Overview

Score | Task | Platform
8 | Static | -
3 | loudplayla...11.exe | windows7-x64
8 | loudplayla...11.exe | windows10-2004-x64
8 | $PLUGINSDIR/INetC.dll | windows7-x64
3 | $PLUGINSDIR/INetC.dll | windows10-2004-x64
3 | $PLUGINSDI...er.dll | windows7-x64
3 | $PLUGINSDI...er.dll | windows10-2004-x64
3 | $PLUGINSDI...ls.dll | windows7-x64
3 | $PLUGINSDI...ls.dll | windows10-2004-x64
3 | $PLUGINSDI...em.dll | windows7-x64
3 | $PLUGINSDI...em.dll | windows10-2004-x64
3 | $PLUGINSDI...ll.dll | windows7-x64
3 | $PLUGINSDI...ll.dll | windows10-2004-x64
3 | LICENSES.c...m.html | windows7-x64
3 | LICENSES.c...m.html | windows10-2004-x64
3 | Loudplay.exe | windows7-x64
7 | Loudplay.exe | windows10-2004-x64
7 | d3dcompiler_47.dll | windows10-2004-x64
3 | ffmpeg.dll | windows7-x64
3 | ffmpeg.dll | windows10-2004-x64
3 | libEGL.dll | windows7-x64
3 | libEGL.dll | windows10-2004-x64
3 | libGLESv2.dll | windows7-x64
3 | libGLESv2.dll | windows10-2004-x64
3 | resources/elevate.exe | windows7-x64
3 | resources/elevate.exe | windows10-2004-x64
3 | swiftshade...GL.dll | windows7-x64
3 | swiftshade...GL.dll | windows10-2004-x64
3 | swiftshade...v2.dll | windows7-x64
3 | swiftshade...v2.dll | windows10-2004-x64
3 | vk_swiftshader.dll | windows7-x64
3 | vk_swiftshader.dll | windows10-2004-x64
3 | vulkan-1.dll | windows7-x64
Analysis (this page: the Loudplay.exe run on win7-20240729-en, task behavioral15)

max time kernel: 121s
max time network: 159s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 20-08-2024 12:16
Tasks

Task | Sample | Resource
static1 | (static analysis of the submission) | -
behavioral1 | loudplaylatestnull318041611.exe | win7-20240708-en
behavioral2 | loudplaylatestnull318041611.exe | win10v2004-20240802-en
behavioral3 | $PLUGINSDIR/INetC.dll | win7-20240704-en
behavioral4 | $PLUGINSDIR/INetC.dll | win10v2004-20240802-en
behavioral5 | $PLUGINSDIR/SpiderBanner.dll | win7-20240704-en
behavioral6 | $PLUGINSDIR/SpiderBanner.dll | win10v2004-20240802-en
behavioral7 | $PLUGINSDIR/StdUtils.dll | win7-20240708-en
behavioral8 | $PLUGINSDIR/StdUtils.dll | win10v2004-20240802-en
behavioral9 | $PLUGINSDIR/System.dll | win7-20240704-en
behavioral10 | $PLUGINSDIR/System.dll | win10v2004-20240802-en
behavioral11 | $PLUGINSDIR/WinShell.dll | win7-20240704-en
behavioral12 | $PLUGINSDIR/WinShell.dll | win10v2004-20240802-en
behavioral13 | LICENSES.chromium.html | win7-20240705-en
behavioral14 | LICENSES.chromium.html | win10v2004-20240802-en
behavioral15 | Loudplay.exe | win7-20240729-en
behavioral16 | Loudplay.exe | win10v2004-20240802-en
behavioral17 | d3dcompiler_47.dll | win10v2004-20240802-en
behavioral18 | ffmpeg.dll | win7-20240704-en
behavioral19 | ffmpeg.dll | win10v2004-20240802-en
behavioral20 | libEGL.dll | win7-20240708-en
behavioral21 | libEGL.dll | win10v2004-20240802-en
behavioral22 | libGLESv2.dll | win7-20240704-en
behavioral23 | libGLESv2.dll | win10v2004-20240802-en
behavioral24 | resources/elevate.exe | win7-20240705-en
behavioral25 | resources/elevate.exe | win10v2004-20240802-en
behavioral26 | swiftshader/libEGL.dll | win7-20240729-en
behavioral27 | swiftshader/libEGL.dll | win10v2004-20240802-en
behavioral28 | swiftshader/libGLESv2.dll | win7-20240708-en
behavioral29 | swiftshader/libGLESv2.dll | win10v2004-20240802-en
behavioral30 | vk_swiftshader.dll | win7-20240705-en
behavioral31 | vk_swiftshader.dll | win10v2004-20240802-en
behavioral32 | vulkan-1.dll | win7-20240704-en
General

Target: Loudplay.exe
Size: 104.6MB
MD5: 9c1e70bc445f17228e5024e7a7bf2d51
SHA1: 411b26453f7a10835bbc36bc3e4d3361b1358663
SHA256: a867e4aef02fb3f758b8fba1b936aa049231190e2a91555064dfb12a303a8f1f
SHA512: ca10e65ebaefd7c606771f36255abc832802058525f7bd10528e813b0376b26f47f6223be42b90d8fa394282e34582055c5260e35903c27d779f5a45be82053c
SSDEEP: 1572864:0gStT+Mj0gi/4furS5YVTFh3WN/CQ5Z+87tRDIBfzec4nRreXw/cFmLWI76Z4z4J:0kJr+/CQ5Z+8XIh+h
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\Geo\Nation | Loudplay.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\Geo\Nation | Loudplay.exe
Loads dropped DLL (1 IoC)
Processes:
pid | process
2824 | Loudplay.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loudplay = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Loudplay.exe\" --hidden" | reg.exe
(the identical value is written four times, each by a separate reg.exe instance)
Note: the Run value points at the copy of Loudplay.exe in the user's %TEMP% directory and starts it with --hidden, so it comes back on every logon without a visible window. The value is written by reg.exe children rather than through the registry API from Loudplay.exe itself, which means the persistence is also visible in process-creation telemetry as reg.exe spawned by Loudplay.exe (PIDs 2668 and 2756 in the WriteProcessMemory list below).
Processes (11 powershell.exe instances):
pid | process
2276 | powershell.exe
696 | powershell.exe
1292 | powershell.exe
452 | powershell.exe
1608 | powershell.exe
2548 | powershell.exe
1132 | powershell.exe
1812 | powershell.exe
2620 | powershell.exe
1636 | powershell.exe
2216 | powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh are loaded every time netsh runs, which is why the technique is classed as event-triggered execution.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Note: all six IoCs are reads (open, query, enumerate) of the NetSh key, which is what netsh.exe does at startup to find its registered helper DLLs. No value is written, so this run shows netsh being executed by the sample, not a helper DLL being installed. The Wow6432Node path shows that it is the 32-bit netsh.exe, started from a 32-bit parent, seeing the key through WOW64 registry redirection.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
All 64 IoCs are the same operation, Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes:
process | entries
cmd.exe | 31
WMIC.exe | 10
chcp.com | 8
reg.exe | 4
Loudplay.exe | 3
powershell.exe | 3
ROUTE.EXE | 1
ipconfig.exe | 1
NETSTAT.EXE | 1
netsh.exe | 1
where.exe | 1
Note: opening the NLS\Language key is part of normal startup for console programs, so most of these entries are a side effect of the many cmd.exe, WMIC.exe and chcp.com children rather than a deliberate language check. The list is more useful as an inventory of the tools the sample runs from shell commands (wmic, route, ipconfig, netstat, netsh, where, reg, chcp, powershell) than as evidence of language-based targeting; the Geo\Nation lookup above is the more specific location indicator.
Checks processor information in registry (2 TTPs, 11 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Loudplay.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | Loudplay.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | Loudplay.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Loudplay.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Loudplay.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Loudplay.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | Loudplay.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | reg.exe
Note: Loudplay.exe reading ~MHz and ProcessorNameString for each CentralProcessor\N subkey matches how Node.js os.cpus() (libuv) enumerates CPUs on Windows and is ordinary for an Electron application. The two reg.exe reads of CentralProcessor\0\FeatureSet are separate reg.exe children querying that one value, which is the more deliberate of the two patterns.
Gathers network information (2 TTPs, 3 IoCs)
Uses command-line utilities to view the network configuration.
Processes:
pid | process
1500 | ipconfig.exe
2896 | ipconfig.exe
2876 | NETSTAT.EXE
Modifies registry class (7 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\loudplay\shell\open\command | Loudplay.exe
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\loudplay\shell | Loudplay.exe
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\loudplay\shell\open | Loudplay.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\loudplay\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Loudplay.exe\" \"%1\"" | Loudplay.exe
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\loudplay | Loudplay.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\loudplay\URL Protocol | Loudplay.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\loudplay\ = "URL:loudplay" | Loudplay.exe
Note: taken together these seven writes register a per-user loudplay: URL protocol handler (the user's classes hive, HKCU\Software\Classes\loudplay, shown here under the _CLASSES key) whose command is the %TEMP% copy of Loudplay.exe with the full URL passed as "%1". This is the key layout Electron's app.setAsDefaultProtocolClient() produces on Windows; the consequence is that any browser or document opening a loudplay:... link launches that executable with link-controlled argument text, and here the handler points into a temporary directory.
Modifies registry key (1 TTP, 8 IoCs)
Processes:
pid | process
2412 | reg.exe
452 | reg.exe
788 | reg.exe
1196 | reg.exe
2908 | reg.exe
2852 | reg.exe
2756 | reg.exe
2668 | reg.exe
Processes (certificate store writes):
Loudplay.exe creates keys and writes Blob values under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT and \AuthRoot for three certificates, each keyed by its SHA-1 thumbprint:
- CABD2A79A1076A31F21D253635CB039D4329A5E8 (ROOT store): the DER in the blob below carries the subject "Internet Security Research Group", "ISRG Root X1" (readable in the hex).
- 2796BAE63F1801E277261BA0D77770028F20EEE4 (AuthRoot store): the blob's UTF-16 friendly-name property (id 0x0b) reads "Go Daddy Class 2 Certification Authority".
- 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 (AuthRoot store): the blob value is not preserved on this page; the thumbprint is that of the DigiCert High Assurance EV Root CA.
All three are public roots in Microsoft's trusted root program. AuthRoot\Certificates is where Windows' automatic root update caches a root the first time a process builds a chain to it, and the Go Daddy blob carries the friendly-name and policy properties such cached entries have, so the two AuthRoot writes are consistent with the app's own TLS connections triggering that update from inside Loudplay.exe. The ISRG Root X1 entry is different: it goes into the machine ROOT store (the sandbox user is an administrator, so the write succeeds) and its blob holds only hash properties plus the certificate, as a certificate added directly from DER would. One common reason for an application to do that on a Windows 7 image is to make Let's Encrypt chains validate where the root is missing, but the page does not show which code path wrote it, so treat that as an assumption. What would indicate a private CA is a thumbprint absent from Microsoft's root list or a ROOT-store subject no public CA uses; none of the three here is.
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | Loudplay.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | Loudplay.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | Loudplay.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | Loudplay.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | Loudplay.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | Loudplay.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (serialized certificate blob, hex, on the following lines; the 2796BAE6... AuthRoot blob follows it in the same form) | Loudplay.exe
0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530
030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 Loudplay.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 
0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167
a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f Loudplay.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 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 Loudplay.exe -
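The Blob values above are CryptoAPI's serialized certificate-context format: a sequence of elements, each a 4-byte little-endian property id, a 4-byte field that is 1 in every element on this page, a 4-byte length, and the data. The element with property id 0x20 is the DER certificate itself, so the thumbprint in the key name can be recomputed instead of trusted. The following is an added example (not code from the report or from Loudplay) that parses that layout and checks the DER against both the stored SHA-1 property and the registry key name. The sample blob it runs on is constructed in the block around a 5-byte DER placeholder that is not a real certificate; paste a Blob hex string from the rows above in its place to decode what the sandbox saw written. The property-id names are the CryptoAPI CERT_*_PROP_ID constants for the ids that appear on this page; any other id is printed numerically.

```python
"""Decode a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob registry value.

Added example (not part of the sandbox report). Layout of the Blob value:
repeated {property id (u32 LE), flags (u32 LE, 1 in every element seen in
this report), data length (u32 LE), data}. Property id 0x20 holds the
DER-encoded certificate, so the SHA-1 thumbprint can be recomputed.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",  # the DER-encoded certificate
}


def parse_blob(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the element list; raise ValueError on a truncated or malformed element."""
    elements: List[Tuple[int, bytes]] = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 12:
            raise ValueError(f"truncated element header at offset {offset}")
        prop_id, flags, length = struct.unpack_from("<III", blob, offset)
        offset += 12
        # flags is 1 for every element in this report; relax if a store shows otherwise.
        if flags != 1 or offset + length > len(blob):
            raise ValueError(f"malformed element id={prop_id:#x} at offset {offset - 12}")
        elements.append((prop_id, blob[offset:offset + length]))
        offset += length
    return elements


def is_well_formed(blob_hex: str) -> bool:
    """True when the whole value parses without a short or oversized element."""
    try:
        parse_blob(bytes.fromhex(blob_hex))
        return True
    except ValueError:
        return False


def summarize(blob_hex: str) -> Dict[str, object]:
    """Extract the DER certificate and compare the stored SHA-1 with a fresh hash."""
    elements = parse_blob(bytes.fromhex(blob_hex))
    props = dict(elements)
    der = props.get(0x20)
    if der is None:
        raise ValueError("no CERT_CERT_PROP_ID element; nothing to verify")
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(0x03, b"").hex().upper()
    friendly = props.get(0x0B, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "properties": [PROP_NAMES.get(pid, f"prop_{pid:#x}") for pid, _ in elements],
        "friendly_name": friendly,
        "der_length": len(der),
        "thumbprint": thumbprint,
        "stored_sha1": stored,
        "hash_matches": thumbprint == stored,
    }


def matches_key_name(key_path: str, blob_hex: str) -> bool:
    """Windows names the Certificates\\<name> subkey after the SHA-1 thumbprint; confirm the DER agrees."""
    name = key_path.rstrip("\\").rsplit("\\", 1)[-1].upper()
    return name == summarize(blob_hex)["thumbprint"]


def build_blob(elements: List[Tuple[int, bytes]]) -> bytes:
    """Serialize elements in the same layout (used here only to construct the sample)."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in elements)


# Constructed sample input: the 5-byte DER SEQUENCE stands in for a certificate
# so the example runs offline; it is not a real certificate. Replace
# SAMPLE_BLOB_HEX with a Blob value from the report to decode what was written.
PLACEHOLDER_DER = bytes.fromhex("3003020101")
SAMPLE_BLOB_HEX = build_blob([
    (0x0B, "Example Root (constructed)".encode("utf-16-le") + b"\x00\x00"),
    (0x03, hashlib.sha1(PLACEHOLDER_DER).digest()),
    (0x20, PLACEHOLDER_DER),
]).hex()
SAMPLE_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
              + "\\" + hashlib.sha1(PLACEHOLDER_DER).hexdigest().upper())

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_BLOB_HEX).items():
        print(f"{key}: {value}")
    print("key name matches DER:", matches_key_name(SAMPLE_KEY, SAMPLE_BLOB_HEX))
```

The check that matters for triage is the last one: a blob whose DER does not hash to the key it was written under, or whose stored SHA-1 disagrees with the DER, is not something CryptoAPI writes on its own. For the two full blobs on this page the 0x20 element can be fed to any X.509 parser to read the subject; the friendly-name element alone already identifies the Go Daddy entry.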
Suspicious behavior: EnumeratesProcesses (41 IoCs)
Processes:
pid | process | entries
2208 | Loudplay.exe | 20
2824 | Loudplay.exe | 9
2636 | Loudplay.exe | 1
452, 1608, 2620, 2216, 696, 1636, 2548, 1132, 1812, 2276, 1292 | powershell.exe | 1 each
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
Two WMIC.exe instances enable every privilege in their token. The report lists the same 20-privilege sequence twice for PID 2084 (40 entries) and, for PID 2896, the full sequence once followed by its first four privileges again (24 entries) before the list is cut off at 64.
description | pid | process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (sequence repeated twice) | 2084 | WMIC.exe
Token: the same 20 privileges, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege | 2896 | WMIC.exe
Note: the three numeric entries are privileges the report shows by LUID rather than name (33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege). Enabling the whole privilege set at startup is standard wmic.exe behaviour, so this signature is attributable to the WMIC.exe children rather than to anything unusual in the parent; the fact worth keeping is that the sample runs wmic at all, which the language-discovery list above also shows (ten WMIC.exe entries).
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
pid | process | entries
2208 | Loudplay.exe | 4

Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
pid | process | entries
2208 | Loudplay.exe | 3
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
source pid | source process | target pid | target process | entries
2208 | Loudplay.exe | 2788 | Loudplay.exe | 42
2208 | Loudplay.exe | 2824 | Loudplay.exe | 4
2208 | Loudplay.exe | 2636 | Loudplay.exe | 4
2208 | Loudplay.exe | 1128 | cmd.exe | 4
1128 | cmd.exe | 2960 | chcp.com | 4
2208 | Loudplay.exe | 2668 | reg.exe | 4
2208 | Loudplay.exe | 2756 | reg.exe | 2 (list cut off at 64)
Note: every write goes from a parent into a child it has just created (the Chromium child processes 2788, 2824 and 2636, the cmd.exe helper 1128, its chcp.com child, and the reg.exe children that write the Run key). Writes into a newly created child are how process start-up shows up in this signature; there is no write into a pre-existing, unrelated process, so this is the Electron main process spawning its own children and shell helpers, not injection.
Processes

Each entry is: [tree depth] image path (PID), then the command line, then the behaviours the sandbox flagged for that process.

[1] C:\Users\Admin\AppData\Local\Temp\Loudplay.exe (PID 2208)
    "C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Loudplay.exe (PID 2788)
      "C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=gpu-process --field-trial-handle=2024,15353095997754109081,10191369804853087132,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2032 /prefetch:2
  [2] C:\Users\Admin\AppData\Local\Temp\Loudplay.exe (PID 2824)
      "C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=renderer --field-trial-handle=2024,15353095997754109081,10191369804853087132,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration --node-integration-in-worker --no-sandbox --no-zygote --enable-remote-module --background-color=#000 --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2368 /prefetch:1
      - Checks computer location settings
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\Loudplay.exe (PID 2636)
      "C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,15353095997754109081,10191369804853087132,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=1476 /prefetch:8
      - System Location Discovery: System Language Discovery
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1128)
      C:\Windows\system32\cmd.exe /d /s /c "chcp"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\chcp.com (PID 2960)
        chcp
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\reg.exe (PID 2668)
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay
      - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe (PID 2756)
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay
      - System Location Discovery: System Language Discovery
      - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe (PID 2852)
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay
      - System Location Discovery: System Language Discovery
      - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe (PID 2908)
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay
      - System Location Discovery: System Language Discovery
      - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe (PID 2412)
      C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe (PID 452)
      C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f
      - Adds Run key to start application
      - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe (PID 1196)
      C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f
      - Adds Run key to start application
      - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe (PID 788)
      C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f
      - Adds Run key to start application
      - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2836)
      C:\Windows\system32\cmd.exe /d /s /c "netstat -r"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\NETSTAT.EXE (PID 2876)
        netstat -r
        - System Location Discovery: System Language Discovery
        - Gathers network information
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2808)
          C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
          - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\ROUTE.EXE (PID 2248)
            C:\Windows\system32\route.exe print
            - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 832)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get /value"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2084)
        C:\Windows\system32\wbem\wmic.exe nic get /value
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2880)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2896)
        C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2432)
      C:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\netsh.exe (PID 2884)
        netsh lan show profiles
        - Event Triggered Execution: Netsh Helper DLL
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2852)
      C:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"
    [3] C:\Windows\SysWOW64\ipconfig.exe (PID 1500)
        ipconfig /all
        - System Location Discovery: System Language Discovery
        - Gathers network information
  [2] C:\Windows\SysWOW64\cmd.exe (PID 972)
      C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 3036)
      C:\Windows\system32\cmd.exe /d /s /c "%windir%\sysnative\cmd.exe /c %windir%\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
    [3] C:\Windows\system32\cmd.exe (PID 576)
        C:\Windows\sysnative\cmd.exe /c C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
      [4] C:\Windows\System32\reg.exe (PID 1696)
          C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1048)
      C:\Windows\system32\cmd.exe /d /s /c "openssl version"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 472)
      C:\Windows\system32\cmd.exe /d /s /c "npm -v"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1988)
      C:\Windows\system32\cmd.exe /d /s /c "pm2.cmd -v"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2316)
      C:\Windows\system32\cmd.exe /d /s /c "yarn --version"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2764)
      C:\Windows\system32\cmd.exe /d /s /c "gulp.cmd --version"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2076)
      C:\Windows\system32\cmd.exe /d /s /c "tsc.cmd --version"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2540)
      C:\Windows\system32\cmd.exe /d /s /c "grunt.cmd --version"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1492)
      C:\Windows\system32\cmd.exe /d /s /c "git --version"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2476)
      C:\Windows\system32\cmd.exe /d /s /c "apachectl -v 2>&1"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 296)
      C:\Windows\system32\cmd.exe /d /s /c "nginx -v 2>&1"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1704)
      C:\Windows\system32\cmd.exe /d /s /c "mysql -V"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 632)
      C:\Windows\system32\cmd.exe /d /s /c "php -v"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 856)
      C:\Windows\system32\cmd.exe /d /s /c "redis-server --version"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1464)
      C:\Windows\system32\cmd.exe /d /s /c "docker --version"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1540)
      C:\Windows\system32\cmd.exe /d /s /c "postconf -d | grep mail_version"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1544)
      C:\Windows\system32\cmd.exe /d /s /c "mongod --version"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1860)
      C:\Windows\system32\cmd.exe /d /s /c "perl -v"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1748)
      C:\Windows\system32\cmd.exe /d /s /c "python -V 2>&1"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1816)
      C:\Windows\system32\cmd.exe /d /s /c "python3 -V 2>&1"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1272)
      C:\Windows\system32\cmd.exe /d /s /c "pip -V 2>&1"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1656)
      C:\Windows\system32\cmd.exe /d /s /c "pip3 -V 2>&1"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1964)
      C:\Windows\system32\cmd.exe /d /s /c "java -version 2>&1"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1744)
      C:\Windows\system32\cmd.exe /d /s /c "gcc -dumpversion"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1036)
      C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" -v 2>&1"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 848)
      C:\Windows\system32\cmd.exe /d /s /c "bash --version"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2656)
      C:\Windows\system32\cmd.exe /d /s /c "zsh --version"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2488)
      C:\Windows\system32\cmd.exe /d /s /c "fish --version"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 692)
      C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
    [3] C:\Windows\SysWOW64\reg.exe (PID 2704)
        reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
        - Checks processor information in registry
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2724)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get /value"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2688)
        C:\Windows\system32\wbem\wmic.exe nic get /value
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1604)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2248)
        C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2036)
      C:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"
    [3] C:\Windows\SysWOW64\netsh.exe (PID 2140)
        netsh lan show profiles
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2992)
      C:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\ipconfig.exe (PID 2896)
        ipconfig /all
        - Gathers network information
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2612)
      C:\Windows\system32\cmd.exe /d /s /c "WHERE smartctl 2>nul"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\where.exe (PID 880)
        WHERE smartctl
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2756)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe csproduct get /value"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\chcp.com (PID 1484)
        C:\Windows\system32\chcp.com 65001
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2984)
        C:\Windows\system32\wbem\wmic.exe csproduct get /value
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2932)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe bios get /value"
    [3] C:\Windows\SysWOW64\chcp.com (PID 2200)
        C:\Windows\system32\chcp.com 65001
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 984)
        C:\Windows\system32\wbem\wmic.exe bios get /value
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1064)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe baseboard get /value"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\chcp.com (PID 2504)
        C:\Windows\system32\chcp.com 65001
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 1552)
        C:\Windows\system32\wbem\wmic.exe baseboard get /value
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1224)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe memphysical get MaxCapacity, MemoryDevices /value"
    [3] C:\Windows\SysWOW64\chcp.com (PID 1632)
        C:\Windows\system32\chcp.com 65001
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2780)
        C:\Windows\system32\wbem\wmic.exe memphysical get MaxCapacity, MemoryDevices /value
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1940)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path Win32_SystemEnclosure get /value"
    [3] C:\Windows\SysWOW64\chcp.com (PID 1680)
        C:\Windows\system32\chcp.com 65001
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 3028)
        C:\Windows\system32\wbem\wmic.exe path Win32_SystemEnclosure get /value
  [2] C:\Windows\SysWOW64\cmd.exe (PID 284)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe os get /value"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\chcp.com (PID 1196)
        C:\Windows\system32\chcp.com 65001
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 1948)
        C:\Windows\system32\wbem\wmic.exe os get /value
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2620)
      powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 452)
      powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\cmd.exe (PID 952)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe service get /value"
    [3] C:\Windows\SysWOW64\chcp.com (PID 1912)
        C:\Windows\system32\chcp.com 65001
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2144)
        C:\Windows\system32\wbem\wmic.exe service get /value
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1608)
      powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1636)
      powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2308)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path win32_VideoController get /value"
    [3] C:\Windows\SysWOW64\chcp.com (PID 2428)
        C:\Windows\system32\chcp.com 65001
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2800)
        C:\Windows\system32\wbem\wmic.exe path win32_VideoController get /value
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1812)
      powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1872)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path win32_desktopmonitor get /value"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\chcp.com (PID 2992)
        C:\Windows\system32\chcp.com 65001
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 1560)
        C:\Windows\system32\wbem\wmic.exe path win32_desktopmonitor get /value
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2548)
      powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1132)
      powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2216)
      powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2276)
      powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1468)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe memorychip get /value"
    [3] C:\Windows\SysWOW64\chcp.com (PID 2344)
        C:\Windows\system32\chcp.com 65001
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 1644)
        C:\Windows\system32\wbem\wmic.exe memorychip get /value
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2264)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe diskdrive get /value"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\chcp.com (PID 2916)
        C:\Windows\system32\chcp.com 65001
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 3032)
        C:\Windows\system32\wbem\wmic.exe diskdrive get /value
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 696)
      powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1456)
      C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\reg.exe (PID 1112)
        reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
        - Checks processor information in registry
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2688)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value"
    [3] C:\Windows\SysWOW64\chcp.com (PID 2456)
        C:\Windows\system32\chcp.com 65001
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2780)
        C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1332)
      C:\Windows\system32\cmd.exe /d /s /c "gcc --version"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2812)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe csproduct get /value"
    [3] C:\Windows\SysWOW64\chcp.com (PID 3036)
        C:\Windows\system32\chcp.com 65001
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 952)
        C:\Windows\system32\wbem\wmic.exe csproduct get /value
        - System Location Discovery: System Language Discovery
  [2] C:\Users\Admin\AppData\Local\Temp\Loudplay.exe (PID 2668)
      "C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2024,15353095997754109081,10191369804853087132,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=2660 /prefetch:8
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1048)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe cpu get /value"
    [3] C:\Windows\SysWOW64\chcp.com (PID 1876)
        C:\Windows\system32\chcp.com 65001
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 920)
        C:\Windows\system32\wbem\wmic.exe cpu get /value
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2608)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\chcp.com (PID 572)
        C:\Windows\system32\chcp.com 65001
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2140)
        C:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1292)
      powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\cmd.exe (PID 692)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe bios get Version, SerialNumber, SMBIOSBIOSVersion"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\chcp.com (PID 1512)
        C:\Windows\system32\chcp.com 65001
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 1672)
        C:\Windows\system32\wbem\wmic.exe bios get Version, SerialNumber, SMBIOSBIOSVersion
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2004)
      C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
    [3] C:\Windows\SysWOW64\findstr.exe (PID 888)
        findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2880)
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe pagefile get AllocatedBaseSize, CurrentUsage"
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\chcp.com (PID 3036)
        C:\Windows\system32\chcp.com 65001
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2944)
        C:\Windows\system32\wbem\wmic.exe pagefile get AllocatedBaseSize, CurrentUsage
        - System Location Discovery: System Language Discovery
[1] C:\Windows\system32\conhost.exe (PID 2896)
    \??\C:\Windows\system32\conhost.exe "7248662263082808561593693034-1645744906233821923-1811496090-1573070751-1856725288"
[1] C:\Windows\system32\conhost.exe (PID 2504)
    \??\C:\Windows\system32\conhost.exe "-463893235-13465579471055494930-1103697176-576164786124425480356513315-482204894"
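The tree above is what an analyst has to read by hand: a Run key written under HKCU pointing at an executable in %TEMP% with `--hidden`, an Electron network service started with `--ignore-certificate-errors`, a renderer with `--node-integration` and `--no-sandbox`, a long burst of wmic/netstat/ipconfig/netsh/reg fingerprinting, a `VBoxManage.exe` probe, and PowerShell instances fed a script over stdin (`-Command -`). The following is an added triage script, not part of this report or of the Loudplay application, that classifies such process records and scores the fingerprinting burst. Its input records are constructed from command lines shown in the tree (with the long Electron field-trial flags trimmed); the category names, the `DISCOVERY_IMAGES` set and the burst threshold are this example's own choices.

```python
"""Triage a sandbox process tree for the behaviours seen above (added example)."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    pid: int
    detail: str


# Built-in utilities that, taken together, fingerprint a host (assumed list).
DISCOVERY_IMAGES = {"wmic.exe", "netstat.exe", "ipconfig.exe", "route.exe",
                    "netsh.exe", "where.exe", "findstr.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
# reg.exe ADD <key> /v <name> ... /d "<data>" /f
REG_ADD = re.compile(r'\bADD\b.*?/v\s+(\S+).*?/d\s+"(.*)"\s+/f', re.I | re.S)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(pid: int, image: str, cmdline: str) -> list[Finding]:
    img, low, out = basename(image), cmdline.lower(), []
    if img == "reg.exe" and RUN_KEY.search(cmdline):
        m = REG_ADD.search(cmdline)
        if m:
            name, data = m.group(1), m.group(2)
            # A Run value that points into %TEMP% and launches hidden is the
            # pattern in the tree above; mark it explicitly.
            risky = "\\appdata\\local\\temp\\" in data.lower() or "--hidden" in data.lower()
            out.append(Finding("persistence.run_key", pid,
                               f"{name} -> {data}" + (" [temp path / hidden]" if risky else "")))
        else:
            out.append(Finding("persistence.run_key_query", pid, cmdline))
    if "network.mojom.networkservice" in low and "--ignore-certificate-errors" in low:
        out.append(Finding("tls.validation_disabled", pid,
                           "network service started with --ignore-certificate-errors"))
    if "--type=renderer" in low and "--node-integration" in low and "--no-sandbox" in low:
        out.append(Finding("electron.unsandboxed_renderer", pid,
                           "renderer runs with --node-integration and --no-sandbox"))
    if img in DISCOVERY_IMAGES or (img == "reg.exe" and re.search(r"\bquery\b", low)
                                   and ("machineguid" in low or "centralprocessor" in low)):
        out.append(Finding("discovery.host_fingerprint", pid, cmdline))
    if "vboxmanage" in low:
        out.append(Finding("discovery.vm_check", pid, cmdline))
    if img == "powershell.exe" and "-executionpolicy unrestricted" in low \
            and re.search(r"-command\s+-\s*$", low):
        out.append(Finding("execution.powershell_stdin", pid,
                           "PowerShell reads its script from stdin (-Command -)"))
    return out


def triage(records, burst_threshold: int = 5) -> list[Finding]:
    """Classify each (pid, image, cmdline) record; add one tree-level finding
    when many fingerprinting commands occur together."""
    findings = [f for r in records for f in classify(*r)]
    n = sum(f.category == "discovery.host_fingerprint" for f in findings)
    if n >= burst_threshold:
        findings.append(Finding("discovery.host_fingerprint_burst", 0,
                                f"{n} host-discovery commands in one process tree"))
    return findings


def summarize(findings) -> dict[str, int]:
    return dict(Counter(f.category for f in findings))


# Constructed sample: (pid, image, cmdline) taken from the tree above.
SAMPLE = [
    (2208, r"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"'),
    (2824, r"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=renderer --lang=en-US '
     r'--app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration '
     r'--node-integration-in-worker --no-sandbox --no-zygote --enable-remote-module'),
    (2636, r"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=utility '
     r'--utility-sub-type=network.mojom.NetworkService --service-sandbox-type=network '
     r'--ignore-certificate-errors --ignore-certificate-errors'),
    (2668, r"C:\Windows\SysWOW64\reg.exe",
     r"C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay"),
    (2412, r"C:\Windows\SysWOW64\reg.exe",
     r'C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay '
     r'/t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f'),
    (2876, r"C:\Windows\SysWOW64\NETSTAT.EXE", "netstat -r"),
    (1500, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    (2884, r"C:\Windows\SysWOW64\netsh.exe", "netsh lan show profiles"),
    (1696, r"C:\Windows\System32\reg.exe",
     r'C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid'),
    (2984, r"C:\Windows\SysWOW64\wbem\WMIC.exe", r"C:\Windows\system32\wbem\wmic.exe csproduct get /value"),
    (1036, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" -v 2>&1"'),
    (2620, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.category:36} pid={f.pid:<5} {f.detail}")
    print(summarize(triage(SAMPLE)))
```

The burst rule is what separates this tree from a benign installer that runs one `wmic` call: a single discovery command is noise, a dozen in one process tree within seconds is a fingerprinting routine. The Run-key rule deliberately reports the data string, because the value (`%TEMP%` path plus `--hidden`) is what an analyst needs to decide whether the persistence is legitimate auto-start or something to remove.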
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Modify Registry (3)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: fbe8a28faf3ceb86cee553bb2772ca5b
  SHA1: 72049937317efc9a9cc4c8add4d0d21bb55f44b2
  SHA256: d579f010c2ddec6f3f0b865f3b5dd23d42b3d23c4e0100c447578aa3d348c80c
  SHA512: dcb1c3e00448aa641bbcfc5563a5ba11cc7c0d3de931fe4ca972abe0bfe35a1f8b86c34e82d3c2541d1115a19e76a0385d9d974e5aac77eaf8cc47daa2199e8e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e7c1a732bea2fdec2eeeadd77bc626bc
  SHA1: 9626ef777864eaaea99202b54c584fb96f67bbc6
  SHA256: 338f18afc60d71bc6a31fcfe0150958dcd034d1f0f22bac3946f49b7ac66183b
  SHA512: 7577da801afe2736e5eea1abad698bbbf6ce97fe5d5ca85c57958dbe0f6bae1b55c514f0d37cba9502d6bc313efb835ed4c8e70cd5437845bc588cebdeb2275f
-
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2IXYC9TJXTUVBXXCNH8N.temp
  Filesize: 7KB
  MD5: 800ac34bd27eb2b304a9a81bc8f30aa9
  SHA1: cc8ce6e37b0306a0db9d2875b59d7e39b13e9e9d
  SHA256: 98d8b9a218704ac888467be6f052f9059de177dbf4e7c8c169d9f8f217e31773
  SHA512: 48e6674d7d775347fbb84334a0155653a0a0a8a65199182f8842bc22e443aaccf4ed6780e807e280ba851a6c4f364b5dd0e87cba52b80f74979f87b8dae6a2de
-
  Filesize: 441KB
  MD5: a78ad14e77147e7de3647e61964c0335
  SHA1: cecc3dd41f4cea0192b24300c71e1911bd4fce45
  SHA256: 0d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa
  SHA512: dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101
-
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
  Filesize: 57B
  MD5: 58127c59cb9e1da127904c341d15372b
  SHA1: 62445484661d8036ce9788baeaba31d204e9a5fc
  SHA256: be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
  SHA512: 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a
-
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
  Filesize: 1.2MB
  MD5: c71f33dabbd487ddafc767470395f346
  SHA1: f9954b8c6d9ee39758316b170fcd925632fa886f
  SHA256: 3ee841cf169376d85484520c908b51cbd01fba2623409efb348242dfe32ded3f
  SHA512: 0307db845d059b5b72701c55db9b2632d9882de4749735cddd9100076b513df3fd2ec49d5ee7f5a0e3dafb39d772d6f5f05b8727df624ab514c212352031b6fb