Analysis
-
max time kernel
80s -
max time network
291s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
01-09-2024 00:02
Static task
static1
Behavioral task
behavioral1
Sample
1725148829.119856_File.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
1725148829.119856_File.exe
Resource
win11-20240802-en
General
-
Target
1725148829.119856_File.exe
-
Size
7.5MB
-
MD5
1facb48e71b030612dd4dd23040c699e
-
SHA1
ac87f80408d31879417259c3ab9dde2c32f175f0
-
SHA256
2c074fffbd47b3ed8129a7e9a4e350e7b9f6ce923f75b0166a8cb3e425e39e95
-
SHA512
fc3b5601889bd6e5252c3cc2e1ccbfd47ecdbd401beda2687f557a87423157b5bea9df2a777ac77d29d0428bb26fe060889bf304d9c0062e41d8818db1e9d6e0
-
SSDEEP
98304:8OWyk7cxZ0xjWoIOF/Oz+U8xJIhskAtpUacuxgGV2Tbs+unJsu5FFBN4W3:l7k7KawOJe+VDiiUajxgCusfnTFBN1
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
147.45.47.36:30035
Extracted
vidar
10.8
1f3c236c672ff2ffe017b396f834c66e
http://147.45.68.138:80
https://steamcommunity.com/profiles/76561199761128941
https://t.me/iyigunl
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Extracted
stealc
leva
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Detect Vidar Stealer 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1508-182-0x0000000000400000-0x0000000000641000-memory.dmp family_vidar_v7 behavioral2/memory/1508-177-0x0000000000400000-0x0000000000641000-memory.dmp family_vidar_v7 behavioral2/memory/1508-184-0x0000000000400000-0x0000000000641000-memory.dmp family_vidar_v7 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1452-164-0x0000000000400000-0x0000000000452000-memory.dmp family_redline -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
gMXDcsqBIr2c0Kn7Kw0fInmz.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ gMXDcsqBIr2c0Kn7Kw0fInmz.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 4660 powershell.exe 1952 powershell.exe 4652 powershell.exe 4112 powershell.exe 976 powershell.exe 3220 powershell.exe 32 powershell.exe 4268 powershell.exe 4268 powershell.exe 4660 powershell.exe 1952 powershell.exe 4652 powershell.exe 4112 powershell.exe 976 powershell.exe 3220 powershell.exe 32 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
gMXDcsqBIr2c0Kn7Kw0fInmz.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion gMXDcsqBIr2c0Kn7Kw0fInmz.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion gMXDcsqBIr2c0Kn7Kw0fInmz.exe -
Drops startup file 1 IoCs
Processes:
Pel8pScpUBUSRZz0eAWFVlyQ.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk Pel8pScpUBUSRZz0eAWFVlyQ.exe -
Executes dropped EXE 17 IoCs
Processes:
4mC5Y7nbNcRWOrRVz0zXSAEn.exesmwwhSUC4AZ0GbZTP8GgiADp.exemKStypmO9XJBkkW_xjsAmIse.exeMi84AzKrGhypOtRmSnf01zgl.exegMXDcsqBIr2c0Kn7Kw0fInmz.exeXsCYtOTiVYve210PxDhWTnr7.exemexBLkBRJ6MTJ877Z4GVTnkU.exePel8pScpUBUSRZz0eAWFVlyQ.exerAs41tWSCPhv90DNdLRTzmYd.exemexBLkBRJ6MTJ877Z4GVTnkU.tmpPel8pScpUBUSRZz0eAWFVlyQ.exeXsCYtOTiVYve210PxDhWTnr7.exeXsCYtOTiVYve210PxDhWTnr7.exevideoconvertermax32_64.exeAdminDHCBAEHJJJ.exeAdminDBGHDGHCGH.exemsptjhkfda.exepid process 3312 4mC5Y7nbNcRWOrRVz0zXSAEn.exe 764 smwwhSUC4AZ0GbZTP8GgiADp.exe 2820 mKStypmO9XJBkkW_xjsAmIse.exe 1704 Mi84AzKrGhypOtRmSnf01zgl.exe 2264 gMXDcsqBIr2c0Kn7Kw0fInmz.exe 4268 XsCYtOTiVYve210PxDhWTnr7.exe 2600 mexBLkBRJ6MTJ877Z4GVTnkU.exe 4212 Pel8pScpUBUSRZz0eAWFVlyQ.exe 2796 rAs41tWSCPhv90DNdLRTzmYd.exe 2932 mexBLkBRJ6MTJ877Z4GVTnkU.tmp 1904 Pel8pScpUBUSRZz0eAWFVlyQ.exe 1172 XsCYtOTiVYve210PxDhWTnr7.exe 1680 XsCYtOTiVYve210PxDhWTnr7.exe 2612 videoconvertermax32_64.exe 2044 AdminDHCBAEHJJJ.exe 3980 AdminDBGHDGHCGH.exe 2392 msptjhkfda.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
