008000000023396-90.dat	family_blackmoon
behavioral2/files/0x0008000000023397-91.dat	family_blackmoon
behavioral2/files/0x000800000002338e-78.dat	family_blackmoon
behavioral2/files/0x000700000002358c-97.dat	family_blackmoon
behavioral2/files/0x000700000002358e-99.dat	family_blackmoon
behavioral2/files/0x000700000002358f-101.dat	family_blackmoon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	wscriptandroid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe

Executes dropped EXE 50 IoCs

pid	Process
3264	wscriptandroid.exe
1416	rundll32android.exe
4968	rundll32android.exe
2976	rundll32android.exe
2704	rundll32android.exe
1732	rundll32android.exe
2608	rundll32android.exe
4796	rundll32android.exe
3248	rundll32android.exe
3876	rundll32android.exe
2284	rundll32android.exe
1340	rundll32android.exe
448	rundll32android.exe
5012	chxt.exe
1936	dlsy.exe
4336	jyss.exe
4364	ltss.exe
2008	pmmsk.exe
4916	pmpy.exe
4768	pmrh.exe
4644	pmss.exe
1048	pmsxx.exe
3268	tjpt.exe
3204	xhdd.exe
1256	xhgt.exe
1424	rundll32android.exe
2820	rundll32android.exe
4428	rundll32android.exe
3068	rundll32android.exe
1128	rundll32android.exe
1960	rundll32android.exe
1112	rundll32android.exe
4048	rundll32android.exe
4124	rundll32android.exe
1600	rundll32android.exe
5020	rundll32android.exe
1288	rundll32android.exe
3676	rundll32android.exe
2792	rundll32android.exe
1580	rundll32android.exe
3616	rundll32android.exe
3880	rundll32android.exe
4500	rundll32android.exe
3056	rundll32android.exe
4052	rundll32android.exe
4504	rundll32android.exe
3772	rundll32android.exe
3672	rundll32android.exe
5140	rundll32android.exe
5164	rundll32android.exe

