Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
717s -
max time network
715s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
04/07/2024, 11:25
General
-
Target
GTA 6 Builder-Install.exe
-
Size
13.2MB
-
MD5
76c24a289ef8e97b890585d7727ac384
-
SHA1
4f5e5bbd4d24f3d475bd77b30c9f6f62d96f3d64
-
SHA256
ecf92b4d201eb858e63d6dd03937de3255ac7bc6f57264753f53306a3a9d7aa2
-
SHA512
0d54872ea7cc28f3de62a40eb50b06ace92a4e77144608f2d9e51d4ca60fec5d485bd6bceba8d1f4acea8b20670233a412df4cf5bf29eac17dc723b23ee1128d
-
SSDEEP
196608:FexmCr8ywE5Ec0BY36vhmYzr9bD3xRlLlPIIHtOC21rGY+GVz3mAp:UPr8ycYqv9bDflLlggOd+M1p
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 38 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 38 IoCs
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 37 IoCs
-
Runs ping.exe 1 TTPs 19 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\GTA 6 Builder-Install.exe"C:\Users\Admin\AppData\Local\Temp\GTA 6 Builder-Install.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FuUFRpewDb.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lbSQETZDjd.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ege7x4f51h.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WJ1wtP2ROC.bat"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CRpzSJfEpm.bat"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\htx2mBafAs.bat"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gzlPEas6c9.bat"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KWBHRiM3K6.bat"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mpHYiEZ4vY.bat"19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ege7x4f51h.bat"21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat"23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OEffu0Lctr.bat"25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k1znnYI5tX.bat"27⤵
-
C:\Windows\system32\chcp.comchcp 6500128⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cHG0lItX2O.bat"29⤵
-
C:\Windows\system32\chcp.comchcp 6500130⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:230⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j7nAGxaWLn.bat"31⤵
-
C:\Windows\system32\chcp.comchcp 6500132⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:232⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GogtzRNUlL.bat"33⤵
-
C:\Windows\system32\chcp.comchcp 6500134⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost34⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nUe3m5ImHN.bat"35⤵
-
C:\Windows\system32\chcp.comchcp 6500136⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost36⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6UZvaQo7Ba.bat"37⤵
-
C:\Windows\system32\chcp.comchcp 6500138⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost38⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GogtzRNUlL.bat"39⤵
-
C:\Windows\system32\chcp.comchcp 6500140⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost40⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ege7x4f51h.bat"41⤵
-
C:\Windows\system32\chcp.comchcp 6500142⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:242⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sRyZj7GC23.bat"43⤵
-
C:\Windows\system32\chcp.comchcp 6500144⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:244⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"44⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAOW7F8RUK.bat"45⤵
-
C:\Windows\system32\chcp.comchcp 6500146⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost46⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"46⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6UZvaQo7Ba.bat"47⤵
-
C:\Windows\system32\chcp.comchcp 6500148⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost48⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"48⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tgniDsG2Ey.bat"49⤵
-
