Overview (score: 8)

Target                 Platform            Score
Static                 static              3
SenPalia.exe           windows7-x64        7
SenPalia.exe           windows10-2004-x64  8
$PLUGINSDI...er.dll    windows7-x64        1
$PLUGINSDI...er.dll    windows10-2004-x64  1
$PLUGINSDI...ls.dll    windows7-x64        3
$PLUGINSDI...ls.dll    windows10-2004-x64  3
$PLUGINSDI...em.dll    windows7-x64        3
$PLUGINSDI...em.dll    windows10-2004-x64  3
$PLUGINSDI...ll.dll    windows7-x64        3
$PLUGINSDI...ll.dll    windows10-2004-x64  3
LICENSES.c...m.html    windows7-x64        1
LICENSES.c...m.html    windows10-2004-x64  1
SeanJourney.exe        windows7-x64        1
SeanJourney.exe        windows10-2004-x64  7
d3dcompiler_47.dll     windows10-2004-x64  1
ffmpeg.dll             windows7-x64        1
ffmpeg.dll             windows10-2004-x64  1
libEGL.dll             windows7-x64        1
libEGL.dll             windows10-2004-x64  1
libGLESv2.dll          windows7-x64        1
libGLESv2.dll          windows10-2004-x64  1
locales/af.ps1         windows7-x64        3
locales/af.ps1         windows10-2004-x64  3
locales/uk.ps1         windows7-x64        3
locales/uk.ps1         windows10-2004-x64  3
resources/elevate.exe  windows7-x64        1
resources/elevate.exe  windows10-2004-x64  1
vk_swiftshader.dll     windows7-x64        1
vk_swiftshader.dll     windows10-2004-x64  1
vulkan-1.dll           windows7-x64        1
vulkan-1.dll           windows10-2004-x64  1
$PLUGINSDI...ec.dll    windows7-x64        3

Analysis

max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/06/2024, 19:15
Static task: static1

Behavioral tasks

Task          Sample                        Resource
behavioral1   SenPalia.exe                  win7-20240220-en
behavioral2   SenPalia.exe                  win10v2004-20240611-en
behavioral3   $PLUGINSDIR/SpiderBanner.dll  win7-20240611-en
behavioral4   $PLUGINSDIR/SpiderBanner.dll  win10v2004-20240508-en
behavioral5   $PLUGINSDIR/StdUtils.dll      win7-20240419-en
behavioral6   $PLUGINSDIR/StdUtils.dll      win10v2004-20240611-en
behavioral7   $PLUGINSDIR/System.dll        win7-20240508-en
behavioral8   $PLUGINSDIR/System.dll        win10v2004-20240611-en
behavioral9   $PLUGINSDIR/WinShell.dll      win7-20240611-en
behavioral10  $PLUGINSDIR/WinShell.dll      win10v2004-20240508-en
behavioral11  LICENSES.chromium.html        win7-20240221-en
behavioral12  LICENSES.chromium.html        win10v2004-20240508-en
behavioral13  SeanJourney.exe               win7-20231129-en
behavioral14  SeanJourney.exe               win10v2004-20240508-en
behavioral15  d3dcompiler_47.dll            win10v2004-20240226-en
behavioral16  ffmpeg.dll                    win7-20240611-en
behavioral17  ffmpeg.dll                    win10v2004-20240611-en
behavioral18  libEGL.dll                    win7-20240508-en
behavioral19  libEGL.dll                    win10v2004-20240611-en
behavioral20  libGLESv2.dll                 win7-20240220-en
behavioral21  libGLESv2.dll                 win10v2004-20240508-en
behavioral22  locales/af.ps1                win7-20240419-en
behavioral23  locales/af.ps1                win10v2004-20240508-en
behavioral24  locales/uk.ps1                win7-20240221-en
behavioral25  locales/uk.ps1                win10v2004-20240508-en
behavioral26  resources/elevate.exe         win7-20231129-en
behavioral27  resources/elevate.exe         win10v2004-20240508-en
behavioral28  vk_swiftshader.dll            win7-20240221-en
behavioral29  vk_swiftshader.dll            win10v2004-20240226-en
behavioral30  vulkan-1.dll                  win7-20240611-en
behavioral31  vulkan-1.dll                  win10v2004-20240508-en
behavioral32  $PLUGINSDIR/nsExec.dll        win7-20240419-en
General

Target: SeanJourney.exe
Size: 154.6MB
MD5: fff219239f9cdd5fcb1910afce034e06
SHA1: ba2e3ebdcaafc08cc515420fe3126e1ebd5fd0b2
SHA256: 0509bc46aa617701913321e2388480b52c89be1f09fabc3fdf2414ed007020dd
SHA512: 8fc46738ce37b8d4b93a8f47d1515d8f8d98d4cd3872b4bfd90662b1410bc908160b307119a1daf1536c20baafd27ae273c755b48c09f5f8ac0d7032928085b8
SSDEEP: 1572864:GTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:Bv6E70+Mk
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (SeanJourney.exe)
  Note: the Win32 geo/locale APIs read this value, so a single query from a Chromium-based application is weak evidence on its own.

Loads dropped DLL (1 IoC)
  PID 2792 SeanJourney.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. The report lists no IoC under this signature; the related activity is the DPAPI decryption described under the next entry.

An obfuscated cmd.exe command-line is typically used to evade detection (2 IoCs)
  PID 3440 cmd.exe, PID 3856 cmd.exe
  Note: the two flagged command lines (see the process tree) are not string-obfuscated. Each is a plain PowerShell call to [System.Security.Cryptography.ProtectedData]::Unprotect over an inline byte array, i.e. a DPAPI decryption in the sandbox user's context; the signature appears to have matched on the long numeric argument. Both arrays begin with the standard DPAPI blob header (version 1, provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb, then master key GUID d2b5d27b-d9c6-4f1e-8f2c-8e8b7d41a415), and the second carries the UTF-16LE description "Edge" (bytes 69,0,100,0,103,0,101,0), consistent with a browser-protected secret.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  Note: all three IoCs are attributed to taskmgr.exe (PID 1984), the Task Manager instance running in the sandbox, not to the sample.

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskmgr.exe)
  Note: again attributed to taskmgr.exe. The sample's own processor queries are the "wmic cpu get name" and "wmic cpu get ProcessorId" commands in the process tree.

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  PID 752 tasklist.exe, PID 4444 tasklist.exe

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (taskmgr.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2476 powershell.exe (2 entries), PID 5004 powershell.exe (2), PID 4528 powershell.exe (2), PID 4996 SeanJourney.exe (2), PID 1984 taskmgr.exe (remaining 56)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1984 taskmgr.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  SeDebugPrivilege: 752 tasklist.exe, 2476 powershell.exe, 4444 tasklist.exe, 5004 powershell.exe, 4528 powershell.exe
  SeShutdownPrivilege, SeCreatePagefilePrivilege: 2792 SeanJourney.exe
  1768 WMIC.exe, two identical rounds of: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (unnamed LUIDs)
  3340 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege (list cut off by the 64-IoC display cap)
  Note: wmic.exe enables every privilege its token holds at startup regardless of the query, so the WMIC.exe entries are expected noise; tasklist.exe enables SeDebugPrivilege so that it can enumerate every process.

Suspicious use of FindShellTrayWindow (64 IoCs)
  PID 1984 taskmgr.exe (all 64 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
  PID 1984 taskmgr.exe (all 64 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  Writer PID (image) -> target PID [task], number of entries:
  2792 (SeanJourney.exe) -> 4520 [79], 2
  2792 (SeanJourney.exe) -> 3264 [80], 2
  4520 (cmd.exe) -> 2476 [83], 2
  3264 (cmd.exe) -> 752 [84], 2
  2792 (SeanJourney.exe) -> 1820 [86], 2
  2792 (SeanJourney.exe) -> 3440 [88], 2
  1820 (cmd.exe) -> 4444 [90], 2
  3440 (cmd.exe) -> 5004 [91], 2
  2792 (SeanJourney.exe) -> 3856 [92], 2
  3856 (cmd.exe) -> 4528 [94], 2
  2792 (SeanJourney.exe) -> 3276 [95], 31
  2792 (SeanJourney.exe) -> 2052 [96], 2
  2792 (SeanJourney.exe) -> 4996 [97], 2
  2052 (cmd.exe) -> 1768 [99], 2
  2792 (SeanJourney.exe) -> 2676 [100], 2
  2676 (cmd.exe) -> 3340 [102], 2
  2792 (SeanJourney.exe) -> 2164 [103], 2
  2164 (cmd.exe) -> 2156 [105], 1 (list cut off by the 64-IoC display cap)
  Note: every target is a child the writer had just created, which is consistent with CreateProcess writing process parameters into the new child rather than with injection into a foreign process. The 31 writes into 3276 target the sample's own --type=gpu-process child.
Processes

C:\Users\Admin\AppData\Local\Temp\SeanJourney.exe  (PID 2792)
  "C:\Users\Admin\AppData\Local\Temp\SeanJourney.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (PID 4520)
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2476)
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 3264)
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\tasklist.exe  (PID 752)
      tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 1820)
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\tasklist.exe  (PID 4444)
      tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 3440)
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')"
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 5004)
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 3856)
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')"
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4528)
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\SeanJourney.exe  (PID 3276)
    "C:\Users\Admin\AppData\Local\Temp\SeanJourney.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\SeanJourney" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1904 --field-trial-handle=1912,i,15684311335457139217,2743527206767282275,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

  C:\Windows\system32\cmd.exe  (PID 2052)
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 1768)
      wmic cpu get name
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\SeanJourney.exe  (PID 4996)
    "C:\Users\Admin\AppData\Local\Temp\SeanJourney.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\SeanJourney" --mojo-platform-channel-handle=2092 --field-trial-handle=1912,i,15684311335457139217,2743527206767282275,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\cmd.exe  (PID 2676)
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get ProcessorId"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 3340)
      wmic cpu get ProcessorId
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 2164)
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get Product"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 2156)
      wmic baseboard get Product

  C:\Windows\system32\cmd.exe  (PID 4364)
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get SerialNumber"

    C:\Windows\System32\Wbem\WMIC.exe  (PID 4500)
      wmic baseboard get SerialNumber

  C:\Windows\system32\cmd.exe  (PID 1412)
    C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"

    C:\Windows\System32\Wbem\WMIC.exe  (PID 4548)
      wmic OS get caption

  C:\Windows\system32\cmd.exe  (PID 3696)
    C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get TotalPhysicalMemory"

    C:\Windows\System32\Wbem\WMIC.exe  (PID 208)
      wmic computersystem get TotalPhysicalMemory

  C:\Windows\system32\cmd.exe  (PID 1516)
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_videocontroller get caption,PNPDeviceID"

    C:\Windows\System32\Wbem\WMIC.exe  (PID 2324)
      wmic path win32_videocontroller get caption,PNPDeviceID

  C:\Windows\system32\cmd.exe  (PID 3416)
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get SerialNumber"

    C:\Windows\System32\Wbem\WMIC.exe  (PID 3268)
      wmic diskdrive get SerialNumber

  C:\Windows\system32\cmd.exe  (PID 1556)
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

    C:\Windows\System32\Wbem\WMIC.exe  (PID 2888)
      wmic path win32_computersystemproduct get uuid

  C:\Users\Admin\AppData\Local\Temp\SeanJourney.exe  (PID 3308)
    "C:\Users\Admin\AppData\Local\Temp\SeanJourney.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\SeanJourney" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2512 --field-trial-handle=1912,i,15684311335457139217,2743527206767282275,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\taskmgr.exe  (PID 1984)
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe  (PID 3688)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\svchost.exe  (PID 2544)
  C:\Windows\system32\svchost.exe -k SDRSVC
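Every reconnaissance command in the tree above is spawned the same way: SeanJourney.exe -> cmd.exe /d /s /c "<command>" -> wmic.exe, tasklist.exe or powershell.exe. That wrapper is what Node's child_process.exec produces on Windows, which fits the rest of the bundle (LICENSES.chromium.html, ffmpeg.dll, libEGL.dll and --type=gpu-process children with a user-data-dir under AppData\Roaming are the usual Electron layout). The Python below is an added detection example, not part of the report or of the sample: it replays constructed process-creation events built from the tree's images, PIDs and command lines (timestamps and the benign explorer.exe chain are invented, and the DPAPI byte arrays are truncated), attributes each child through the cmd.exe wrapper to the real originator, and alerts when one originator accumulates five or more distinct fingerprinting categories inside a 60-second window. The category names, the HWID class list and both thresholds are the example's own choices.

```python
"""Flag the host-fingerprinting burst seen in the process tree: one parent
chaining cmd.exe -> wmic/tasklist/powershell to collect hardware identifiers,
the backup product key and DPAPI-protected secrets within a short window."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: float      # seconds since analysis start (constructed for this example)
    pid: int
    ppid: int
    image: str
    cmdline: str


ROOT = r"C:\Users\Admin\AppData\Local\Temp\SeanJourney.exe"
CMD = r"C:\Windows\system32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\WMIC.exe"
TASKLIST = r"C:\Windows\system32\tasklist.exe"


def cmd_pair(ts, cmd_pid, ppid, child_pid, child_image, inner):
    """The cmd.exe /d /s /c "<inner>" wrapper plus the child it launches: the
    shape Node's child_process.exec produces on Windows, used for every recon
    command in the report."""
    return [ProcEvent(ts, cmd_pid, ppid, CMD, f'{CMD} /d /s /c "{inner}"'),
            ProcEvent(ts + 0.2, child_pid, cmd_pid, child_image, inner)]


# Constructed event log. Images, PIDs and command lines come from the report's
# process tree; timestamps and the explorer.exe chain are invented, and the
# DPAPI byte arrays are cut short (the full blobs are in the tree).
EVENTS = [ProcEvent(0.0, 2792, 0, ROOT, f'"{ROOT}"')]
EVENTS += cmd_pair(1.0, 4520, 2792, 2476, PS, r"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault")
EVENTS += cmd_pair(1.5, 3264, 2792, 752, TASKLIST, "tasklist")
EVENTS += cmd_pair(3.0, 1820, 2792, 4444, TASKLIST, "tasklist")
EVENTS += cmd_pair(4.0, 3440, 2792, 5004, PS, "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223), $null, 'CurrentUser')")
EVENTS += cmd_pair(5.0, 3856, 2792, 4528, PS, "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223), $null, 'CurrentUser')")
EVENTS += cmd_pair(6.0, 2052, 2792, 1768, WMIC, "wmic cpu get name")
EVENTS += cmd_pair(6.5, 2676, 2792, 3340, WMIC, "wmic cpu get ProcessorId")
EVENTS += cmd_pair(7.0, 2164, 2792, 2156, WMIC, "wmic baseboard get Product")
EVENTS += cmd_pair(7.5, 4364, 2792, 4500, WMIC, "wmic baseboard get SerialNumber")
EVENTS += cmd_pair(8.0, 1412, 2792, 4548, WMIC, "wmic OS get caption")
EVENTS += cmd_pair(8.5, 3696, 2792, 208, WMIC, "wmic computersystem get TotalPhysicalMemory")
EVENTS += cmd_pair(9.0, 1516, 2792, 2324, WMIC, "wmic path win32_videocontroller get caption,PNPDeviceID")
EVENTS += cmd_pair(9.5, 3416, 2792, 3268, WMIC, "wmic diskdrive get SerialNumber")
EVENTS += cmd_pair(10.0, 1556, 2792, 2888, WMIC, "wmic path win32_computersystemproduct get uuid")
# Benign single query from an interactive shell (constructed): must not alert.
EVENTS += [ProcEvent(30.0, 5000, 0, r"C:\Windows\explorer.exe", "explorer.exe")]
EVENTS += cmd_pair(31.0, 5001, 5000, 5002, WMIC, "wmic OS get caption")

WMIC_QUERY = re.compile(r"wmic\s+(?:path\s+)?(\w+)\s+get\s+([\w,]+)")
# WMI classes whose values are stable hardware/OS identifiers (HWID material).
HWID_CLASSES = {"cpu", "baseboard", "os", "computersystem", "diskdrive",
                "win32_videocontroller", "win32_computersystemproduct"}


def classify(cmdline):
    """Map a command line to a recon category, or None if it is not one."""
    low = cmdline.lower()
    m = WMIC_QUERY.search(low)
    if m and m.group(1) in HWID_CLASSES:
        return f"wmic:{m.group(1)}.{m.group(2)}"
    if re.search(r"\btasklist\b", low):
        return "tasklist"
    if "backupproductkeydefault" in low:
        return "product_key"        # Windows product key kept in the registry
    if "protecteddata]::unprotect" in low:
        return "dpapi_unprotect"    # decrypting user-scope DPAPI secrets
    return None


def detect(events, window=60.0, threshold=5):
    """Alert once per originating process that accumulates >= threshold distinct
    recon categories within `window` seconds. cmd.exe wrappers are skipped when
    attributing, so wmic -> cmd -> SeanJourney.exe counts against SeanJourney."""
    by_pid = {e.pid: e for e in events}

    def origin(ev):
        p = by_pid.get(ev.ppid)
        while p is not None and p.image.lower().endswith("cmd.exe"):
            p = by_pid.get(p.ppid)
        return p.pid if p is not None else ev.ppid

    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        cat = classify(ev.cmdline)
        if cat is not None:
            hits[origin(ev)].append((ev.ts, cat))

    alerts = []
    for pid, seq in hits.items():
        for i, (start, _) in enumerate(seq):
            in_window = [(t, c) for t, c in seq[i:] if t - start <= window]
            cats = {c for _, c in in_window}
            if len(cats) >= threshold:
                alerts.append({"pid": pid,
                               "image": by_pid[pid].image if pid in by_pid else "unknown",
                               "categories": sorted(cats),
                               "first_ts": start, "last_ts": in_window[-1][0]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[ALERT] PID {a['pid']} ({a['image']}) ran {len(a['categories'])} recon "
              f"categories in {a['last_ts'] - a['first_ts']:.1f}s: {a['categories']}")
```

Attributing through the wrapper matters: a rule keyed on the immediate parent would see fifteen unrelated cmd.exe processes each running one query and never fire, while the originator view shows one process collecting CPU, board, disk, video and machine identifiers together with the product key and two DPAPI decryptions in about ten seconds. The single wmic query from explorer.exe scores one category and stays silent.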
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

- Filesize: 64B
  MD5: d8b9a260789a22d72263ef3bb119108c
  SHA1: 376a9bd48726f422679f2cd65003442c0b6f6dd5
  SHA256: d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
  SHA512: 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

- Filesize: 1KB
  MD5: 8e26941f21dac5843c6d170e536afccb
  SHA1: 26b9ebd7bf3ed13bc51874ba06151850a0dac7db
  SHA256: 316f6ce22306f3018f9f57435ea75092633097182646f7e4ca23e2e2aa1393c0
  SHA512: 9148227032d98d49baf0d81a7435ba3adc653d7790245140acc50c38de00839d26a661b92f6754b15bab54fe81fbcf9003692fd7bef09027f11ef703a5879e62

- Filesize: 477B
  MD5: 64995a6c323f8d5e2f412b4fafc6a189
  SHA1: 9c70063d77552ab6c4fead9b3547dbd7931d1d86
  SHA256: fc727f89e4e7f7b6031c3b7810f283e8c5aad78de720792dc58fefb6af3f5778
  SHA512: 99ad5a1e6a46f0da3b6e63ab40e51b9fe4d518ea901f1651ef20b063ac0c65bc29493754197877d94293ff4b099a0c6a17d9acab75f96c3947234d7afe172ddd

- Filesize: 14B
  MD5: b4b41665eb819824e886204a28cc610b
  SHA1: e778edb6f635f665c0b512748b8fec6a2a23a88b
  SHA256: 635f814c1f34ee53ee62b67f989fec91eb0e08f63769ab4bd22cf4206a2cfff6
  SHA512: 37648652b1df14aa427382a4dac70d58a107d3dd77bd1977afc3acce8c56b7b6531b67d33f4b61b9fb8fbb9230ab0dfd461db07c1cc11a2923604e910a743d67

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 1.4MB
  MD5: 56192831a7f808874207ba593f464415
  SHA1: e0c18c72a62692d856da1f8988b0bc9c8088d2aa
  SHA256: 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
  SHA512: c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33