Overview
Score: 8

Target | Tags | Score
Static | static | 3
loudplay-l...20.exe | windows7-x64 | 8
loudplay-l...20.exe | windows10-2004-x64 | 8
$PLUGINSDIR/INetC.dll | windows7-x64 | 3
$PLUGINSDIR/INetC.dll | windows10-2004-x64 | 3
$PLUGINSDI...er.dll | windows7-x64 | 1
$PLUGINSDI...er.dll | windows10-2004-x64 | 1
$PLUGINSDI...ls.dll | windows7-x64 | 3
$PLUGINSDI...ls.dll | windows10-2004-x64 | 3
$PLUGINSDI...em.dll | windows7-x64 | 3
$PLUGINSDI...em.dll | windows10-2004-x64 | 3
$PLUGINSDI...ll.dll | windows7-x64 | 3
$PLUGINSDI...ll.dll | windows10-2004-x64 | 3
LICENSES.c...m.html | windows7-x64 | 1
LICENSES.c...m.html | windows10-2004-x64 | 1
Loudplay.exe | windows7-x64 | 7
Loudplay.exe | windows10-2004-x64 | 7
d3dcompiler_47.dll | windows10-2004-x64 | 3
ffmpeg.dll | windows7-x64 | 1
ffmpeg.dll | windows10-2004-x64 | 1
libEGL.dll | windows7-x64 | 1
libEGL.dll | windows10-2004-x64 | 1
libGLESv2.dll | windows7-x64 | 3
libGLESv2.dll | windows10-2004-x64 | 3
resources/app.asar | windows7-x64 | 3
resources/app.asar | windows10-2004-x64 | 3
resources/elevate.exe | windows7-x64 | 1
resources/elevate.exe | windows10-2004-x64 | 1
swiftshade...GL.dll | windows7-x64 | 1
swiftshade...GL.dll | windows10-2004-x64 | 1
swiftshade...v2.dll | windows7-x64 | 1
swiftshade...v2.dll | windows10-2004-x64 | 1
vk_swiftshader.dll | windows7-x64 | 3

Analysis
- max time kernel: 145s
- max time network: 161s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
- submitted: 14-06-2024 17:53
Static task
static1

Behavioral tasks (task: sample, resource)
behavioral1: loudplay-latest-null-248455720.exe, win7-20240611-en
behavioral2: loudplay-latest-null-248455720.exe, win10v2004-20240508-en
behavioral3: $PLUGINSDIR/INetC.dll, win7-20240221-en
behavioral4: $PLUGINSDIR/INetC.dll, win10v2004-20240508-en
behavioral5: $PLUGINSDIR/SpiderBanner.dll, win7-20240508-en
behavioral6: $PLUGINSDIR/SpiderBanner.dll, win10v2004-20240611-en
behavioral7: $PLUGINSDIR/StdUtils.dll, win7-20240221-en
behavioral8: $PLUGINSDIR/StdUtils.dll, win10v2004-20240508-en
behavioral9: $PLUGINSDIR/System.dll, win7-20240611-en
behavioral10: $PLUGINSDIR/System.dll, win10v2004-20240611-en
behavioral11: $PLUGINSDIR/WinShell.dll, win7-20240508-en
behavioral12: $PLUGINSDIR/WinShell.dll, win10v2004-20240611-en
behavioral13: LICENSES.chromium.html, win7-20240221-en
behavioral14: LICENSES.chromium.html, win10v2004-20240508-en
behavioral15: Loudplay.exe, win7-20240221-en
behavioral16: Loudplay.exe, win10v2004-20240508-en
behavioral17: d3dcompiler_47.dll, win10v2004-20240611-en
behavioral18: ffmpeg.dll, win7-20240611-en
behavioral19: ffmpeg.dll, win10v2004-20240508-en
behavioral20: libEGL.dll, win7-20240508-en
behavioral21: libEGL.dll, win10v2004-20240508-en
behavioral22: libGLESv2.dll, win7-20240221-en
behavioral23: libGLESv2.dll, win10v2004-20240611-en
behavioral24: resources/app.asar, win7-20240508-en
behavioral25: resources/app.asar, win10v2004-20240611-en
behavioral26: resources/elevate.exe, win7-20240508-en
behavioral27: resources/elevate.exe, win10v2004-20240508-en
behavioral28: swiftshader/libEGL.dll, win7-20231129-en
behavioral29: swiftshader/libEGL.dll, win10v2004-20240611-en
behavioral30: swiftshader/libGLESv2.dll, win7-20240220-en
behavioral31: swiftshader/libGLESv2.dll, win10v2004-20240508-en
behavioral32: vk_swiftshader.dll, win7-20240611-en
General
- Target: loudplay-latest-null-248455720.exe
- Size: 90.8MB
- MD5: f97b86e33d2bd2fd39c52e6e001ef1f6
- SHA1: c78c9755fb3a9044958a1728adf291bb35efb0a4
- SHA256: 7d509913a3d07881ee762b496138ef59681d6ff9a2540b73385d8a686b120a5a
- SHA512: 9a46d9415107e35241ac14ba8e7639e22afb8b4aeecefe6a8ec382e572fd3bcfb2c215e747695e47d3ab3d651eba6e0e6f7856c39814f7d68ffaaad9f972b118
- SSDEEP: 1572864:nbW7RwoSmywEZpqAeWFixGiDyQM/5P8fIiateTbxLtjrLFWUXpMicwtYHXCE4h:n4woSxRqAni0iDyRp8fXam/rLAUXpM3Q
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Run Powershell and hide display window.
Processes (pid | process):
944 | powershell.exe
2304 | powershell.exe
2704 | powershell.exe
3464 | powershell.exe
2148 | powershell.exe
2896 | powershell.exe
2596 | powershell.exe
1784 | powershell.exe
1872 | powershell.exe
660 | powershell.exe
1072 | powershell.exe
1152 | powershell.exe
2296 | powershell.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\International\Geo\Nation | Loudplay.exe
Key value queried | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\International\Geo\Nation | Loudplay.exe