C:\Windows\system32\chcp.comchcp 6500150⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost50⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"50⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\htx2mBafAs.bat"51⤵
-
C:\Windows\system32\chcp.comchcp 6500152⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost52⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\26i24I6rG0.bat"53⤵
-
C:\Windows\system32\chcp.comchcp 6500154⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:254⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"54⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ge8uHQboyx.bat"55⤵
-
C:\Windows\system32\chcp.comchcp 6500156⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost56⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"56⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6UZvaQo7Ba.bat"57⤵
-
C:\Windows\system32\chcp.comchcp 6500158⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost58⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"58⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KrnlOsdLyH.bat"59⤵
-
C:\Windows\system32\chcp.comchcp 6500160⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:260⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"60⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ojUBGqHdSI.bat"61⤵
-
C:\Windows\system32\chcp.comchcp 6500162⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost62⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"62⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xEBZwnpYP.bat"63⤵
-
C:\Windows\system32\chcp.comchcp 6500164⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:264⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\40vfctpQnk.bat"65⤵
-
C:\Windows\system32\chcp.comchcp 6500166⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:266⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"66⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lbSQETZDjd.bat"67⤵
-
C:\Windows\system32\chcp.comchcp 6500168⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:268⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"68⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nUe3m5ImHN.bat"69⤵
-
C:\Windows\system32\chcp.comchcp 6500170⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost70⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"70⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OEffu0Lctr.bat"71⤵
-
C:\Windows\system32\chcp.comchcp 6500172⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost72⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"72⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XKxUoGu8Hi.bat"73⤵
-
C:\Windows\system32\chcp.comchcp 6500174⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:274⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"74⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j7nAGxaWLn.bat"75⤵
-
C:\Windows\system32\chcp.comchcp 6500176⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:276⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Runtime64.exe"C:\Users\Admin\AppData\Local\Temp\Runtime64.exe"2⤵
- Drops startup file
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59b88ec4146b97a654b26aa3134d72f7b
SHA10310fd2b3d9c4a2430884cb3b934944c1795c4f7
SHA256da8f8d6a1502af37be9b19b9d83bafe15200d9dd2a6ed80513ac9e492b2bcb9d
SHA512bdc298b59f5635f5f0d418ba0e278e64a6adc1632787cd18120d3038d70e2e39305f25a7aeb1c7c73711eb23a3aa4236430cc8ec379791cb4e265ea273c32e98
-
Filesize
224B
MD570b173b41effcebed7aae1dd8fca421e
SHA110339aeca89270087370f26a33ebe2a38898c7af
SHA256cd4cea46ad9f1768665662fbe72865c297da196867a5b640d37cdf43989567b7
SHA512f5c23d54bbbcb4e7016199117a27eb8bfcb82b418a6a968d839355724265ae7ed90afd27d9113516ec59109c659e22befd89372c37dc20ed2871b74f75f9901b
-
Filesize
176B
MD5322c57863d8ce49a3d202a77e9060e62
SHA1a25ad6d9f073bcf8406fedcb456d26374c3cb959
SHA2560b41dc6a8d216bc30b88438a5cac2d25fc909bd9f1563491b4374d41cda00fef
SHA51234f6c1afcbe216d291caaec8b0bb98dc157b41d5956971d450cc10e1244a95079346beadc40c1b688bf9013629d13d21b1ca2d89751e5448d503a137b709cc7b