Loads dropped DLL 47 IoCs

pid	Process
1416	rundll32android.exe
4968	rundll32android.exe
2976	rundll32android.exe
2704	rundll32android.exe
1732	rundll32android.exe
2608	rundll32android.exe
4796	rundll32android.exe
3248	rundll32android.exe
3876	rundll32android.exe
2284	rundll32android.exe
1340	rundll32android.exe
448	rundll32android.exe
2688	rundll32.exe
2708	rundll32.exe
4564	rundll32.exe
2952	rundll32.exe
2148	rundll32.exe
1368	rundll32.exe
1424	rundll32android.exe
2820	rundll32android.exe
4428	rundll32android.exe
3068	rundll32android.exe
4436	rundll32.exe
1128	rundll32android.exe
4712	rundll32.exe
1960	rundll32android.exe
1112	rundll32android.exe
4560	rundll32.exe
4048	rundll32android.exe
404	rundll32.exe
4124	rundll32android.exe
1600	rundll32android.exe
5020	rundll32android.exe
1288	rundll32android.exe
3676	rundll32android.exe
2792	rundll32android.exe
1580	rundll32android.exe
3616	rundll32android.exe
3880	rundll32android.exe
4500	rundll32android.exe
3056	rundll32android.exe
4052	rundll32android.exe
4504	rundll32android.exe
3772	rundll32android.exe
3672	rundll32android.exe
5140	rundll32android.exe
5164	rundll32android.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3264	wscriptandroid.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2924	AUDIODG.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 3264	4372	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe	89
PID 4372 wrote to memory of 3264	4372	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe	89
PID 4372 wrote to memory of 3264	4372	ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe	89
PID 3264 wrote to memory of 1416	3264	wscriptandroid.exe	92
PID 3264 wrote to memory of 1416	3264	wscriptandroid.exe	92
PID 3264 wrote to memory of 1416	3264	wscriptandroid.exe	92
PID 3264 wrote to memory of 4968	3264	wscriptandroid.exe	93
PID 3264 wrote to memory of 4968	3264	wscriptandroid.exe	93
PID 3264 wrote to memory of 4968	3264	wscriptandroid.exe	93
PID 3264 wrote to memory of 2976	3264	wscriptandroid.exe	94
PID 3264 wrote to memory of 2976	3264	wscriptandroid.exe	94
PID 3264 wrote to memory of 2976	3264	wscriptandroid.exe	94
PID 3264 wrote to memory of 2704	3264	wscriptandroid.exe	95
PID 3264 wrote to memory of 2704	3264	wscriptandroid.exe	95
PID 3264 wrote to memory of 2704	3264	wscriptandroid.exe	95
PID 3264 wrote to memory of 1732	3264	wscriptandroid.exe	96
PID 3264 wrote to memory of 1732	3264	wscriptandroid.exe	96
PID 3264 wrote to memory of 1732	3264	wscriptandroid.exe	96
PID 3264 wrote to memory of 2608	3264	wscriptandroid.exe	97
PID 3264 wrote to memory of 2608	3264	wscriptandroid.exe	97
PID 3264 wrote to memory of 2608	3264	wscriptandroid.exe	97
PID 3264 wrote to memory of 4796	3264	wscriptandroid.exe	99
PID 3264 wrote to memory of 4796	3264	wscriptandroid.exe	99
PID 3264 wrote to memory of 4796	3264	wscriptandroid.exe	99
PID 3264 wrote to memory of 3248	3264	wscriptandroid.exe	100
PID 3264 wrote to memory of 3248	3264	wscriptandroid.exe	100
PID 3264 wrote to memory of 3248	3264	wscriptandroid.exe	100
PID 3264 wrote to memory of 3876	3264	wscriptandroid.exe	101
PID 3264 wrote to memory of 3876	3264	wscriptandroid.exe	101
PID 3264 wrote to memory of 3876	3264	wscriptandroid.exe	101
PID 3264 wrote to memory of 2284	3264	wscriptandroid.exe	102
PID 3264 wrote to memory of 2284	3264	wscriptandroid.exe	102
PID 3264 wrote to memory of 2284	3264	wscriptandroid.exe	102
PID 3264 wrote to memory of 1340	3264	wscriptandroid.exe	103
PID 3264 wrote to memory of 1340	3264	wscriptandroid.exe	103
PID 3264 wrote to memory of 1340	3264	wscriptandroid.exe	103
PID 3264 wrote to memory of 448	3264	wscriptandroid.exe	104
PID 3264 wrote to memory of 448	3264	wscriptandroid.exe	104
PID 3264 wrote to memory of 448	3264	wscriptandroid.exe	104
PID 3264 wrote to memory of 5012	3264	wscriptandroid.exe	105
PID 3264 wrote to memory of 5012	3264	wscriptandroid.exe	105
PID 3264 wrote to memory of 5012	3264	wscriptandroid.exe	105
PID 3264 wrote to memory of 1936	3264	wscriptandroid.exe	106
PID 3264 wrote to memory of 1936	3264	wscriptandroid.exe	106
PID 3264 wrote to memory of 1936	3264	wscriptandroid.exe	106
PID 3264 wrote to memory of 4336	3264	wscriptandroid.exe	108
PID 3264 wrote to memory of 4336	3264	wscriptandroid.exe	108
PID 3264 wrote to memory of 4336	3264	wscriptandroid.exe	108
PID 3264 wrote to memory of 4364	3264	wscriptandroid.exe	109
PID 3264 wrote to memory of 4364	3264	wscriptandroid.exe	109
PID 3264 wrote to memory of 4364	3264	wscriptandroid.exe	109
PID 3264 wrote to memory of 2008	3264	wscriptandroid.exe	112
PID 3264 wrote to memory of 2008	3264	wscriptandroid.exe	112
PID 3264 wrote to memory of 2008	3264	wscriptandroid.exe	112
PID 3264 wrote to memory of 4916	3264	wscriptandroid.exe	114
PID 3264 wrote to memory of 4916	3264	wscriptandroid.exe	114
PID 3264 wrote to memory of 4916	3264	wscriptandroid.exe	114
PID 3264 wrote to memory of 4768	3264	wscriptandroid.exe	117
PID 3264 wrote to memory of 4768	3264	wscriptandroid.exe	117
PID 3264 wrote to memory of 4768	3264	wscriptandroid.exe	117
PID 1936 wrote to memory of 2688	1936	dlsy.exe	116
PID 1936 wrote to memory of 2688	1936	dlsy.exe	116
PID 1936 wrote to memory of 2688	1936	dlsy.exe	116
PID 4336 wrote to memory of 2708	4336	jyss.exe	118

