7d509913a3d07881ee762b496138ef59681d6ff9a2540b73385d8a686b120a5a

Analysis

max time kernel
145s
max time network
161s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loudplay-latest-null-248455720.exe
Size

90.8MB
MD5

f97b86e33d2bd2fd39c52e6e001ef1f6
SHA1

c78c9755fb3a9044958a1728adf291bb35efb0a4
SHA256

7d509913a3d07881ee762b496138ef59681d6ff9a2540b73385d8a686b120a5a
SHA512

9a46d9415107e35241ac14ba8e7639e22afb8b4aeecefe6a8ec382e572fd3bcfb2c215e747695e47d3ab3d651eba6e0e6f7856c39814f7d68ffaaad9f972b118
SSDEEP

1572864:nbW7RwoSmywEZpqAeWFixGiDyQM/5P8fIiateTbxLtjrLFWUXpMicwtYHXCE4h:n4woSxRqAni0iDyRp8fXam/rLAUXpM3Q

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
944	powershell.exe
2304	powershell.exe
2704	powershell.exe
3464	powershell.exe
2148	powershell.exe
2896	powershell.exe
2596	powershell.exe
1784	powershell.exe
1872	powershell.exe
660	powershell.exe
1072	powershell.exe
1152	powershell.exe
2296	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loudplay.exeLoudplay.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\International\Geo\Nation	Loudplay.exe
Key value queried	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\International\Geo\Nation	Loudplay.exe

Executes dropped EXE 5 IoCs

Processes:

Loudplay.exeLoudplay.exeLoudplay.exeLoudplay.exeLoudplay.exe

pid process

3020 Loudplay.exe
2524 Loudplay.exe
1312 Loudplay.exe
272 Loudplay.exe
1832 Loudplay.exe

pid	process
3020	Loudplay.exe
2524	Loudplay.exe
1312	Loudplay.exe
272	Loudplay.exe
1832	Loudplay.exe

Loads dropped DLL 24 IoCs

Processes:

loudplay-latest-null-248455720.exeLoudplay.exeLoudplay.exeLoudplay.exeLoudplay.exeLoudplay.exe

pid	process
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
3020	Loudplay.exe
2524	Loudplay.exe
1312	Loudplay.exe
272	Loudplay.exe
2524	Loudplay.exe
2524	Loudplay.exe
2524	Loudplay.exe
272	Loudplay.exe
1832	Loudplay.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loudplay = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe\" --hidden"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loudplay = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe\" --hidden"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loudplay = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe\" --hidden"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loudplay = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe\" --hidden"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loudplay.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Loudplay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Loudplay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Loudplay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Loudplay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Loudplay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Loudplay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Loudplay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exeipconfig.exe

pid process

1148 NETSTAT.EXE
1048 ipconfig.exe
2248 ipconfig.exe

pid	process
1148	NETSTAT.EXE
1048	ipconfig.exe
2248	ipconfig.exe

Modifies registry class 18 IoCs

Processes:

Loudplay.exeloudplay-latest-null-248455720.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay\shell\open\command	Loudplay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell	loudplay-latest-null-248455720.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\Open	loudplay-latest-null-248455720.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\Open\command	loudplay-latest-null-248455720.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay	Loudplay.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay\shell	Loudplay.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay\shell\open	Loudplay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay	loudplay-latest-null-248455720.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\DefaultIcon	loudplay-latest-null-248455720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\Open\	loudplay-latest-null-248455720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe %1"	loudplay-latest-null-248455720.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay\URL Protocol	Loudplay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe\" \"%1\""	Loudplay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\URL Protocol	loudplay-latest-null-248455720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\	loudplay-latest-null-248455720.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\loudplay\ = "URL:loudplay"	Loudplay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\ = "URL:loudplay"	loudplay-latest-null-248455720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe"	loudplay-latest-null-248455720.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1672 reg.exe
2360 reg.exe
688 reg.exe
1836 reg.exe
1912 reg.exe
1760 reg.exe
2272 reg.exe
2300 reg.exe

pid	process
1672	reg.exe
2360	reg.exe
688	reg.exe
1836	reg.exe
1912	reg.exe
1760	reg.exe
2272	reg.exe
2300	reg.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Loudplay.exeloudplay-latest-null-248455720.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Loudplay.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Loudplay.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Loudplay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	loudplay-latest-null-248455720.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	loudplay-latest-null-248455720.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Loudplay.exe