gMXDcsqBIr2c0Kn7Kw0fInmz.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine gMXDcsqBIr2c0Kn7Kw0fInmz.exe -
Loads dropped DLL 5 IoCs
Processes:
mexBLkBRJ6MTJ877Z4GVTnkU.tmpRegAsm.exeRegAsm.exepid process 2932 mexBLkBRJ6MTJ877Z4GVTnkU.tmp 2364 RegAsm.exe 2364 RegAsm.exe 1508 RegAsm.exe 1508 RegAsm.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description ioc Destination IP 45.155.250.90 -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Pel8pScpUBUSRZz0eAWFVlyQ.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" Pel8pScpUBUSRZz0eAWFVlyQ.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow ioc 50 iplogger.org 16 raw.githubusercontent.com 40 iplogger.org 49 raw.githubusercontent.com -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 api64.ipify.org 38 api64.ipify.org 40 ipinfo.io 41 ipinfo.io -
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepid process 3252 powercfg.exe 4460 powercfg.exe 1984 powercfg.exe 4268 powercfg.exe 744 powercfg.exe 1612 powercfg.exe 1952 powercfg.exe 2996 powercfg.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
gMXDcsqBIr2c0Kn7Kw0fInmz.exemsptjhkfda.exepid process 2264 gMXDcsqBIr2c0Kn7Kw0fInmz.exe 2392 msptjhkfda.exe 2392 msptjhkfda.exe -
Suspicious use of SetThreadContext 8 IoCs
Processes:
1725148829.119856_File.exe4mC5Y7nbNcRWOrRVz0zXSAEn.exemKStypmO9XJBkkW_xjsAmIse.exeMi84AzKrGhypOtRmSnf01zgl.exePel8pScpUBUSRZz0eAWFVlyQ.exeXsCYtOTiVYve210PxDhWTnr7.exeAdminDHCBAEHJJJ.exeAdminDBGHDGHCGH.exedescription pid process target process PID 1976 set thread context of 1380 1976 1725148829.119856_File.exe RegAsm.exe PID 3312 set thread context of 2364 3312 4mC5Y7nbNcRWOrRVz0zXSAEn.exe RegAsm.exe PID 2820 set thread context of 1452 2820 mKStypmO9XJBkkW_xjsAmIse.exe RegAsm.exe PID 1704 set thread context of 1508 1704 Mi84AzKrGhypOtRmSnf01zgl.exe RegAsm.exe PID 4212 set thread context of 1904 4212 Pel8pScpUBUSRZz0eAWFVlyQ.exe Pel8pScpUBUSRZz0eAWFVlyQ.exe PID 4268 set thread context of 1680 4268 XsCYtOTiVYve210PxDhWTnr7.exe XsCYtOTiVYve210PxDhWTnr7.exe PID 2044 set thread context of 4728 2044 AdminDHCBAEHJJJ.exe RegAsm.exe PID 3980 set thread context of 1044 3980 AdminDBGHDGHCGH.exe RegAsm.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 5008 sc.exe 3392 sc.exe 952 sc.exe 2448 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 1092 1044 WerFault.exe RegAsm.exe 2564 2452 WerFault.exe RegAsm.exe 4800 2452 WerFault.exe RegAsm.exe -
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
XsCYtOTiVYve210PxDhWTnr7.exeRegAsm.exeAdminDHCBAEHJJJ.exePel8pScpUBUSRZz0eAWFVlyQ.exeRegAsm.exeMi84AzKrGhypOtRmSnf01zgl.exevideoconvertermax32_64.exeschtasks.exemexBLkBRJ6MTJ877Z4GVTnkU.tmp4mC5Y7nbNcRWOrRVz0zXSAEn.exeRegAsm.execmd.exeAdminDBGHDGHCGH.exeXsCYtOTiVYve210PxDhWTnr7.exeRegAsm.exeschtasks.exeRegAsm.exemexBLkBRJ6MTJ877Z4GVTnkU.exePel8pScpUBUSRZz0eAWFVlyQ.exeRegAsm.execmd.exe1725148829.119856_File.exegMXDcsqBIr2c0Kn7Kw0fInmz.exemKStypmO9XJBkkW_xjsAmIse.exemsptjhkfda.