-
Filesize
224B
MD5246ce5108e3bb3941e95492e6fbc477e
SHA1768aebc567c3f9d1009986196f462253090e3d06
SHA2568f77fd74b2f62d2b6f513da348d84c3ecae73593261ad5f1942860eb3e50f23d
SHA51296a64b30a2557b2f5677354042aad43995a8dc5f44069f30c6200e40fcf44e9342519ac3c779483852c8b45b356165a8894168c1c7d006eae97669c9902c4936
-
Filesize
2.0MB
MD531e5e3ac5a03d60d67188b6b0c3d152b
SHA141e831bc8b0c314a46d17492ded7b6b587d66db2
SHA256dc73ce51066fdcd5f0c7c88fd6fdfb9a4a3722ebe3d2def1dc593fbc1af9e467
SHA51264837c66af3f63c214ff8f466266f3dea1cf135d54ccaaf5c06fa13763045d79220f88d09ca49a36668d7e1f506bc74c9a2b8de0ec77aac272b0e1466aa168c2
-
Filesize
224B
MD5ea05abadab75feef9604be0872bc1839
SHA19529b42a8f947c8292b1c8af548a7556b66288fe
SHA2561a0a541f935288a0555bc2bf2744cf5f108bf36c6651f701a0decf87dfeb729f
SHA5121d0ccd7ace7fb50ae0e946253138a7bd274fc18b14984d9452406c9b9feb5dd0c9e25c8b655fbadd044ef3731ea82079a70ef4fdbf1c12676481a6f190c2a8a2
-
Filesize
176B
MD526be6f164d53eaf0287e7bfc55f09818
SHA1eea36e322c3bffd401c1c1eee675bbafd37f71ea
SHA25694987fe891f0bc1e4f9bcd46ba5e4de52d9318c2f850e020a8ae001536ed831a
SHA5121dfb6fb3113085c0b796cc18b03e143552d470f8ae9057caebf70dc085945e3e6c47b9465c22efd0b925f7f6828ee69e6cbc3d95b95448eb5d843c9962b613a7
-
Filesize
176B
MD57bc2e1b013cf4453d6e6ee709c874922
SHA16947efd91ea7afdaf65cb4f83c080641ccf7bf35
SHA25684dc3e7e144b1184a2171176a89777a821a1a8e0f6de9d41a6c2637079955496
SHA5126a5f4e285c35e34e36dea0001666c0508e1f4f8dc58f5387e45389a0d20430c5eab50af88c1a0df03c016e3cb65254543b95ede44773c485ef4e86d874819566
-
Filesize
224B
MD57efe39d3b61705606f404942f525c606
SHA17dd330330b1b65425ec3a472ad631b11f8592685
SHA256522cb84a0b86c03fa9cf57c55dfbc98a16a5d4d4761d5767f30a5994718086e2
SHA512a8c8363055040fdefc1ba35ce39a93c8ff6b0c35e88f837b0d1cb7d377e524dcd216b94f54e4189b601a1324c7e62f7788441050bdd3f30bab4b52d07d5e6101
-
Filesize
224B
MD5f3cf68b58841e3a4fc5fda6865ac8d61
SHA19932da3284614595fa4bda64c08284a9b8023dc9
SHA25685a11dbadba918d1f81a78aadca19e401e37c5c0779cd49210178bae48b672f3
SHA512d39b38d4a9dde168f8ccb3d6049e66d2681f8b1b97f6ebb8e40c6b177f30effa7451b158d42a831cd5910b10fbad5104cd3b3dcdce789f5694c868dd919d5146
-
Filesize
176B
MD5e0df16c9751ef4387248d2a6ed6db577
SHA15ec6d8da214730a3ff70b2c834ed4feea44a77ee
SHA2560891632876f615024a5fff1ec56e4b97a03e087a885ed571f019e86cdeba7a3d
SHA512b3f63d2dc35eefb2ac634cfd6943422b9c774baa200c093b3577aa933d5bf2d0d615daa4deef26fc6f1c07bd5abbf9c34ca32d89c167597089a027716c4b866f
-
Filesize
224B
MD52d762b0dbc13df8cdcd53511380692c3
SHA14f42b7b332103b033ba85c19c99a30ea3d0becd5
SHA256f8121fe4ac5cb7e9a74c72f92d3284f4f7e1f9c166a13f03fcbafc1433a92694
SHA512b4ef60b8a2683b7163ffdb4b14fa86d5d99061c46d61080efdbf31e992a5a90ad202b67ca2a092885b342d538aeeb62b20ca2f9bdac889e6d55320ba304f03f9
-
Filesize
11KB
MD5da23f44a96e6aa3a8b80f1cc40169dae
SHA19c5ff4215e46407da34524ce4f26841aa2c842c6
SHA2562d86ab0d97a265aa7b465439ac97c0c6b428a3bdc18000625f3fd66c07ff6f70
SHA512ccf6056c176a98e2f235f22667ea1497191a3cb373fc63632467de6255493c98fcb315d55a634cd0bb10e6087d832f46d0712fb3661dd3786bd9fe360981a035
-
Filesize
176B
MD5be6a0172806f939f6d65c1a34ac07d5d
SHA171e01b9ba00af731e36b7735ee1bf6acb4a38552
SHA256633071b3af8e4c99022fe1dcb8fdcae6a8e64faefa3c4a00645c6d3b7954c2fc
SHA512f747cdab56785c58f4fa9bb2593a3281bd0b3f4607b744a6bc9206b9c773397e6477ebf5a839a48cce3cafc8ec4a2a5fac1b0db284b729b7eba871ed003494aa
-
Filesize
224B
MD5d93e70ebecb1a4eff94f3f2e7c7b1448
SHA1c85746b4b5783ef5d75b044061ba39d97da0b47a
SHA256eedf311fd9a72ab67ccb5680ca1e3c385ddd34bf8331b25ae2ba0962fcd2d096
SHA5123d392862ec5d82c283d36d54c6b794ce6056ce41c0b76aea94fd612e93aa7707ca6431db42b63509a2152a15d6322dd828731e510e6120ab36e76bdbccad2575
-
Filesize
176B
MD517aea2b28157abf6b8fa7278b32764e1
SHA139f33bdc96e144d5acad16bb1abb8a1e282568e6
SHA256f4823b511bb600cd09ff9a3ff1ae1c1fbd0bf58907738d0dc7875e7b8bf988b9
SHA51264876eda0ce54832335ac631923be94d0c98a426a4fa5a7c729cefd60564aa653369ff5bfeaa8f1f5978c8a41e8e259b92da790f74acf8b15280083c83fe25ff
