Analysis
-
max time kernel
121s -
max time network
159s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
20-08-2024 12:16
General
-
Target
Loudplay.exe
-
Size
104.6MB
-
MD5
9c1e70bc445f17228e5024e7a7bf2d51
-
SHA1
411b26453f7a10835bbc36bc3e4d3361b1358663
-
SHA256
a867e4aef02fb3f758b8fba1b936aa049231190e2a91555064dfb12a303a8f1f
-
SHA512
ca10e65ebaefd7c606771f36255abc832802058525f7bd10528e813b0376b26f47f6223be42b90d8fa394282e34582055c5260e35903c27d779f5a45be82053c
-
SSDEEP
1572864:0gStT+Mj0gi/4furS5YVTFh3WN/CQ5Z+87tRDIBfzec4nRreXw/cFmLWI76Z4z4J:0kJr+/CQ5Z+8XIh+h
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 7 IoCs
-
Modifies registry key 1 TTPs 8 IoCs
-
Modifies system certificate store 2 TTPs 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=gpu-process --field-trial-handle=2024,15353095997754109081,10191369804853087132,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2032 /prefetch:22⤵
-
C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=renderer --field-trial-handle=2024,15353095997754109081,10191369804853087132,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration --node-integration-in-worker --no-sandbox --no-zygote --enable-remote-module --background-color=#000 --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2368 /prefetch:12⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,15353095997754109081,10191369804853087132,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=1476 /prefetch:82⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "chcp"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay2⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay2⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay2⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay2⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f2⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f2⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f2⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "netstat -r"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -r3⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ROUTE.EXEC:\Windows\system32\route.exe print5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nic get /value3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh lan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"2⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all3⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\sysnative\cmd.exe /c %windir%\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid3⤵
-
C:\Windows\System32\reg.exeC:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "openssl version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "npm -v"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "pm2.cmd -v"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "yarn --version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "gulp.cmd --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tsc.cmd --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "grunt.cmd --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "git --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "apachectl -v 2>&1"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "nginx -v 2>&1"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "mysql -V"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "php -v"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "redis-server --version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "docker --version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "postconf -d | grep mail_version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "mongod --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "perl -v"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "python -V 2>&1"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "python3 -V 2>&1"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "pip -V 2>&1"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "pip3 -V 2>&1"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "java -version 2>&1"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "gcc -dumpversion"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" -v 2>&1"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "bash --version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "zsh --version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "fish --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"2⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet3⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nic get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh lan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all3⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "WHERE smartctl 2>nul"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\where.exeWHERE smartctl3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe csproduct get /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe csproduct get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe bios get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe bios get /value3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe baseboard get /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe baseboard get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe memphysical get MaxCapacity, MemoryDevices /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe memphysical get MaxCapacity, MemoryDevices /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path Win32_SystemEnclosure get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe path Win32_SystemEnclosure get /value3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe os get /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe os get /value3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe service get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe service get /value3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path win32_VideoController get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe path win32_VideoController get /value3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path win32_desktopmonitor get /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe path win32_desktopmonitor get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe memorychip get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe memorychip get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe diskdrive get /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe diskdrive get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet3⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "gcc --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe csproduct get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe csproduct get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2024,15353095997754109081,10191369804853087132,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=2660 /prefetch:82⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe cpu get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe cpu get /value3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe bios get Version, SerialNumber, SMBIOSBIOSVersion"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe bios get Version, SerialNumber, SMBIOSBIOSVersion3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""2⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe pagefile get AllocatedBaseSize, CurrentUsage"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe pagefile get AllocatedBaseSize, CurrentUsage3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "7248662263082808561593693034-1645744906233821923-1811496090-1573070751-1856725288"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-463893235-13465579471055494930-1103697176-576164786124425480356513315-482204894"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5fbe8a28faf3ceb86cee553bb2772ca5b
SHA172049937317efc9a9cc4c8add4d0d21bb55f44b2
SHA256d579f010c2ddec6f3f0b865f3b5dd23d42b3d23c4e0100c447578aa3d348c80c
SHA512dcb1c3e00448aa641bbcfc5563a5ba11cc7c0d3de931fe4ca972abe0bfe35a1f8b86c34e82d3c2541d1115a19e76a0385d9d974e5aac77eaf8cc47daa2199e8e
-
Filesize
342B
MD5e7c1a732bea2fdec2eeeadd77bc626bc
SHA19626ef777864eaaea99202b54c584fb96f67bbc6
SHA256338f18afc60d71bc6a31fcfe0150958dcd034d1f0f22bac3946f49b7ac66183b
SHA5127577da801afe2736e5eea1abad698bbbf6ce97fe5d5ca85c57958dbe0f6bae1b55c514f0d37cba9502d6bc313efb835ed4c8e70cd5437845bc588cebdeb2275f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
7KB
MD5800ac34bd27eb2b304a9a81bc8f30aa9
SHA1cc8ce6e37b0306a0db9d2875b59d7e39b13e9e9d
SHA25698d8b9a218704ac888467be6f052f9059de177dbf4e7c8c169d9f8f217e31773
SHA51248e6674d7d775347fbb84334a0155653a0a0a8a65199182f8842bc22e443aaccf4ed6780e807e280ba851a6c4f364b5dd0e87cba52b80f74979f87b8dae6a2de
-
Filesize
441KB
MD5a78ad14e77147e7de3647e61964c0335
SHA1cecc3dd41f4cea0192b24300c71e1911bd4fce45
SHA2560d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa
SHA512dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
57B
MD558127c59cb9e1da127904c341d15372b
SHA162445484661d8036ce9788baeaba31d204e9a5fc
SHA256be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA5128d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.2MB
MD5c71f33dabbd487ddafc767470395f346
SHA1f9954b8c6d9ee39758316b170fcd925632fa886f
SHA2563ee841cf169376d85484520c908b51cbd01fba2623409efb348242dfe32ded3f
SHA5120307db845d059b5b72701c55db9b2632d9882de4749735cddd9100076b513df3fd2ec49d5ee7f5a0e3dafb39d772d6f5f05b8727df624ab514c212352031b6fb
-
Filesize
4KB