NTFS ADS 1 IoCs

Processes:

Loudplay.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\loudplay\client\1.8.1.zip:Zone.Identifier Loudplay.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\loudplay\client\1.8.1.zip:Zone.Identifier	Loudplay.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

loudplay-latest-null-248455720.exepowershell.exepowershell.exepowershell.exeLoudplay.exeLoudplay.exeLoudplay.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
2996	loudplay-latest-null-248455720.exe
660	powershell.exe
944	powershell.exe
944	powershell.exe
944	powershell.exe
2040	powershell.exe
3020	Loudplay.exe
3020	Loudplay.exe
272	Loudplay.exe
1312	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
272	Loudplay.exe
272	Loudplay.exe
272	Loudplay.exe
272	Loudplay.exe
272	Loudplay.exe
272	Loudplay.exe
272	Loudplay.exe
272	Loudplay.exe
2704	powershell.exe
1072	powershell.exe
1872	powershell.exe
2296	powershell.exe
2148	powershell.exe
2596	powershell.exe
1784	powershell.exe
1152	powershell.exe
2304	powershell.exe
2896	powershell.exe
3464	powershell.exe
3020	Loudplay.exe
3020	Loudplay.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

loudplay-latest-null-248455720.exepowershell.exepowershell.exepowershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeSecurityPrivilege	2996	loudplay-latest-null-248455720.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeIncreaseQuotaPrivilege	2144	WMIC.exe
Token: SeSecurityPrivilege	2144	WMIC.exe
Token: SeTakeOwnershipPrivilege	2144	WMIC.exe
Token: SeLoadDriverPrivilege	2144	WMIC.exe
Token: SeSystemProfilePrivilege	2144	WMIC.exe
Token: SeSystemtimePrivilege	2144	WMIC.exe
Token: SeProfSingleProcessPrivilege	2144	WMIC.exe
Token: SeIncBasePriorityPrivilege	2144	WMIC.exe
Token: SeCreatePagefilePrivilege	2144	WMIC.exe
Token: SeBackupPrivilege	2144	WMIC.exe
Token: SeRestorePrivilege	2144	WMIC.exe
Token: SeShutdownPrivilege	2144	WMIC.exe
Token: SeDebugPrivilege	2144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2144	WMIC.exe
Token: SeRemoteShutdownPrivilege	2144	WMIC.exe
Token: SeUndockPrivilege	2144	WMIC.exe
Token: SeManageVolumePrivilege	2144	WMIC.exe
Token: 33	2144	WMIC.exe
Token: 34	2144	WMIC.exe
Token: 35	2144	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2144	WMIC.exe
Token: SeSecurityPrivilege	2144	WMIC.exe
Token: SeTakeOwnershipPrivilege	2144	WMIC.exe
Token: SeLoadDriverPrivilege	2144	WMIC.exe
Token: SeSystemProfilePrivilege	2144	WMIC.exe
Token: SeSystemtimePrivilege	2144	WMIC.exe
Token: SeProfSingleProcessPrivilege	2144	WMIC.exe
Token: SeIncBasePriorityPrivilege	2144	WMIC.exe
Token: SeCreatePagefilePrivilege	2144	WMIC.exe
Token: SeBackupPrivilege	2144	WMIC.exe
Token: SeRestorePrivilege	2144	WMIC.exe
Token: SeShutdownPrivilege	2144	WMIC.exe
Token: SeDebugPrivilege	2144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2144	WMIC.exe
Token: SeRemoteShutdownPrivilege	2144	WMIC.exe
Token: SeUndockPrivilege	2144	WMIC.exe
Token: SeManageVolumePrivilege	2144	WMIC.exe
Token: 33	2144	WMIC.exe
Token: 34	2144	WMIC.exe
Token: 35	2144	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2356	WMIC.exe
Token: SeSecurityPrivilege	2356	WMIC.exe
Token: SeTakeOwnershipPrivilege	2356	WMIC.exe
Token: SeLoadDriverPrivilege	2356	WMIC.exe
Token: SeSystemProfilePrivilege	2356	WMIC.exe
Token: SeSystemtimePrivilege	2356	WMIC.exe
Token: SeProfSingleProcessPrivilege	2356	WMIC.exe
Token: SeIncBasePriorityPrivilege	2356	WMIC.exe
Token: SeCreatePagefilePrivilege	2356	WMIC.exe
Token: SeBackupPrivilege	2356	WMIC.exe
Token: SeRestorePrivilege	2356	WMIC.exe
Token: SeShutdownPrivilege	2356	WMIC.exe
Token: SeDebugPrivilege	2356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2356	WMIC.exe
Token: SeRemoteShutdownPrivilege	2356	WMIC.exe
Token: SeUndockPrivilege	2356	WMIC.exe
Token: SeManageVolumePrivilege	2356	WMIC.exe
Token: 33	2356	WMIC.exe
Token: 34	2356	WMIC.exe
Token: 35	2356	WMIC.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Loudplay.exe