C:\Users\Admin\AppData\Local\Temp\ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe
"C:\Users\Admin\AppData\Local\Temp\ec496f1f26f8a345a685296006d64696d41895848c499c831f30e7b370a7584c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\wscriptandroid.exe
  "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\wscriptandroid.exe" 3.vbs
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadSound1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1416
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadColor
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4968
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadCopyCur
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadDrawError
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadEllipse
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1732
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadGray
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadMoveDesk
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4796
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadSquare
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3248
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadStretch
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3876
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadTriangle
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2284
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadTunnel
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1340
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" lframe32.dll,payloadWave
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:448
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\chxt.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\chxt.exe"
    3⤵
    - Executes dropped EXE
    PID:5012
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\dlsy.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\dlsy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\AdvPL.dll,payload 8
      4⤵
      Loads dropped DLL
      PID:2688
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\jyss.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\jyss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\AdvPL.dll,payload 9
      4⤵
      Loads dropped DLL
      PID:2708
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\ltss.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\ltss.exe"
    3⤵
    - Executes dropped EXE
    PID:4364
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\AdvPL.dll,payload 2
      4⤵
      Loads dropped DLL
      PID:2148
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmmsk.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmmsk.exe"
    3⤵
    - Executes dropped EXE
    PID:2008
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\AdvPL.dll,payload 3
      4⤵
      Loads dropped DLL
      PID:4564
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmpy.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmpy.exe"
    3⤵
    - Executes dropped EXE
    PID:4916
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\AdvPL.dll,payload 4
      4⤵
      Loads dropped DLL
      PID:2952
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmrh.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmrh.exe"
    3⤵
    - Executes dropped EXE
    PID:4768
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmss.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmss.exe"
    3⤵
    - Executes dropped EXE
    PID:4644
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\AdvPL.dll,payload 1
      4⤵
      Loads dropped DLL
      PID:1368
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmsxx.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmsxx.exe"
    3⤵
    - Executes dropped EXE
    PID:1048
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\AdvPL.dll,payload 10
      4⤵
      Loads dropped DLL
      PID:4436
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\tjpt.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\tjpt.exe"
    3⤵
    - Executes dropped EXE
    PID:3268
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\AdvPL.dll,payload 5
      4⤵
      Loads dropped DLL
      PID:4712
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\xhdd.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\xhdd.exe"
    3⤵
    - Executes dropped EXE
    PID:3204
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\AdvPL.dll,payload 7
      4⤵
      Loads dropped DLL
      PID:404
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\xhgt.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\xhgt.exe"
    3⤵
    - Executes dropped EXE
    PID:1256
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\AdvPL.dll,payload 6
      4⤵
      Loads dropped DLL
      PID:4560
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadFault
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1424
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadGlitches
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadGlitchdick
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4428
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadCircling
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3068
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadCirclingColor
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadMelt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadIcon
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadFireworks
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4048
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadFireworksIco
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4124
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadFlashbang
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1600
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadReverse
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5020
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadCircular
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1288
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadColours
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3676
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadTunnel
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadCopyCur
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadWave
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3616
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadDrawLine
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3880
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadFlower
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadJelly
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3056
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadRedraw
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4052
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadStartAddress
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4504
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadTunnelcircling
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3772
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadGrass
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3672
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadPuzzle
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5140
- - C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe" SCEMLKG.dll,payloadScreenp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:1624

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3fc 0x4dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdvPL.dll

Filesize
97KB

MD5
e5a7cbb094c291d435a87a14768f383f

SHA1
c2ef445a71f68bcd4c4d6e3cf7b8ba2e3be4738a

SHA256
733016a7438480b16859a60ba5ebf83eb2f864a5665a558e1269b95eda122be4

SHA512
8ce34280856a90e5a60aecb3fd17b8a4bfb2ee348a35de37ca5bab969d2da69e5d4ca582b5e156d8b113d2ad2d1167b7c152e08d75675df77a73bde0d9d8e71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\3.vbs

Filesize
5KB

MD5
7b5fe664d51a76e79fecb7d211fc8904

SHA1
78c2255d7fff268ebe11740b9568499186acb32b

SHA256
1d294d2d2cf0c4ee8c844d548b1eae098b140fd6628b322662d15738d1cc59ad

SHA512
f526835803c2ee354817ef540137feb3f7a31ab938c6594b4b2b031af24b3229b9253f3c9389932686eccf75b0f9fe1a3d6c4710d91f373fbe700a6fadece5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\SCEMLKG.dll

Filesize
110KB

MD5
48ba185852c5c2ece25a871ed06e1132

SHA1
68cd4226e1bef85792e4a6b821382756f72d1846

SHA256
9a159ea83a6842807223d836eda601ba71938872e481aca6f004a11a2ce09176

SHA512
00af079d6485f3eaadcfb1ace8446bcca880d9d63bda51711c5ca8d7957cfcc2e0a1c9667fe555e50057ad777d6cba42b8be63218e762114c96a2e905ccf6979

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\chxt.exe

Filesize
75KB

MD5
170dc4584d22f2ec5583f239b4b79c0e

SHA1
55f5bfe000050e45d110f8e17a2c3c0f554c7484

SHA256
c0381273b45137e8a1aae2795a68c84cb9d661ebda18afa10dd5a10d3827a499

SHA512
ab699a681c14bd4a691613c77c588d01a484c6516b8f0b16cb7caa85bc455b5801383efd01c6c87b4d357f2e681576634efe115efc98cbd430eef66557a3129a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\dlsy.exe

Filesize
113KB

MD5
ed4eb30cf0b298cce1fce3fbc2787c4b

SHA1
bc9e8f03500d802588b4634a267befe019d55bcc

SHA256
6e65755e26d854fd86fa5e0c7070b20363dc1f8b1c819b7bbc3f19d674442be9

SHA512
9089bd1cb8ff49ca9df66b814c1745bc604128249c51653122b6fc3de89486e2f38bd52e016039c27b4869c30909edbfe68c68db9363867b53cce0804dbe4f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\jyss.exe

Filesize
113KB

MD5
081ec9ec241a71349d2be4fe0789420e

SHA1
236ffe4870842cbd7de60a7cc3471146fb4a1a80

SHA256
9c4c15b124cff253572165faf29340f35e1b011b7065ff0090ac29688e42b835

SHA512
b35c40660b2ea1d8c675b6d693e5455ea4184bb50b6bdd1053c4c284c541bfb4dc6def1626712a07c5fb8d4b319019ad496fcd5b55ce08b59898744fa75f1e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\lframe32.dll

Filesize
104KB

MD5
cea881999b654dd37b181c96b471986c

SHA1
329eda71abd3981a54fdf1c6b090f35de3f050aa

SHA256
ee60b78b92c179038c72c8b2c7c38a52e2cab8c3c1e7d96d49b62dffdf96ab7a

SHA512
c9d35a802d5be5ef3005eb5a75f5cba06b3b5ee8524a80f070c4b56f729008a43e6a7a76460dacf5a461fbab0e74eb33157b60bef2e8b1afc7a981bc9f839b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\ltss.exe

Filesize
113KB

MD5
e6e04903d25451ed140e5ecb3bc18c01

SHA1
57dc61799d4cc0812fd1adb58354fb77d35c143d

SHA256
da6f359cfe66e1dcdd67329916e25d3171d4053cf503597f8dc59b854a4b5b57

SHA512
cecc7d577e6d12687bbef5fffdd57a3cd210d31103c6d6eb1dac4da38d5ae656bad48b6bcffcc6a1c0a24b613578a6960d2a2a00605ce5ce4cc364d800d7eb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmmsk.exe

Filesize
113KB

MD5
a9c9bb148946b21b9050af0a0c552adb

SHA1
a88bd7f621a5cf318e58ad23774df35dcf00b641

SHA256
e0a395483ab641ed3babcb6c2643431f511cdbd0d19c486090b850b039e61064

SHA512
d50dbaf99a13d3f0c708a692ae03c4d8fffc6a175ccf242d8032f3b19ef76b567dfc9b7b6dd8105bc7b07bfca79a9749fbe57161b8ea874db595a27edaa80507

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmpy.exe

Filesize
113KB

MD5
3bb6a28f2528ad6d4f1e4a2667a0b70f

SHA1
09a11dc35aeab0527d78a34f14114e8bf0d8034c

SHA256
aad6f855f1f8045d8b396f15d94da75c291d7c3afbf38ad22af60f9ebb2c0b16

SHA512
97dee28a3ac3d3b245b95761b87c4051e9bd12e89f2d6862d2345f4888e730faa594af4b1c72cd68516572f6b2d4ae60f66995c5bb237c0832103267c17f2d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmrh.exe

Filesize
79KB

MD5
95ced108cc929aa2be3eda4bea660076

SHA1
f05e3d28dfdae4785072ab0993fc537b86f0f027

SHA256
5487da3e9ad00242b5f389ad52c74ea82432997d8f3cdbb20f6aa86f9c12bbf6

SHA512
31bd5fffd2e758922c23a79079c49acbe7f786985dbb3c09a61aca354a548c26939b6e70d032594d235d4f0751dd23619930a6c75fa300cb0047bb5c9abb44c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmss.exe

Filesize
113KB

MD5
323b5952be1d284b1ea8552ec8e9f44b

SHA1
3de9cbe877e89ac204449fdee14b656e1b9eaf44

SHA256
80850eabd033a8f5b1ff2c6c1f93f8ef6812a7d8c1a4b24b015f1a3cbff60744

SHA512
dec9556a9d9aadb8ea7b7ea9d6d15a1a21c6218a2eee649d80ba944f15ce962fa0d8e0fa2f0af0c52d497dc5c39b0d51e4ca93c86f2d67dbd0170622d9477418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\pmsxx.exe

Filesize
113KB

MD5
0b6bb5eb9170112816f5c9f6bc3a40ec

SHA1
0f73908fe75ce6f20c2d6e4c7e4b24df34ad12a9

SHA256
fb69ca928471e440717a83016965deea908822f0a0cd4ccd7bf132513170ec17

SHA512
4c666bc3db06fb35f45e33503d57de81bdab90b61d4e9919290b9d0e9a41817851f277d622c179073520f3d877c9c84e1228215931a7303a1c7bc76a6b4bc8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\rundll32android.exe

Filesize
43KB

MD5
ff7cadf8d0db2d507a599f2d76e0e859

SHA1
00eeacc602e413f937a0ec675fb6244f2a866215

SHA256
9929b8e2242232dea1a251d7c4cc3a233f6a82f0a03bcd75f1a42a3a76260ec0

SHA512
1864984fb2f1501584a1dfc2574493d6fa72495f592765906ea3389a12abe3fa4e91106c05ac7032777488da8e06735596f218673330420c1f19971ce6f78d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\tjpt.exe

Filesize
113KB

MD5
068b8af4066247f472666ede6f39d516

SHA1
36f628c49e1e4c11ec52b72734d3e91fdd49361b

SHA256
e3eb82df03e02f3c2f48996afe89e7b2233e330517a6929b411479979c0615e0

SHA512
d1d02edc3e1732f81d8e57ce7cf941e850c20d7ab9ae412bd1e342ccf74468568e11657d2794810a5f20ce5efb5dc2c643fa8ed7e16b5ee3bf73f77895d53ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\wscriptandroid.exe

Filesize
132KB

MD5
3d27d125a2d16510665a69522fe3143c

SHA1
e7907467144b2655062093be7c2bee8ce419eb7c

SHA256
6454da055ac4123540e89e7b5d650e388951a43ccda30b91e1985425ceeae113

SHA512
01bfd59602e3cbd6a7f5d3a3f97d782740164be494ff8c213bd696d28845409fcb3b9527389b7191b8ea7f02dfdff9e029a7fd96afa78bd4bcc7bbbefd690704

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\xhdd.exe

Filesize
113KB

MD5
c2fc1fd5bd88c2d609b1ad18b4343d38

SHA1
5d6c4185f417200e0f3ab56344536026c8ec3641

SHA256
e6031da452883d7d62b5e0f1896970de6e93e8fc6e0d70ae578a654c26101f4c

SHA512
dbc1d69a504fc08e62ea02bc6781f043f0e4e05f9024b3928705685a2fb257169eff9572b2728c9ea0df89835c51bb61de1a9acf9a1e9a67bda1c52ddcbe14ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Android Icon Virus\xhgt.exe

Filesize
113KB

MD5
54e4c9560c62efe43686a05051938041

SHA1
7f8d78f078f1dfadfe7bcc06ea2eb2b1ccfb1101

SHA256
ad0712df697c92db4cbe89540211d28f5f728b2549bc1ce4eb06adafbbed99ef

SHA512
a9923ca2fe8a1770d0e8d9433abbf4c84b014415f833ba425e4ebce7a913a0fd74e43267d325a99d8632cda20edfc879a4cefa1e3e0bcdc1442757fbc63344f3

Download Submit