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language XsCYtOTiVYve210PxDhWTnr7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AdminDHCBAEHJJJ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pel8pScpUBUSRZz0eAWFVlyQ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mi84AzKrGhypOtRmSnf01zgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language videoconvertermax32_64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mexBLkBRJ6MTJ877Z4GVTnkU.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4mC5Y7nbNcRWOrRVz0zXSAEn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AdminDBGHDGHCGH.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language XsCYtOTiVYve210PxDhWTnr7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mexBLkBRJ6MTJ877Z4GVTnkU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pel8pScpUBUSRZz0eAWFVlyQ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1725148829.119856_File.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gMXDcsqBIr2c0Kn7Kw0fInmz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mKStypmO9XJBkkW_xjsAmIse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msptjhkfda.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RegAsm.exeRegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3372 timeout.exe -
Processes:
RegAsm.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 3360 schtasks.exe 3312 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
gMXDcsqBIr2c0Kn7Kw0fInmz.exeXsCYtOTiVYve210PxDhWTnr7.exeRegAsm.exerAs41tWSCPhv90DNdLRTzmYd.exepowershell.exepowershell.exepowershell.exepowershell.exeXsCYtOTiVYve210PxDhWTnr7.exepowershell.exeRegAsm.exepowershell.exepowershell.exepowershell.exeRegAsm.exepid process 2264 gMXDcsqBIr2c0Kn7Kw0fInmz.exe 2264 gMXDcsqBIr2c0Kn7Kw0fInmz.exe 4268 XsCYtOTiVYve210PxDhWTnr7.exe 4268 XsCYtOTiVYve210PxDhWTnr7.exe 2364 RegAsm.exe 2364 RegAsm.exe 2796 rAs41tWSCPhv90DNdLRTzmYd.exe 2796 rAs41tWSCPhv90DNdLRTzmYd.exe 32 powershell.exe 32 powershell.exe 32 powershell.exe 4268 powershell.exe 4268 powershell.exe 4268 powershell.exe 4660 powershell.exe 4660 powershell.exe 4660 powershell.exe 1952 powershell.exe 1952 powershell.exe 1952 powershell.exe 2364 RegAsm.exe 2364 RegAsm.exe 1680 XsCYtOTiVYve210PxDhWTnr7.exe 1680 XsCYtOTiVYve210PxDhWTnr7.exe 4652 powershell.exe 4652 powershell.exe 4652 powershell.exe 1508 RegAsm.exe 1508 RegAsm.exe 4112 powershell.exe 4112 powershell.exe 4112 powershell.exe 976 powershell.exe 976 powershell.exe 976 powershell.exe 3220 powershell.exe 3220 powershell.exe 3220 powershell.exe 1508 RegAsm.exe 1508 RegAsm.exe 1452 RegAsm.exe 1452 RegAsm.exe 1452 RegAsm.exe 1452 RegAsm.exe 1452 RegAsm.exe 1452 RegAsm.exe 1508 RegAsm.exe 1508 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
XsCYtOTiVYve210PxDhWTnr7.exeXsCYtOTiVYve210PxDhWTnr7.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 4268 XsCYtOTiVYve210PxDhWTnr7.exe Token: SeDebugPrivilege 1680 XsCYtOTiVYve210PxDhWTnr7.exe Token: SeBackupPrivilege 1680 XsCYtOTiVYve210PxDhWTnr7.exe Token: SeSecurityPrivilege 1680 XsCYtOTiVYve210PxDhWTnr7.exe Token: SeSecurityPrivilege 1680 XsCYtOTiVYve210PxDhWTnr7.exe Token: SeSecurityPrivilege 1680 XsCYtOTiVYve210PxDhWTnr7.exe Token: SeSecurityPrivilege 1680 XsCYtOTiVYve210PxDhWTnr7.exe Token: SeDebugPrivilege 32 powershell.exe Token: SeDebugPrivilege 4268 powershell.exe Token: SeDebugPrivilege 4660 powershell.exe Token: SeDebugPrivilege 1952 powershell.exe Token: SeDebugPrivilege 4652 powershell.exe Token: SeDebugPrivilege 4112 powershell.exe Token: SeDebugPrivilege 976 powershell.exe Token: SeDebugPrivilege 3220 powershell.exe Token: SeDebugPrivilege 1452 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msptjhkfda.exepid process 2392 msptjhkfda.