Analysis
-
max time kernel
138s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
27-08-2024 16:33
General
-
Target
SyncSpoofer.exe
-
Size
276KB
-
MD5
5a8afe7bfd11728c32066c4290eeddc7
-
SHA1
f2064bbdec287d61722ef35e511b4090212cd1a8
-
SHA256
92c799a2fd29060a44558a153d1ff5866e420e46b35bdd4546c782c17d4bb50f
-
SHA512
e03994e666aa7ff84400e86e4cc3db5a77a5475e1961b553f16dbc293160f58f196b0ab6fb7be4ba34b1d030969f2f94ae80dc0c423f3ec015621bf987b796cb
-
SSDEEP
1536:hJ99JW77A9oXFY+w67Vh7O9H/squacb3P12NETDLiaSKry3bgDBsvVeXBdZs4o7M:vSFHh69HEZJRTDLiaSKreumVeBs4o
Score
10/10
Malware Config
Extracted
Family
gurcu
C2
https://api.telegram.org/bot7308213044:AAFm9yNR1WX2-QnC_ZcUdYHkkJGg7179JYE/sendMessag
Signatures
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 1 IoCs
-
Detected Nirsoft tools 2 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 30 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe"C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe"C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe"C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\sWsmPty.exe"C:\Users\Admin\AppData\Roaming\sWsmPty.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 9C2M-VCU33⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 9C2M-VCU34⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB3⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 1162HP-TRGT16515AB4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV3⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 21165HP-TRGT27263RV4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG3⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 81165HP-TRGT27263SG4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto3⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 51165HP-TRGT27263SL4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 41165HP-TRGT27263FA4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 61165HP-TRGT27263FU4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 31165HP-TRGT27263DQ4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 71165HP-TRGT27263MST4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 1181HP-TRGT15469AB4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 21181HP-TRGT15469RV4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 81181HP-TRGT15469SG4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 51181HP-TRGT15469SL4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 41181HP-TRGT15469FA4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 61181HP-TRGT15469FU4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 31185HP-TRGT26218DQ4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 71185HP-TRGT26218MST4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 1201HP-TRGT14424AB4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 21201HP-TRGT14424RV4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 81201HP-TRGT14424SG4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 51201HP-TRGT14424SL4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 41201HP-TRGT14424FA4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 61201HP-TRGT14424FU4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 31201HP-TRGT14424DQ4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 71201HP-TRGT14424MST4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: MKR3-9M2O3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe a: MKR3-9M2O4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: 1FFU-ECV93⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe b: 1FFU-ECV94⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: R8TI-SJVG3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe c: R8TI-SJVG4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 12D9-N74C3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 12D9-N74C4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: GAV2-SLAL3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe e: GAV2-SLAL4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: V5AV-TDBN3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe f: V5AV-TDBN4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: RH9I-SNZB3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe g: RH9I-SNZB4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: P4CN-J00H3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe h: P4CN-J00H4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 2C3P-0Z1U3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 2C3P-0Z1U4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: G97G-6EJ53⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe j: G97G-6EJ54⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: U7J9-85I83⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe k: U7J9-85I84⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 97J0-6FT63⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 97J0-6FT64⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 54S0-LK5T3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 54S0-LK5T4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: P4L8-3I233⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe n: P4L8-3I234⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: ULT6-GH2P3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe o: ULT6-GH2P4⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: HDU8-2SH63⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe p: HDU8-2SH64⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: KP7Z-BSN23⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe r: KP7Z-BSN24⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: RFFM-BJU23⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe s: RFFM-BJU24⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 0U4P-IRC13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 0U4P-IRC14⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: DZ36-39RJ3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe u: DZ36-39RJ4⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 8DTP-IDRO3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 8DTP-IDRO4⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: NM3C-4OIJ3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe y: NM3C-4OIJ4⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: LC2N-BMT23⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe z: LC2N-BMT24⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat3⤵
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x394 0x34c1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
452KB
MD5c4d09d3b3516550ad2ded3b09e28c10c
SHA17a5e77bb9ba74cf57cb1d119325b0b7f64199824
SHA25666433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3
SHA5122e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2
-
Filesize
1KB
MD543b37d0f48bad1537a4de59ffda50ffe
SHA148ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8
SHA256fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288
SHA512cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82
-
Filesize
162KB
MD533d7a84f8ef67fd005f37142232ae97e
SHA11f560717d8038221c9b161716affb7cd6b14056e
SHA256a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b
SHA512c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5
-
Filesize
1KB
MD5250e75ba9aac6e2e9349bdebc5ef104e
SHA17efdaef5ec1752e7e29d8cc4641615d14ac1855f
SHA2567d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516
SHA5127f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438
-
Filesize
165KB
MD581a45f1a91448313b76d2e6d5308aa7a
SHA10d615343d5de03da03bce52e11b233093b404083
SHA256fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
SHA512675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d
-
Filesize
18KB
MD5785045f8b25cd2e937ddc6b09debe01a
SHA1029c678674f482ababe8bbfdb93152392457109d
SHA25637073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba
SHA51240bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9
-
Filesize
942B
MD59d61fe90e3d46c7436edff71df55f438
SHA14e4132995ca05b42ca6bf6453a3a2315c6f0beaa
SHA2560970f3d296aa2e17faefff34981061b5e05c735f0068f9f762f71e8659c940af
SHA512d2fc0deb6e999884554d0f1cba1d66d253053f1e241bc0abf142d26087c7ad9a4a7b2ba6dd2a29d3f7c554df79451c8af4564c6e9e0f2839f20a571d15bbf26f
-
Filesize
905KB
MD5dd1313842898ffaf72d79df643637ded
SHA193a34cb05fdf76869769af09a22711deea44ed28
SHA25681b27a565d2eb4701c404e03398a4bca48480e592460121bf8ec62c5f4b061df
SHA512db8cdcbfca205e64f1838fc28ea98107c854a4f31f617914e45c25d37da731b876afc36f816a78839d7b48b3c2b90f81856c821818f27239a504ab4253fe28f9
-
Filesize
2.6MB
MD5dab13157795e19d8fe050f65ce49401d
SHA1ecb6f0a864fd92fb7c423d882f9a6ea703096318
SHA256d8b4ce77f87bfe0b958f01ea30f48cf53e6ff51b425a57abc4f83a71d47f58fc
SHA5125cdb82bf347dbdae3c8e3f376ad18fb48509af3da91e8d18876ee7adb9db9fa9d2476060bf5de1294d44e86d477486db9efa045bd45a86a0e6739d6cfa9cca89
-
Filesize
13.2MB
MD5f94352e1545f9b8820885dca9baafcb4
SHA1710f642efb3e30e5e9a3abc7586997de1aac0852
SHA25607d614e26f1ab51b36eba12ba11e5deae3415688c6d6989e9a41d387884df763
SHA512d13ccb3b6ba61db1bc1a03438fda50e617ea531ea568aa86366909fecee01b8979e284552aac2441aa8bdeddf4c1634d1d5e82701697978986294f53196537ab
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
280KB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
13.3MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
10.4MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
10.4MB
-
Filesize
10.4MB