pid process

3020 Loudplay.exe
3020 Loudplay.exe
3020 Loudplay.exe
3020 Loudplay.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Loudplay.exe

pid process

3020 Loudplay.exe
3020 Loudplay.exe
3020 Loudplay.exe

pid	process
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe

pid	process
3020	Loudplay.exe
3020	Loudplay.exe
3020	Loudplay.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

loudplay-latest-null-248455720.exepowershell.exeLoudplay.exe

description	pid	process	target process
PID 2996 wrote to memory of 1756	2996	loudplay-latest-null-248455720.exe	findstr.exe
PID 2996 wrote to memory of 1756	2996	loudplay-latest-null-248455720.exe	findstr.exe
PID 2996 wrote to memory of 1756	2996	loudplay-latest-null-248455720.exe	findstr.exe
PID 2996 wrote to memory of 1756	2996	loudplay-latest-null-248455720.exe	findstr.exe
PID 2996 wrote to memory of 660	2996	loudplay-latest-null-248455720.exe	powershell.exe
PID 2996 wrote to memory of 660	2996	loudplay-latest-null-248455720.exe	powershell.exe
PID 2996 wrote to memory of 660	2996	loudplay-latest-null-248455720.exe	powershell.exe
PID 2996 wrote to memory of 660	2996	loudplay-latest-null-248455720.exe	powershell.exe
PID 2996 wrote to memory of 944	2996	loudplay-latest-null-248455720.exe	powershell.exe
PID 2996 wrote to memory of 944	2996	loudplay-latest-null-248455720.exe	powershell.exe
PID 2996 wrote to memory of 944	2996	loudplay-latest-null-248455720.exe	powershell.exe
PID 2996 wrote to memory of 944	2996	loudplay-latest-null-248455720.exe	powershell.exe
PID 944 wrote to memory of 2040	944	powershell.exe	powershell.exe
PID 944 wrote to memory of 2040	944	powershell.exe	powershell.exe
PID 944 wrote to memory of 2040	944	powershell.exe	powershell.exe
PID 944 wrote to memory of 2040	944	powershell.exe	powershell.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 2524	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 1312	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 1312	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 1312	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 1312	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 272	3020	Loudplay.exe	Loudplay.exe
PID 3020 wrote to memory of 272	3020	Loudplay.exe	Loudplay.exe

C:\Users\Admin\AppData\Local\Temp\loudplay-latest-null-248455720.exe
"C:\Users\Admin\AppData\Local\Temp\loudplay-latest-null-248455720.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\findstr.exe
findstr exe-file "C:\Users\Admin\AppData\Local\Temp\latest.x86.yml"
2⤵
PID:1756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Set-ExecutionPolicy Bypass -Scope CurrentUser -Force"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process powershell -Wait -WindowStyle Hidden -Verb RunAs -ArgumentList 'C:\Users\Admin\AppData\Local\Temp\loudplay_firewall_rules.ps1'"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\AppData\Local\Temp\loudplay_firewall_rules.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe
"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe
"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe" --type=gpu-process --field-trial-handle=1992,4314687701814338948,18424885000033166976,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2008 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524

C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe
"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,4314687701814338948,18424885000033166976,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=2348 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe
"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe" --type=renderer --field-trial-handle=1992,4314687701814338948,18424885000033166976,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\loudplay\resources\app.asar" --node-integration --node-integration-in-worker --no-sandbox --no-zygote --enable-remote-module --background-color=#000 --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
2⤵
PID:1144

C:\Windows\SysWOW64\chcp.com
chcp
3⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay
2⤵
- Modifies registry key
PID:2360

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay
2⤵
- Modifies registry key
PID:1672

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay
2⤵
- Modifies registry key
PID:2300

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay
2⤵
- Modifies registry key
PID:2272

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe\" --hidden" /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:1760

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe\" --hidden" /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:1912

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe\" --hidden" /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:688

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe\" --hidden" /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:1836

C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe
"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1992,4314687701814338948,18424885000033166976,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=904 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netstat -r"
2⤵
PID:880

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -r
3⤵
- Gathers network information
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
4⤵
PID:2264

C:\Windows\SysWOW64\ROUTE.EXE
C:\Windows\system32\route.exe print
5⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get /value"
2⤵
PID:1708

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe nic get /value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"
2⤵
PID:1500

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"
2⤵
PID:2364

C:\Windows\SysWOW64\netsh.exe
netsh lan show profiles
3⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"
2⤵
PID:1672

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
2⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\sysnative\cmd.exe /c %windir%\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
2⤵
PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
3⤵
PID:1444

C:\Windows\System32\reg.exe
C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
4⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "openssl version"
2⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "npm -v"
2⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "pm2.cmd -v"
2⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "yarn --version"
2⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "gulp.cmd --version"
2⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tsc.cmd --version"
2⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "grunt.cmd --version"
2⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "git --version"
2⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "apachectl -v 2>&1"
2⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "nginx -v 2>&1"
2⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "mysql -V"
2⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "php -v"
2⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "redis-server --version"
2⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "docker --version"
2⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "postconf -d | grep mail_version"
2⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "mongod --version"
2⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "perl -v"
2⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "python -V 2>&1"
2⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "python3 -V 2>&1"
2⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "pip -V 2>&1"
2⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "pip3 -V 2>&1"
2⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "java -version 2>&1"
2⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "gcc -dumpversion"
2⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" -v 2>&1"
2⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "bash --version"
2⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "zsh --version"
2⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "fish --version"
2⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
2⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
3⤵
- Checks processor information in registry
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get /value"
2⤵
PID:1500

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe nic get /value
3⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"
2⤵
PID:972

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value
3⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"
2⤵
PID:1672

C:\Windows\SysWOW64\netsh.exe
netsh lan show profiles
3⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"
2⤵
PID:2592

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "WHERE smartctl 2>nul"
2⤵
PID:872

C:\Windows\SysWOW64\where.exe
WHERE smartctl
3⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe csproduct get /value"
2⤵
PID:1444

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:560

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe csproduct get /value
3⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe bios get /value"
2⤵
PID:1044

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:2612

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe bios get /value
3⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe baseboard get /value"
2⤵
PID:2636

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:2472

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe baseboard get /value
3⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe memphysical get MaxCapacity, MemoryDevices /value"
2⤵
PID:2352

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:1124

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe memphysical get MaxCapacity, MemoryDevices /value
3⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path Win32_SystemEnclosure get /value"
2⤵
PID:1676

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:520

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe path Win32_SystemEnclosure get /value
3⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe os get /value"
2⤵
PID:928

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:1904

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe os get /value
3⤵
PID:2092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe service get /value"
2⤵
PID:1172

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:2344

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe service get /value
3⤵
PID:1772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path win32_VideoController get /value"
2⤵
PID:932

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:1032

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe path win32_VideoController get /value
3⤵
PID:1760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path win32_desktopmonitor get /value"
2⤵
PID:2200

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:2780

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe path win32_desktopmonitor get /value
3⤵
PID:3332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe memorychip get /value"
2⤵
PID:1144

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:828

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe memorychip get /value
3⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe diskdrive get /value"
2⤵
PID:948

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:1532

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe diskdrive get /value
3⤵
PID:3368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
2⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
3⤵
- Checks processor information in registry
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "gcc --version"
2⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe csproduct get /value"
2⤵
PID:2248

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:1604

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe csproduct get /value
3⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value"
2⤵
PID:3224

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:3488

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value
3⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe cpu get /value"
2⤵
PID:3444

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:3668

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe cpu get /value
3⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose"
2⤵
PID:3456

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:3716

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose
3⤵
PID:3788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
2⤵
PID:4072

C:\Windows\SysWOW64\findstr.exe
findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
3⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe bios get Version, SerialNumber, SMBIOSBIOSVersion"
2⤵
PID:2472

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:2972

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe bios get Version, SerialNumber, SMBIOSBIOSVersion
3⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe pagefile get AllocatedBaseSize, CurrentUsage"
2⤵
PID:2612

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:2932

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe pagefile get AllocatedBaseSize, CurrentUsage
3⤵
PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-34235418465161750417883371502005110311-1526883166213258443914366794901411927846"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1286701076-57895615-1923576957-7659752261555408613-582911371-2036032354633368378"
1⤵
PID:1148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-403460769-1240709906-1766318261-1701620062-468839015478951431658677324-1026609006"
1⤵
PID:880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "119202522663029557-965322558-94940565-1193755000-14372908055052524951541637605"
1⤵
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
2dff469992b068db065b5639d9d90ba7

SHA1
b0d885c9abde66acb4f88f694455d8a7fa1a15bc

SHA256
9ae6c0f69f2c8dee5e3aaecc8ef0a14363792be4a49950ae56fe9dfc6dcf3f7b

SHA512
468968e52e9dc37128cafb0ed2dbd220da57bf17c51425c198ca5c192c22ca567fba763d3820013b3fdae8a61b9c4874923dfa0f92da889f4979a42394c08cdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f87fb6632489addca82013ad1066aee

SHA1
0168a2a72ceeb9032dd0768704487e09b9be5160

SHA256
c47e0174ed774a9cc1ef0d489fff51925c74de8823e12fa5c62f61cbd5e38263

SHA512
8a98c16b9cf2a2a13aa8f6e1dee64829acb17ba1e110fd1f8eb334b876f774d184e1d9c01f00b9844d85178ef0d1aba945d6b50895c39778cc2d71236e158c01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
812521f11c6565997d55e29a4cdf0239

SHA1
c341b4e70da14bbac9d84a8df50e54699b1c42a8

SHA256
4ee7ab5bdb57c1ceddfd4bdba6143c13495b7d453c434c25ca1097c0fcb0b511

SHA512
85cff9908afc66918030e99782dbe1a9edb9dd48e7d1b130015963e1adebd431857a160d4f5b82d08fc3d15ba8fb766a5015110802d68bff6e0b7acc192e14fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3011eb95add654b262c32de0cb854ef

SHA1
d9d304cd29dec560449d7b6a26055eb8c17fd51d

SHA256
73af0152d7527f5eee0196ef9df3c87c1b116cc1f324ac312a7a124e9c4e1b0c

SHA512
68f4b2b73389820ee372625dc19669ba0e42c53d52cd6a0e96600073171de9d3665c1936d7ce98311d65fa4187eb70727d713bd350dabe928b1a34722b8957d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fcbc9d58aecb1405054d28a205434c7

SHA1
ac58d3240a3b27085f519e7bea8b6429bb38e6d5

SHA256
61c3258dd77c38afbe11f2207205f4409fe35395d8daaeb622270bc14279db07

SHA512
535258c38228a00ec77f2db213444c62bac87949ae60e8ad8de6b54684afa9ebc92aa0d125e829fde9ff99f9eaa01bd80965ab64a4a6d095d58d8b51f66c0017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f6bcda2a357f06a372328c58826476a

SHA1
de4e8236ff35b755ba924bf4276dbcf178ac769d

SHA256
d75e30b7cf0b59c25ce14bbd1d1a9f9344bff738c911487ae955f3b1c9781653

SHA512
64764797295e06c7c4aa058e726df9a390220658c6bfa3bed330fda7760613643f4a5bf11f61ef1d22667970d44cb28dc1a33288b45d7b5698addf47a9a6c630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15714387a785bc5d8469624d85b8ee71

SHA1
33a5a043c037dd1a115d268991c001dea376a436

SHA256
3a5066e2c3d983bc02c2583d9feb1396fb640d3b07c38765afc723193dcbadaa

SHA512
08c9a55efa4f72eb83125c81f01415a234de8350c7a0491cf5d7980c4ea253c619968928e3f90c37527d0839c7718a122df45dd28165b669b9e9ff1f784dcda8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68ff19bf0cdbaac90ebb42c18bbda670

SHA1
ce889709ed08fd3863eaee3b509da8c4d14a868a

SHA256
e14d685ef64ee3b00fe1e12a439f472122ba83bdde0ed335fdc5ddf7e6c969ce

SHA512
6b34a123c01f009e2debc462bec03a3081bd573444bfc8ca574946978a11001faed99e1332f7515436b69e50c9c81b75921755bec87c5946df99406aa834edc1

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\chrome_100_percent.pak

Filesize
121KB

MD5
06baf0ad34e0231bd76651203dba8326

SHA1
a5f99ecdcc06dec9d7f9ce0a8c66e46969117391

SHA256
5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189

SHA512
aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\chrome_200_percent.pak

Filesize
181KB

MD5
57c27201e7cd33471da7ec205fe9973c

SHA1
a8e7bce09c4cbdae2797611b2be8aeb5491036f9

SHA256
dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b

SHA512
57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\ffmpeg.dll

Filesize
2.5MB

MD5
594100c352317c2027cbccb5b8c0e54e

SHA1
17d1df60cd4e7aedd3801c4e55be1d7afaf13487

SHA256
1b2fbefaf3f4c503621374b191aee676a6457e4dd12931e020ce8d6700692b78

SHA512
a21248c9b7862aa3ff09ca5a7db3cbf45fc255d60c214b5018e0968027e5f4e2cd1baacda210f673238eefbf1fa4d3bdfa3d9ffc25073c7195cbe2a0bccfb492

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\icudtl.dat

Filesize
10.0MB

MD5
ad2988770b8cb3281a28783ad833a201

SHA1
94b7586ee187d9b58405485f4c551b55615f11b5

SHA256
df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108

SHA512
f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\locales\en-US.pak

Filesize
83KB

MD5
bd8f7b719110342b7cefb16ddd05ec55

SHA1
82a79aeaa1dd4b1464b67053ba1766a4498c13e7

SHA256
d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de

SHA512
7cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\resources.pak

Filesize
4.8MB

MD5
d13873f6fb051266deb3599b14535806

SHA1
143782c0ce5a5773ae0aae7a22377c8a6d18a5b2

SHA256
7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506

SHA512
1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\v8_context_snapshot.bin

Filesize
167KB

MD5
2c28ffbe331f4a32c7799bcb941dcca1

SHA1
d572497341ac1e8079531616f0bef7611dd12243

SHA256
96d85880d161bd37a28ad13777337e5121189a6ac45b9232c74e052d6d1e27f2

SHA512
f18ca45dbd04499bb3ea74cb59414ae4bf497be0cedd96d9f3693591198a1afeaf48ae4e7c7a0c31e31c1a128a34c990f2837fb576e0ffb288edc860b27563ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDB51.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDC10.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\latest.x86.yml

Filesize
243B

MD5
2ae555faff123f9cf21a5ed6d3e9fc6a

SHA1
435c264a68fc678c52c2b2affda1348f764f8c5e

SHA256
aa91d174a8fc92a5ac6ba0c4d42b5c885337f52d8a4982e3c262c0db015f9711

SHA512
22e44b9008cfe84727305fa6e5a0c782c5688d342c47bef22169a6eb331b208285a318093e7d65094280613cd37da22f4bca500916b0dcfa3e20d0b65ed4ca3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\loudplay_firewall_rules.ps1

Filesize
351B

MD5
6aa91f00a13fab945c252a692647b133

SHA1
19199e35c8480b650d78e83a3004caf412743e4b

SHA256
92c5edea86640aff77fd145ad836fc0044fae718d380538dbf09b9495e74e942

SHA512
cc7fafb169c5b5e17ca5da5585aa5ba0266a0987bc2d38dda2953f083e26a40f9385e41240f671c7579a21f500a20e59e0a606b9656ba245f9e1e7a19e9c844e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
72dcc9edc1ea8fdad48287cff85a1828

SHA1
3912705983d5db05a95c0c4be68d6cc6dc18ee2e

SHA256
7ab625dd6b8e85cc28032050436969c2c5111b0e388d2148b2f1f5fee261072c

SHA512
de0655a7e0f9896a4260d99c3ff68151cf637f84297ac278434c921197f2be6bc24b32c2c5474cf06f0ac566541bf6ec17e279edd7dc11bfbe0df0fee9b61a26

Download Submit
C:\Users\Admin\AppData\Roaming\loudplay\Dictionaries\en-US-9-0.bdic

Filesize
441KB

MD5
a78ad14e77147e7de3647e61964c0335

SHA1
cecc3dd41f4cea0192b24300c71e1911bd4fce45

SHA256
0d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa

SHA512
dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101

Download Submit
C:\Users\Admin\AppData\Roaming\loudplay\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\loudplay\a9d8dc4f-9f36-4d81-bd89-7ceeb079f4b2.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\loudplay\exefile.txt

Filesize
34B

MD5
57a1759e974ed6896d33194634129a74

SHA1
3addb71b8a93c7605bc04e265dc4f1bccd83c660

SHA256
9eb61312d68d4f6882aac0c83cf06546ec31e1a219437a280c0f224026c984ff

SHA512
19fd200e4d9d7a6ef47a99b671c9fc9e0bd4b3d8dc696d5bb22d88a7fe98ffeaad925007a9ab3d5c5f5d4be1d6a5dcb4f52cc4be19cdb4509c765816b480730d

Download Submit
C:\Users\Admin\AppData\Roaming\loudplay\roistat.txt

Filesize
14B

MD5
ad1349f4cbb010aa91e6eed62058adf7

SHA1
5a5a038d2de90ad0c035ccbe803b356a63b4437f

SHA256
c7be080774685391938566a9784dda7763a4c63ff9e7a1e92cc862ae9fb9ff07

SHA512
83e4067cd8d39470ff7befa66f265de9710a7900901a91a19b382524db2fad72edb3c9e3d329f718ac28a4e355e6764d2c64a2f5ea3dc6973e7a3faab643d3bb

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Programs\loudplay\d3dcompiler_47.dll

Filesize
3.5MB

MD5
2f2e363c9a9baa0a9626db374cc4e8a4

SHA1
17f405e81e5fce4c5a02ca049f7bd48b31674c8f

SHA256
2630f4188bd2ea5451ca61d83869bf7068a4f0440401c949a9feb9fb476e15df

SHA512
e668a5d1f5e6f821ebfa0913e201f0dfd8da2f96605701f8db18d14ea4fdeac73aeb9b4fe1f22eaeffcdd1c0f73a6701763727d5b09775666f82b678404e4924

Download Submit
\Users\Admin\AppData\Local\Programs\loudplay\swiftshader\libEGL.dll

Filesize
379KB

MD5
d4cf83f1825f90d8874064f320869a9f

SHA1
af77ddbea239a75793e02faf664ab8d2f76b30e0

SHA256
381becc89734be051b4acf30b3bb29fe07895b6f148b4e9cbcdca167cdb6d071

SHA512
d90cb37b01199c800016c55e0879b8049876fafbf3148a73fd18af8a63092b1e8c6439643789e2ca5a56ca55893844b3e301ab5c35bfe5ea31bbdbda727bede9

Download Submit
\Users\Admin\AppData\Local\Programs\loudplay\swiftshader\libGLESv2.dll

Filesize
2.7MB

MD5
f82e1f3e89414d5b632c15e747f17087

SHA1
0d66035f1cb4526be2493915c55b005c20b88c8a

SHA256
7c81336f390c55a5b04841e835051ca2701bf7ab3e6316d73c968e30bfcd4be7

SHA512
d4826e2636e26bb1335406c4823a03465f2469de2951b5c5837290687f1796c6457c06036a18e1ce935b3aa80d8e909e19b3ddac60bb7e93dbd7770fe42a3cf8

Download Submit
\Users\Admin\AppData\Local\Temp\9d84c266-c862-4a4d-afa9-4ae309e5c1d1.tmp.node

Filesize
1.2MB

MD5
c71f33dabbd487ddafc767470395f346

SHA1
f9954b8c6d9ee39758316b170fcd925632fa886f

SHA256
3ee841cf169376d85484520c908b51cbd01fba2623409efb348242dfe32ded3f

SHA512
0307db845d059b5b72701c55db9b2632d9882de4749735cddd9100076b513df3fd2ec49d5ee7f5a0e3dafb39d772d6f5f05b8727df624ab514c212352031b6fb

Download Submit
\Users\Admin\AppData\Local\Temp\nso77A1.tmp\INetC.dll

Filesize
238KB

MD5
38caa11a462b16538e0a3daeb2fc0eaf

SHA1
c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

SHA256
ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

SHA512
777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

Download Submit
\Users\Admin\AppData\Local\Temp\nso77A1.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
\Users\Admin\AppData\Local\Temp\nso77A1.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nso77A1.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nso77A1.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nso77A1.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
\Users\Admin\AppData\Local\Temp\nso77A1.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nso77A1.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/2524-286-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/2996-255-0x0000000004060000-0x0000000004062000-memory.dmp

Filesize
8KB

Download