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1725148829.119856_File.exeRegAsm.exemexBLkBRJ6MTJ877Z4GVTnkU.exe4mC5Y7nbNcRWOrRVz0zXSAEn.exemKStypmO9XJBkkW_xjsAmIse.exeMi84AzKrGhypOtRmSnf01zgl.exePel8pScpUBUSRZz0eAWFVlyQ.exedescription pid process target process PID 1976 wrote to memory of 1380 1976 1725148829.119856_File.exe RegAsm.exe PID 1976 wrote to memory of 1380 1976 1725148829.119856_File.exe RegAsm.exe PID 1976 wrote to memory of 1380 1976 1725148829.119856_File.exe RegAsm.exe PID 1976 wrote to memory of 1380 1976 1725148829.119856_File.exe RegAsm.exe PID 1976 wrote to memory of 1380 1976 1725148829.119856_File.exe RegAsm.exe PID 1976 wrote to memory of 1380 1976 1725148829.119856_File.exe RegAsm.exe PID 1976 wrote to memory of 1380 1976 1725148829.119856_File.exe RegAsm.exe PID 1976 wrote to memory of 1380 1976 1725148829.119856_File.exe RegAsm.exe PID 1976 wrote to memory of 1380 1976 1725148829.119856_File.exe RegAsm.exe PID 1976 wrote to memory of 1380 1976 1725148829.119856_File.exe RegAsm.exe PID 1380 wrote to memory of 3312 1380 RegAsm.exe schtasks.exe PID 1380 wrote to memory of 3312 1380 RegAsm.exe schtasks.exe PID 1380 wrote to memory of 3312 1380 RegAsm.exe schtasks.exe PID 1380 wrote to memory of 764 1380 RegAsm.exe smwwhSUC4AZ0GbZTP8GgiADp.exe PID 1380 wrote to memory of 764 1380 RegAsm.exe smwwhSUC4AZ0GbZTP8GgiADp.exe PID 1380 wrote to memory of 2820 1380 RegAsm.exe mKStypmO9XJBkkW_xjsAmIse.exe PID 1380 wrote to memory of 2820 1380 RegAsm.exe mKStypmO9XJBkkW_xjsAmIse.exe PID 1380 wrote to memory of 2820 1380 RegAsm.exe mKStypmO9XJBkkW_xjsAmIse.exe PID 1380 wrote to memory of 1704 1380 RegAsm.exe Mi84AzKrGhypOtRmSnf01zgl.exe PID 1380 wrote to memory of 1704 1380 RegAsm.exe Mi84AzKrGhypOtRmSnf01zgl.exe PID 1380 wrote to memory of 1704 1380 RegAsm.exe Mi84AzKrGhypOtRmSnf01zgl.exe PID 1380 wrote to memory of 2264 1380 RegAsm.exe gMXDcsqBIr2c0Kn7Kw0fInmz.exe PID 1380 wrote to memory of 2264 1380 RegAsm.exe gMXDcsqBIr2c0Kn7Kw0fInmz.exe PID 1380 wrote to memory of 2264 1380 RegAsm.exe gMXDcsqBIr2c0Kn7Kw0fInmz.exe PID 1380 wrote to memory of 4268 1380 RegAsm.exe powershell.exe PID 1380 wrote to memory of 4268 1380 RegAsm.exe powershell.exe PID 1380 wrote to memory of 4268 1380 RegAsm.exe powershell.exe PID 1380 wrote to memory of 2600 1380 RegAsm.exe mexBLkBRJ6MTJ877Z4GVTnkU.exe PID 1380 wrote to memory of 2600 1380 RegAsm.exe mexBLkBRJ6MTJ877Z4GVTnkU.exe PID 1380 wrote to memory of 2600 1380 RegAsm.exe mexBLkBRJ6MTJ877Z4GVTnkU.exe PID 1380 wrote to memory of 4212 1380 RegAsm.exe Pel8pScpUBUSRZz0eAWFVlyQ.exe PID 1380 wrote to memory of 4212 1380 RegAsm.exe Pel8pScpUBUSRZz0eAWFVlyQ.exe PID 1380 wrote to memory of 4212 1380 RegAsm.exe Pel8pScpUBUSRZz0eAWFVlyQ.exe PID 1380 wrote to memory of 2796 1380 RegAsm.exe rAs41tWSCPhv90DNdLRTzmYd.exe PID 1380 wrote to memory of 2796 1380 RegAsm.exe rAs41tWSCPhv90DNdLRTzmYd.exe PID 2600 wrote to memory of 2932 2600 mexBLkBRJ6MTJ877Z4GVTnkU.exe