-
Filesize
176B
MD5eeb78a83bfd75ff0e222bd8bb3abe55b
SHA194f103d6757106b53a12a696feca616c2afb7114
SHA256ecb191bb492ef29a4ae05aea654fe847289b680282706d293e303dec6de60f09
SHA512c5c1a6b29ec686a0b0db31a40134246bccaa79524ac25af957b1549b5973f114dcf964d513e7e3f2ee9c601234918eca308069120831b3f4c334387218e1d17c
-
Filesize
176B
MD58208c50fd5631d00ac079ef07de774af
SHA19aeb590bd69972147701ddcd6e081fa9e996ff96
SHA256c4f5a944e564794b8e1aeb776870503fa83733cee24b103511df6601ed9b5cfd
SHA512f699755af2ae4964b64996a006f24fefd88a1b9fc3594e4c83e8bd1c147fb08ff9b9c3dab76d27b74e2fd16883401b6555dea3a02a00f3c49648db2eed523489
-
Filesize
224B
MD54f347f8c40ce0b8695630df95cf131cf
SHA1dcbfb6f0f1563a35c9083cfa8e2f664475b17133
SHA256c440e0b142a4ff6f3296c0c0a4f33de6a1d599b87f844b442102f7f15387f4c0
SHA5129a07dca6afe79e118a97367e9afa02ed3f18d9b863af77dd70f5bde7c3726f7c32c8be990129e28a3d3fda0552de60c78e59efa49240ab495c8abae03d63c4d1
-
Filesize
224B
MD5528192bd213ed2bd6e1fd75b0c2e7313
SHA1d4ee3279215477bd6c84b65f3ccfa97c9f4d78fc
SHA25671f462dd6f8b27e0045c9bf073c5e1c7e380cdc4aad762fa63b7762b38583aa3
SHA5128da2e7f9ed13788fa66ff83671b3ca4a074824e4692b77d03330426f44bd509fc7e275e0740183fbaddcfe4119d4e5087e1e5b4a43d561c16ccfbd83fde9a8f4
-
Filesize
224B
MD5390d8a017e4f0961b5c38d225fd606ab
SHA19ef551d48ddaa73bcab665488e2b1f4402fba142
SHA256a70c55349ab82b07f350ec235357f3f47460d3edf234ae05f46dfcad8faf2f4e
SHA512aaedc5b7563a6fc55ef613d5c96220b38fc4583e51758f90c5e26f0f76dad35526cfeb5facd0802f2e9d89cb5a664feb915e6f1cbe2ae4df4d4df418ba26797f
-
Filesize
176B
MD5eee7b1ee1e4effcd216f9da7e7b6e692
SHA15242913ef50dc7eecbdc749ef736c1113280f81d
SHA256fdf7bf49becb3298f7dc547c7a020afd932b229b5097c6ec246e71bb2092c58a
SHA5120a32e312c26f5d97bfe9b3c9c7b8731f7af83e46161e6a36283d7fc390bf17d28b44c1985c28e963f0157b5b3744342f2e7865bab21ce4a3213c5f481adaecf8
-
Filesize
176B
MD5c01c1eae26486cecd61c410d7322bf6c
SHA130e50a69cfd4603cbce764e7aea0760befe38edd
SHA2565bdadd54c4aeb16247ff05d421ac461f60ac130ef1eab7e0d108a0ef7b963c84
SHA512557b4c4544f90971ca2b1387dd527d16609ceff483c957b942cc8e111ddc2ec7a7a9f9cf6fc6ab4f294d8fed79d99c2cae42bd45fd164cc21e1f51f181bbc932
-
Filesize
176B
MD5dd187b750bbfa67f2f6f8fb000dcce21
SHA13d3c5a0a36e157ff523ee546b749caf53d066c4c
SHA2565fe2dcdb92e00090116955d88a2ef2c95194a8ae1874f1f809f16bd86e9bfd03
SHA512aafaaf955003b512ea8f7a1440e8e12d14c4b1323b88dae8169257fe0f2f29a8f105ca34ee1a9fb41f468b512c1f2c2859d04285c51685de8c6e5b43058230f3
-
Filesize
224B
MD5ac0f3b77be7e2e3e1ff3b5325a8c91fa
SHA15c277eb6ee3c8040a3a02c46c8d9b8f556ddcfa0
SHA2560ede29e8e2ae4f8b3259a0df6796d3706374892501030930124eb22ac3181b65
SHA5121dda4f3fd1110c224e772e7dec7d40d858923698f8a750da4a6fa7e6d4957ce412e27af6b90afcc7f535a44e88af375c79689c1a71702b97f282bfa2d6fde1ce
-
Filesize
176B
MD57ab7c2c0a22a215e494267885a61d054
SHA1538aba3f8bea7805d43280b7411360001daff33c
SHA256ae8cbdef908ef2336edcc6c51af6a414f44f0a0d6bd1326a1b17efc1fcee183a
SHA512fe3c1ed1297de64b3f66bff7abf28cd2d1ff1e5bdee0eb7a7f201794bb3d0448d8877fcaacae30f0d622664121e2eb7c8807f16437b6aaf4ce54657f34dadd81
-
Filesize
176B
MD52ddebcab0a862446ddd8e0d1c40f0596
SHA1ddcc0ba8f4ca5994ddb07c84ea4946cd949a317a
SHA256d2e69a9520505577abaf9b72b18cd0553f2692496ea9fa3f67622fa89a03a1ef
SHA512c85586ba0dcd5e8faeac979f60cd8ede4af8bebbbd31457d7a14001f035dad7231b6228e67177e3d450b4a8aa2e45bae8b5c760532bfe196ca14dec55386894d
-
Filesize
312KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
8KB
-
Filesize
29.9MB
-
Filesize
29.9MB
-
Filesize
312KB
-
Filesize
1.4MB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
1.4MB
-
Filesize
312KB
-
Filesize
1.4MB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
1.0MB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
312KB
-
Filesize
112KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
56KB
-
Filesize
2.0MB
-
Filesize
56KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
1.0MB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB