Analysis
-
max time kernel
139s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20-08-2024 12:16
General
-
Target
Loudplay.exe
-
Size
104.6MB
-
MD5
9c1e70bc445f17228e5024e7a7bf2d51
-
SHA1
411b26453f7a10835bbc36bc3e4d3361b1358663
-
SHA256
a867e4aef02fb3f758b8fba1b936aa049231190e2a91555064dfb12a303a8f1f
-
SHA512
ca10e65ebaefd7c606771f36255abc832802058525f7bd10528e813b0376b26f47f6223be42b90d8fa394282e34582055c5260e35903c27d779f5a45be82053c
-
SSDEEP
1572864:0gStT+Mj0gi/4furS5YVTFh3WN/CQ5Z+87tRDIBfzec4nRreXw/cFmLWI76Z4z4J:0kJr+/CQ5Z+8XIh+h
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 7 IoCs
-
Modifies registry key 1 TTPs 8 IoCs
-
Modifies system certificate store 2 TTPs 17 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=gpu-process --field-trial-handle=2600,16858008998272668170,15510223768120410645,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2608 /prefetch:22⤵
-
C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2600,16858008998272668170,15510223768120410645,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=3100 /prefetch:82⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=renderer --field-trial-handle=2600,16858008998272668170,15510223768120410645,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration --node-integration-in-worker --no-sandbox --no-zygote --enable-remote-module --background-color=#000 --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "chcp"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay2⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay2⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay2⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay2⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f2⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f2⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe\" --hidden" /f2⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Loudplay.exe"C:\Users\Admin\AppData\Local\Temp\Loudplay.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2600,16858008998272668170,15510223768120410645,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=1672 /prefetch:82⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "netstat -r"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -r3⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print4⤵
-
C:\Windows\SysWOW64\ROUTE.EXEC:\Windows\system32\route.exe print5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get /value"2⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nic get /value3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"2⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh lan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all3⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\sysnative\cmd.exe /c %windir%\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid3⤵
-
C:\Windows\System32\reg.exeC:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "openssl version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "npm -v"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "pm2.cmd -v"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "yarn --version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "gulp.cmd --version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tsc.cmd --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "grunt.cmd --version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "git --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "apachectl -v 2>&1"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "nginx -v 2>&1"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "mysql -V"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "php -v"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "redis-server --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "docker --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "postconf -d | grep mail_version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "mongod --version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "perl -v"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "python -V 2>&1"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "python3 -V 2>&1"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "pip -V 2>&1"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "pip3 -V 2>&1"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "java -version 2>&1"2⤵
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -version3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "gcc -dumpversion"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" -v 2>&1"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "bash --version"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "zsh --version"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "fish --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"2⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet3⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nic get /value3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh lan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"2⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all3⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "WHERE smartctl 2>nul"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\where.exeWHERE smartctl3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe csproduct get /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe csproduct get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe bios get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe bios get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe baseboard get /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe baseboard get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe memphysical get MaxCapacity, MemoryDevices /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe memphysical get MaxCapacity, MemoryDevices /value3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path Win32_SystemEnclosure get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe path Win32_SystemEnclosure get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe os get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe os get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe service get /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe service get /value3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path win32_VideoController get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe path win32_VideoController get /value3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path win32_desktopmonitor get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe path win32_desktopmonitor get /value3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe memorychip get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe memorychip get /value3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe diskdrive get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe diskdrive get /value3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"2⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet3⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe csproduct get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe csproduct get /value3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "gcc --version"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe cpu get /value"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe cpu get /value3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe bios get Version, SerialNumber, SMBIOSBIOSVersion"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe bios get Version, SerialNumber, SMBIOSBIOSVersion3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""2⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe pagefile get AllocatedBaseSize, CurrentUsage"2⤵
-
C:\Windows\SysWOW64\chcp.comC:\Windows\system32\chcp.com 650013⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe pagefile get AllocatedBaseSize, CurrentUsage3⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x240 0x3081⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\sysWOW64\wbem\wmiprvse.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD54279e6347a341c54e5e9bcc5ccf0b55e
SHA154e8b5376f11426145c70cb07a47da6c7c536bfe
SHA2561d6fb68d1b317f18ae1f506adebddc735260a7d79fc25cbe5208a66baf9611fb
SHA512ebfa6e9a7ae45305d929c0ec75fcf2d368fa786427e533859b537b4c1a3d609f9eff313977e6c3a33acf4d06906149fdc8f3bf684d36be9c5f669867e6b722c5
-
Filesize
20KB
MD5d45ce2c19b95fbab5b279f48401cf89f
SHA1562d48d66fb728f1d11a3a01ba561d68c4bcbf2e
SHA25602788d0e4385fc1805ca17424c776efb150ea402f747f988e075be6df3f000ce
SHA5129bc39497921ed6d97dbfea0215d806c70e72aa27614fa632a5de6ec398be20f3baba78e51375951aec4b7189f0ddbc1b6effbdc48835584528528775c97f81f7
-
Filesize
21KB
MD597044cd6459fa674bc3861189548bde1
SHA183bf9335a87352308d5103218b722a7c66aeb678
SHA256ecefa2e28d5a30652124560623432599c8123c2e37445ced370ed29cffa3fe03
SHA512c952f682cedb90cd4f6877359ba9150c24e576d8c6dbf99b17aad9192d893784f7dd6723c46efa6c734e2ad192be39a2db6b3e6741c6128d163b98aded8d40df
-
Filesize
21KB
MD5e59664fec52bc6f9bef11410be2b8345
SHA16b10e51089475277819ade34ce26aa77b1d92619
SHA256b1f72a2fb5d0ca1260fa662fe3d58de0bc405ebc6dddc8952404856e17412c09
SHA512c3c8c83520f267c134312ee1e6730e15cacc69a8a9721bfc3f4b277791740ddcb2e7c1dd2502f842bdfdd63feac93c89d683b82f81f4d1d4c93f955f62b1f9cf
-
Filesize
20KB
MD567c133238723670bca194efce836c6ad
SHA1c6e8c42627637505d36337c0d6508affab1e25c9
SHA256ddaf483f7a05c246ab3307de02c00a4c35bf9fc48b77a05930229b7717b337d3
SHA5125aa73a8cff4fddfa396c7909af509cc20ef7357aff48e023d56e0b4636d28ce6fd8ce9eb56352e60b7d368ee0d88501354280a7d0ad7dc4bc442e25a57194c0f
-
Filesize
21KB
MD53ce35af9670ebfd2bc8c52495f7d243c
SHA1b9ba09d90d1586375b8dd737955b9f76707d752a
SHA2563cde1a537d6df007aa41871ff986c2a4b9ba070fd31e27680a14fd6f210ab7ca
SHA5120b8602fa25ebf06ab819ad449175e2eec5c64d3a61f69d8c865e676114090e45c68139c8dff72959cfe32012a009b43e2597dff8a57172ec366a287c41374e6f
-
Filesize
21KB
MD540c19e14176b5439211209b3b771e6db
SHA1944e6ccb58886e74342c1f360a0fd5566acee73b
SHA256f47e37b9707dd02693bd6a1dbfdcfdc612eef0915cebf719e125f91919f4fd45
SHA51213a240458b635b8b002647da524d08bbb500295544db9345fd151e9094300857134ce8b36bab231dac13e5eeffdbf187956f35505fcbb23e6f6982d7ca44528c
-
Filesize
20KB
MD5dd7ca712b60abf896509372d8bb842e4
SHA1b120c9ae2d717d28b94d8a26a000894cb5df976b
SHA25628bdd489c18c34949a0477c706a5bbb8d5950fd90b7b30727a863ea0adb07fc5
SHA5129d5cd034510eedc11e567114a641b0f319ed1d8b53fefa04f3d32b70ca07c40db386701bce211526b040a5aaef0ad199a8d52e71b525383471d1f59afd36abb0
-
Filesize
21KB
MD5179a7377922ac85dd8290c3d5646bc6a
SHA1de6eabb3e3fa91c790da8d772319a1a77bf02b6a
SHA256a71d0c3f17dd7e98a1cf86e3cd04cdcf19ba504405c3c39ab4292f3eedc8e7a9
SHA5121bccbcf07505c4f076b6a3774d126f9f3a153e6289e228a6929d1af4dd208c2dea37d05dd323d5602af8a09a1c5391674cbec9cd53fe9d5aadf3263c0bb8d58e
-
Filesize
21KB
MD56109b20574dc373ad72d4d534f4f97cd
SHA106295039b5b2c3c15a7061f25b294f41993758c5
SHA2565c279eeadf11cde4c3a2a2c2bc98699d392e088190729abab21d34b30790653c
SHA512b0a614bd53fda4f9758f305abf426eeb27f790f267e5926ce1cce9447b0a2b30b86faf925e037469c82567aa369423afb4cb51bf6787f7c658c779fe0f5505a7
-
Filesize
24KB
MD532fed580c3ed6de99652f51c7ba34d26
SHA1befed21beec8ae0b1048602f7fe88ce47c3ec277
SHA256048d5c7211eb789975e2e72d13a5f8571e90f8ccf702d98e70efaa16cdb8379b
SHA5126fafbfc076f189100af2ce79e312e92f6d5c7a74115a3b8d45b872b280830637b0d89bca9ee2f729ed57793606299abe8821b229e20abf132a7c2859f4a4efca
-
Filesize
1.2MB
MD5c71f33dabbd487ddafc767470395f346
SHA1f9954b8c6d9ee39758316b170fcd925632fa886f
SHA2563ee841cf169376d85484520c908b51cbd01fba2623409efb348242dfe32ded3f
SHA5120307db845d059b5b72701c55db9b2632d9882de4749735cddd9100076b513df3fd2ec49d5ee7f5a0e3dafb39d772d6f5f05b8727df624ab514c212352031b6fb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
792B
MD51bd69b205688f2c67e09ab8b93be88d5
SHA1536ef58ef6f72b2837cf76a172c39b891628a641
SHA2564f9b610b71f027331e07a1090819831125e76a12d44e6b0df78763b981408135
SHA512269e64d06a0472473e47d2de7a7d5c4a9e81e20350331c7cf0e074e8317344340a5a12fb53c1b049cfde3cf7dbbbc6122a1091209bd13611061e323c9b28d004
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
57B
MD558127c59cb9e1da127904c341d15372b
SHA162445484661d8036ce9788baeaba31d204e9a5fc
SHA256be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA5128d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a
-
Filesize
86B
MD5d11dedf80b85d8d9be3fec6bb292f64b
SHA1aab8783454819cd66ddf7871e887abdba138aef3
SHA2568029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67
SHA5126b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
272KB
-
Filesize
200KB
-
Filesize
40KB
-
Filesize
168KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
144KB
-
Filesize
6.5MB
-
Filesize
472KB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
304KB
-
Filesize
3.3MB