mexBLkBRJ6MTJ877Z4GVTnkU.tmp PID 2600 wrote to memory of 2932 2600 mexBLkBRJ6MTJ877Z4GVTnkU.exe mexBLkBRJ6MTJ877Z4GVTnkU.tmp PID 2600 wrote to memory of 2932 2600 mexBLkBRJ6MTJ877Z4GVTnkU.exe mexBLkBRJ6MTJ877Z4GVTnkU.tmp PID 3312 wrote to memory of 2364 3312 4mC5Y7nbNcRWOrRVz0zXSAEn.exe RegAsm.exe PID 3312 wrote to memory of 2364 3312 4mC5Y7nbNcRWOrRVz0zXSAEn.exe RegAsm.exe PID 3312 wrote to memory of 2364 3312 4mC5Y7nbNcRWOrRVz0zXSAEn.exe RegAsm.exe PID 3312 wrote to memory of 2364 3312 4mC5Y7nbNcRWOrRVz0zXSAEn.exe RegAsm.exe PID 3312 wrote to memory of 2364 3312 4mC5Y7nbNcRWOrRVz0zXSAEn.exe RegAsm.exe PID 3312 wrote to memory of 2364 3312 4mC5Y7nbNcRWOrRVz0zXSAEn.exe RegAsm.exe PID 3312 wrote to memory of 2364 3312 4mC5Y7nbNcRWOrRVz0zXSAEn.exe RegAsm.exe PID 3312 wrote to memory of 2364 3312 4mC5Y7nbNcRWOrRVz0zXSAEn.exe RegAsm.exe PID 3312 wrote to memory of 2364 3312 4mC5Y7nbNcRWOrRVz0zXSAEn.exe RegAsm.exe PID 2820 wrote to memory of 1452 2820 mKStypmO9XJBkkW_xjsAmIse.exe RegAsm.exe PID 2820 wrote to memory of 1452 2820 mKStypmO9XJBkkW_xjsAmIse.exe RegAsm.exe PID 2820 wrote to memory of 1452 2820 mKStypmO9XJBkkW_xjsAmIse.exe RegAsm.exe PID 2820 wrote to memory of 1452 2820 mKStypmO9XJBkkW_xjsAmIse.exe RegAsm.exe PID 2820 wrote to memory of 1452 2820 mKStypmO9XJBkkW_xjsAmIse.exe RegAsm.exe PID 2820 wrote to memory of 1452 2820 mKStypmO9XJBkkW_xjsAmIse.exe RegAsm.exe PID 2820 wrote to memory of 1452 2820 mKStypmO9XJBkkW_xjsAmIse.exe RegAsm.exe PID 2820 wrote to memory of 1452 2820 mKStypmO9XJBkkW_xjsAmIse.exe RegAsm.exe PID 1704 wrote to memory of 1508 1704 Mi84AzKrGhypOtRmSnf01zgl.exe RegAsm.exe PID 1704 wrote to memory of 1508 1704 Mi84AzKrGhypOtRmSnf01zgl.exe RegAsm.exe PID 1704 wrote to memory of 1508 1704 Mi84AzKrGhypOtRmSnf01zgl.exe RegAsm.exe PID 4212 wrote to memory of 1904 4212 Pel8pScpUBUSRZz0eAWFVlyQ.exe Pel8pScpUBUSRZz0eAWFVlyQ.exe PID 4212 wrote to memory of 1904 4212 Pel8pScpUBUSRZz0eAWFVlyQ.exe Pel8pScpUBUSRZz0eAWFVlyQ.exe PID 4212 wrote to memory of 1904 4212 Pel8pScpUBUSRZz0eAWFVlyQ.exe Pel8pScpUBUSRZz0eAWFVlyQ.exe PID 1704 wrote to memory of 1508 1704 Mi84AzKrGhypOtRmSnf01zgl.exe RegAsm.exe PID 1704 wrote to memory of 1508 1704 Mi84AzKrGhypOtRmSnf01zgl.exe RegAsm.exe PID 1704 wrote to memory of 1508 1704 Mi84AzKrGhypOtRmSnf01zgl.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1725148829.119856_File.exe"C:\Users\Admin\AppData\Local\Temp\1725148829.119856_File.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Users\Admin\Documents\iofolko5\4mC5Y7nbNcRWOrRVz0zXSAEn.exeC:\Users\Admin\Documents\iofolko5\4mC5Y7nbNcRWOrRVz0zXSAEn.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2364 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDHCBAEHJJJ.exe"5⤵
- System Location Discovery: System Language Discovery
PID:3960 -
C:\Users\AdminDHCBAEHJJJ.exe"C:\Users\AdminDHCBAEHJJJ.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
PID:4728 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDBGHDGHCGH.exe"5⤵
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Users\AdminDBGHDGHCGH.exe"C:\Users\AdminDBGHDGHCGH.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3980 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 12768⤵
- Program crash
PID:1092 -