Executes dropped EXE 5 IoCs
Processes (pid | process):
3020 | Loudplay.exe
2524 | Loudplay.exe
1312 | Loudplay.exe
272 | Loudplay.exe
1832 | Loudplay.exe

Loads dropped DLL 24 IoCs
Processes (pid | process; consecutive identical rows are grouped with a row count):
2996 | loudplay-latest-null-248455720.exe (15 rows)
3020 | Loudplay.exe
2524 | Loudplay.exe
1312 | Loudplay.exe
272 | Loudplay.exe
2524 | Loudplay.exe (3 rows)
272 | Loudplay.exe
1832 | Loudplay.exe

Adds Run key to start application 2 TTPs 4 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loudplay = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe\" --hidden" | reg.exe (4 rows)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Loudplay.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Loudplay.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Loudplay.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | Loudplay.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Loudplay.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | Loudplay.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | Loudplay.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | reg.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
Processes (pid | process):
1148 | NETSTAT.EXE
1048 | ipconfig.exe
2248 | ipconfig.exe

Modifies registry class 18 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay\shell\open\command | Loudplay.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell | loudplay-latest-null-248455720.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\Open | loudplay-latest-null-248455720.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\Open\command | loudplay-latest-null-248455720.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay | Loudplay.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay\shell | Loudplay.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay\shell\open | Loudplay.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\loudplay | loudplay-latest-null-248455720.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\DefaultIcon | loudplay-latest-null-248455720.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\Open\ | loudplay-latest-null-248455720.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe %1" | loudplay-latest-null-248455720.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay\URL Protocol | Loudplay.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe\" \"%1\"" | Loudplay.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\URL Protocol | loudplay-latest-null-248455720.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\ | loudplay-latest-null-248455720.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay\ = "URL:loudplay" | Loudplay.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\ = "URL:loudplay" | loudplay-latest-null-248455720.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe" | loudplay-latest-null-248455720.exe
Modifies registry key 1 TTPs 8 IoCs
Processes (pid | process):
1672 | reg.exe
2360 | reg.exe
688 | reg.exe
1836 | reg.exe
1912 | reg.exe
1760 | reg.exe
2272 | reg.exe
2300 | reg.exe
Modifies system certificate store
Processes (description | ioc | process; certificate blob data omitted):
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob omitted) | Loudplay.exe (3 rows)
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | loudplay-latest-null-248455720.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob omitted) | loudplay-latest-null-248455720.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | Loudplay.exe
NTFS ADS 1 IoCs
Processes (description | ioc | process):
File opened for modification | C:\Users\Admin\AppData\Roaming\loudplay\client\1.8.1.zip:Zone.Identifier | Loudplay.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs
Processes (pid | process; consecutive identical rows are grouped with a row count):
2996 | loudplay-latest-null-248455720.exe (3 rows)
660 | powershell.exe
944 | powershell.exe (3 rows)
2040 | powershell.exe
3020 | Loudplay.exe (2 rows)
272 | Loudplay.exe
1312 | Loudplay.exe
3020 | Loudplay.exe (16 rows)
272 | Loudplay.exe (8 rows)
2704 | powershell.exe
1072 | powershell.exe
1872 | powershell.exe
2296 | powershell.exe
2148 | powershell.exe
2596 | powershell.exe
1784 | powershell.exe
1152 | powershell.exe
2304 | powershell.exe
2896 | powershell.exe
3464 | powershell.exe
3020 | Loudplay.exe (2 rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description | pid | process):
Token: SeSecurityPrivilege | 2996 | loudplay-latest-null-248455720.exe
Token: SeDebugPrivilege | 660 | powershell.exe
Token: SeDebugPrivilege | 944 | powershell.exe
Token: SeDebugPrivilege | 2040 | powershell.exe
Token: (each of the 20 tokens below, in this order, listed twice: 40 rows) | 2144 | WMIC.exe
Token: (each of the 20 tokens below, in this order, listed once: 20 rows) | 2356 | WMIC.exe
Token sequence for the WMIC.exe rows: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Suspicious use of FindShellTrayWindow 4 IoCs
Processes (pid | process):
3020 | Loudplay.exe (4 rows)

Suspicious use of SendNotifyMessage 3 IoCs
Processes (pid | process):
3020 | Loudplay.exe (3 rows)

Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid process | target process; consecutive identical rows are grouped with a row count):
PID 2996 wrote to memory of 1756 | 2996 loudplay-latest-null-248455720.exe | findstr.exe (4 rows)
PID 2996 wrote to memory of 660 | 2996 loudplay-latest-null-248455720.exe | powershell.exe (4 rows)
PID 2996 wrote to memory of 944 | 2996 loudplay-latest-null-248455720.exe | powershell.exe (4 rows)
PID 944 wrote to memory of 2040 | 944 powershell.exe | powershell.exe (4 rows)
PID 3020 wrote to memory of 2524 | 3020 Loudplay.exe | Loudplay.exe (42 rows)
PID 3020 wrote to memory of 1312 | 3020 Loudplay.exe | Loudplay.exe (4 rows)
PID 3020 wrote to memory of 272 | 3020 Loudplay.exe | Loudplay.exe (2 rows)
Processes
-
C:\Users\Admin\AppData\Local\Temp\loudplay-latest-null-248455720.exe"C:\Users\Admin\AppData\Local\Temp\loudplay-latest-null-248455720.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\findstr.exefindstr exe-file "C:\Users\Admin\AppData\Local\Temp\latest.x86.yml"2⤵PID:1756
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "Set-ExecutionPolicy Bypass -Scope CurrentUser -Force"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "Start-Process powershell -Wait -WindowStyle Hidden -Verb RunAs -ArgumentList 'C:\Users\Admin\AppData\Local\Temp\loudplay_firewall_rules.ps1'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\AppData\Local\Temp\loudplay_firewall_rules.ps13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe" --type=gpu-process --field-trial-handle=1992,4314687701814338948,18424885000033166976,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2008 /prefetch:22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,4314687701814338948,18424885000033166976,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=2348 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1312 -
C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe" --type=renderer --field-trial-handle=1992,4314687701814338948,18424885000033166976,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\loudplay\resources\app.asar" --node-integration --node-integration-in-worker --no-sandbox --no-zygote --enable-remote-module --background-color=#000 --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "chcp"2⤵PID:1144
-
C:\Windows\SysWOW64\chcp.comchcp3⤵PID:2264
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay2⤵
- Modifies registry key
PID:2360 -
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay2⤵
- Modifies registry key
PID:1672 -
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay2⤵
- Modifies registry key
PID:2300 -
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay2⤵
- Modifies registry key
PID:2272 -
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe\" --hidden" /f2⤵
- Adds Run key to start application
- Modifies registry key
PID:1760 -
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe\" --hidden" /f2⤵
- Adds Run key to start application
- Modifies registry key
PID:1912 -
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe\" --hidden" /f2⤵
- Adds Run key to start application
- Modifies registry key
PID:688 -
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe\" --hidden" /f2⤵
- Adds Run key to start application
- Modifies registry key
PID:1836 -
C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1992,4314687701814338948,18424885000033166976,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=904 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "netstat -r"2⤵PID:880
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -r3⤵
- Gathers network information
PID:1148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print4⤵PID:2264
-
C:\Windows\SysWOW64\ROUTE.EXEC:\Windows\system32\route.exe print5⤵PID:1872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get /value"2⤵PID:1708
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nic get /value3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"2⤵PID:1500
-
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:2356
    C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value
    - Suspicious use of AdjustPrivilegeToken
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2364
    C:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"
[level 3] C:\Windows\SysWOW64\netsh.exe  PID:972
    netsh lan show profiles
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1672
    C:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"
[level 3] C:\Windows\SysWOW64\ipconfig.exe  PID:1048
    ipconfig /all
    - Gathers network information
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1776
    C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:3032
    C:\Windows\system32\cmd.exe /d /s /c "%windir%\sysnative\cmd.exe /c %windir%\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
[level 3] C:\Windows\system32\cmd.exe  PID:1444
    C:\Windows\sysnative\cmd.exe /c C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
[level 4] C:\Windows\System32\reg.exe  PID:2040
    C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1752
    C:\Windows\system32\cmd.exe /d /s /c "openssl version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2320
    C:\Windows\system32\cmd.exe /d /s /c "npm -v"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2032
    C:\Windows\system32\cmd.exe /d /s /c "pm2.cmd -v"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2920
    C:\Windows\system32\cmd.exe /d /s /c "yarn --version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1576
    C:\Windows\system32\cmd.exe /d /s /c "gulp.cmd --version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1596
    C:\Windows\system32\cmd.exe /d /s /c "tsc.cmd --version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1692
    C:\Windows\system32\cmd.exe /d /s /c "grunt.cmd --version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2076
    C:\Windows\system32\cmd.exe /d /s /c "git --version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:884
    C:\Windows\system32\cmd.exe /d /s /c "apachectl -v 2>&1"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2064
    C:\Windows\system32\cmd.exe /d /s /c "nginx -v 2>&1"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1600
    C:\Windows\system32\cmd.exe /d /s /c "mysql -V"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2964
    C:\Windows\system32\cmd.exe /d /s /c "php -v"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2068
    C:\Windows\system32\cmd.exe /d /s /c "redis-server --version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2912
    C:\Windows\system32\cmd.exe /d /s /c "docker --version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2908
    C:\Windows\system32\cmd.exe /d /s /c "postconf -d | grep mail_version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2720
    C:\Windows\system32\cmd.exe /d /s /c "mongod --version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2760
    C:\Windows\system32\cmd.exe /d /s /c "perl -v"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2696
    C:\Windows\system32\cmd.exe /d /s /c "python -V 2>&1"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2684
    C:\Windows\system32\cmd.exe /d /s /c "python3 -V 2>&1"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2520
    C:\Windows\system32\cmd.exe /d /s /c "pip -V 2>&1"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2632
    C:\Windows\system32\cmd.exe /d /s /c "pip3 -V 2>&1"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2644
    C:\Windows\system32\cmd.exe /d /s /c "java -version 2>&1"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2476
    C:\Windows\system32\cmd.exe /d /s /c "gcc -dumpversion"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2220
    C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" -v 2>&1"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2176
    C:\Windows\system32\cmd.exe /d /s /c "bash --version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1608
    C:\Windows\system32\cmd.exe /d /s /c "zsh --version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1112
    C:\Windows\system32\cmd.exe /d /s /c "fish --version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1188
    C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
[level 3] C:\Windows\SysWOW64\reg.exe  PID:2300
    reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
    - Checks processor information in registry
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1500
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get /value"
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:1552
    C:\Windows\system32\wbem\wmic.exe nic get /value
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:972
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:892
    C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1672
    C:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"
[level 3] C:\Windows\SysWOW64\netsh.exe  PID:2088
    netsh lan show profiles
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2592
    C:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"
[level 3] C:\Windows\SysWOW64\ipconfig.exe  PID:2248
    ipconfig /all
    - Gathers network information
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:872
    C:\Windows\system32\cmd.exe /d /s /c "WHERE smartctl 2>nul"
[level 3] C:\Windows\SysWOW64\where.exe  PID:2112
    WHERE smartctl
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1444
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe csproduct get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:560
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:1856
    C:\Windows\system32\wbem\wmic.exe csproduct get /value
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1044
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe bios get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:2612
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:548
    C:\Windows\system32\wbem\wmic.exe bios get /value
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2636
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe baseboard get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:2472
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:320
    C:\Windows\system32\wbem\wmic.exe baseboard get /value
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2352
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe memphysical get MaxCapacity, MemoryDevices /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:1124
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:2324
    C:\Windows\system32\wbem\wmic.exe memphysical get MaxCapacity, MemoryDevices /value
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1676
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path Win32_SystemEnclosure get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:520
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:3376
    C:\Windows\system32\wbem\wmic.exe path Win32_SystemEnclosure get /value
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:928
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe os get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:1904
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:2092
    C:\Windows\system32\wbem\wmic.exe os get /value
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:2148
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:1072
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1172
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe service get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:2344
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:1772
    C:\Windows\system32\wbem\wmic.exe service get /value
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:1152
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:2896
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:932
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path win32_VideoController get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:1032
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:1760
    C:\Windows\system32\wbem\wmic.exe path win32_VideoController get /value
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:2296
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2200
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path win32_desktopmonitor get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:2780
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:3332
    C:\Windows\system32\wbem\wmic.exe path win32_desktopmonitor get /value
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:2704
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:2596
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:1784
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:1872
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1144
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe memorychip get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:828
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:3248
    C:\Windows\system32\wbem\wmic.exe memorychip get /value
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:948
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe diskdrive get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:1532
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:3368
    C:\Windows\system32\wbem\wmic.exe diskdrive get /value
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:2304
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1416
    C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
[level 3] C:\Windows\SysWOW64\reg.exe  PID:3256
    reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
    - Checks processor information in registry
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:1768
    C:\Windows\system32\cmd.exe /d /s /c "gcc --version"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2248
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe csproduct get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:1604
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:3360
    C:\Windows\system32\wbem\wmic.exe csproduct get /value
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:3224
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:3488
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:3796
    C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:3444
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe cpu get /value"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:3668
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:3780
    C:\Windows\system32\wbem\wmic.exe cpu get /value
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:3456
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:3716
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:3788
    C:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:3464
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:4072
    C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
[level 3] C:\Windows\SysWOW64\findstr.exe  PID:2664
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2472
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe bios get Version, SerialNumber, SMBIOSBIOSVersion"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:2972
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:1804
    C:\Windows\system32\wbem\wmic.exe bios get Version, SerialNumber, SMBIOSBIOSVersion
[level 2] C:\Windows\SysWOW64\cmd.exe  PID:2612
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe pagefile get AllocatedBaseSize, CurrentUsage"
[level 3] C:\Windows\SysWOW64\chcp.com  PID:2932
    C:\Windows\system32\chcp.com 65001
[level 3] C:\Windows\SysWOW64\wbem\WMIC.exe  PID:944
    C:\Windows\system32\wbem\wmic.exe pagefile get AllocatedBaseSize, CurrentUsage
[level 1] C:\Windows\system32\conhost.exe  PID:2264
    \??\C:\Windows\system32\conhost.exe "-34235418465161750417883371502005110311-1526883166213258443914366794901411927846"
[level 1] C:\Windows\system32\conhost.exe  PID:1148
    \??\C:\Windows\system32\conhost.exe "-1286701076-57895615-1923576957-7659752261555408613-582911371-2036032354633368378"
[level 1] C:\Windows\system32\conhost.exe  PID:880
    \??\C:\Windows\system32\conhost.exe "-403460769-1240709906-1766318261-1701620062-468839015478951431658677324-1026609006"
[level 1] C:\Windows\system32\conhost.exe  PID:2144
    \??\C:\Windows\system32\conhost.exe "119202522663029557-965322558-94940565-1193755000-14372908055052524951541637605"
Network
MITRE ATT&CK Enterprise v15
Downloads