C:\Users\Admin\Documents\iofolko5\smwwhSUC4AZ0GbZTP8GgiADp.exeC:\Users\Admin\Documents\iofolko5\smwwhSUC4AZ0GbZTP8GgiADp.exe3⤵
- Executes dropped EXE
PID:764 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:32 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Recovery'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Liliafer'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%USERPROFILE%\Desktop'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220 -
C:\Liliafer\msptjhkfda.exeC:\Liliafer\msptjhkfda.exe4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2392 -
C:\Users\Admin\Documents\iofolko5\mKStypmO9XJBkkW_xjsAmIse.exeC:\Users\Admin\Documents\iofolko5\mKStypmO9XJBkkW_xjsAmIse.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452 -
C:\Users\Admin\Documents\iofolko5\Mi84AzKrGhypOtRmSnf01zgl.exeC:\Users\Admin\Documents\iofolko5\Mi84AzKrGhypOtRmSnf01zgl.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1508 -
C:\ProgramData\EGCGHCBKFC.exe"C:\ProgramData\EGCGHCBKFC.exe"5⤵PID:4412
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:2452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 12887⤵
- Program crash
PID:4800 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 12487⤵
- Program crash
PID:2564 -
C:\ProgramData\KJDGDGDHDG.exe"C:\ProgramData\KJDGDGDHDG.exe"5⤵PID:1216
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:4652
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:2960
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KJEHJKJEBGHJ" & exit5⤵PID:2448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4660
-
C:\Windows\SysWOW64\timeout.exetimeout /t 106⤵
- Delays execution with timeout.exe
PID:3372 -
C:\Users\Admin\Documents\iofolko5\gMXDcsqBIr2c0Kn7Kw0fInmz.exeC:\Users\Admin\Documents\iofolko5\gMXDcsqBIr2c0Kn7Kw0fInmz.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2264 -
C:\Users\Admin\Documents\iofolko5\rAs41tWSCPhv90DNdLRTzmYd.exeC:\Users\Admin\Documents\iofolko5\rAs41tWSCPhv90DNdLRTzmYd.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2796 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
PID:2996 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
PID:3252 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
PID:4460 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:3960
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
PID:1984 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "VIFLJRPW"4⤵
- Launches sc.exe
PID:5008 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"4⤵
- Launches sc.exe
PID:3392 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:2448 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "VIFLJRPW"4⤵
- Launches sc.exe
PID:952 -
C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exeC:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268 -
C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe"C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe"4⤵
- Executes dropped EXE
PID:1172 -
C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe"C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exeC:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exe"C:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3360 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3312 -
C:\Users\Admin\Documents\iofolko5\mexBLkBRJ6MTJ877Z4GVTnkU.exeC:\Users\Admin\Documents\iofolko5\mexBLkBRJ6MTJ877Z4GVTnkU.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\is-JLIJ6.tmp\mexBLkBRJ6MTJ877Z4GVTnkU.tmp"C:\Users\Admin\AppData\Local\Temp\is-JLIJ6.tmp\mexBLkBRJ6MTJ877Z4GVTnkU.tmp" /SL5="$8027A,3429829,54272,C:\Users\Admin\Documents\iofolko5\mexBLkBRJ6MTJ877Z4GVTnkU.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Users\Admin\AppData\Local\Free Video Converter Max\videoconvertermax32_64.exe"C:\Users\Admin\AppData\Local\Free Video Converter Max\videoconvertermax32_64.exe" -i5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2612
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵PID:2044
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1044 -ip 10442⤵PID:3536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2452 -ip 24522⤵PID:3144
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2452 -ip 24522⤵PID:2112
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2452 -ip 24522⤵PID:4776
-
C:\ProgramData\xprfjygruytr\etzpikspwykg.exeC:\ProgramData\xprfjygruytr\etzpikspwykg.exe1⤵PID:8
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:1952 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:1612 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
PID:744 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:4268 -
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:860
-
C:\Windows\system32\svchost.exesvchost.exe2⤵PID:564
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD535b8c1c64fe230be546ef57fc2402c09
SHA106a4298da56d14b37f051171463603cc43727f3a
SHA256f5a0022c0b4669fa4a8f89fe75b0f230afc6e4d3c31bded8d6d4328fbb76d5bf
SHA51218ce36ae35ec32963ddb92c9dc63a200e952d9b0e21e2dcca9878324c67294997fc394479d74af4b293cefc7a3ce993695bf8bcbfcf5088553c797b66e11b44b
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
114KB
MD56205160b38ce34c90456d967715ca941
SHA1fce483a831467c4f8b8cf9558ff753d1f1d4d340
SHA2565df07863dae25402f552f8cb599367a9e5d0f7e913648c07c163c1a4ff656407
SHA5129249ccfe3272002224f348bbffac93b59d1f207237a12e07e694ab38d3ecd198ea470596cb0114e6b29aedd7d90879c1ebddfe6c370be8eff401948c8345b7fb
-
Filesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
Filesize
11KB
MD5f9711ba270e571c3e7b88d12d2cbac7d
SHA1e72a7d8db8e674d7d5ae5e61b55075dedba7a9c0
SHA256cabb2cab893db44aa94d3fb400eba2893699e3f58c0cf84b3f1aefbb30aa4e0e
SHA512a58048085d88d2532c61b7a3f7eac60a8fd8a1b9149bc15697746db89d2868e7be94cc2d0374c7322979277ecb29f70c8f14c6579075e8bb6c1e9a3f658cac72
-
Filesize
669KB
MD5550686c0ee48c386dfcb40199bd076ac
SHA1ee5134da4d3efcb466081fb6197be5e12a5b22ab
SHA256edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
SHA5120b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
439KB
MD55ff1fca37c466d6723ec67be93b51442
SHA134cc4e158092083b13d67d6d2bc9e57b798a303b
SHA2565136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA5124802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
251KB
MD54e52d739c324db8225bd9ab2695f262f
SHA171c3da43dc5a0d2a1941e874a6d015a071783889
SHA25674ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA5122d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6
-
Filesize
78KB
MD5a37ee36b536409056a86f50e67777dd7
SHA11cafa159292aa736fc595fc04e16325b27cd6750
SHA2568934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA5123a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
Filesize
383KB
MD5463fa073a06a2d19d0a8395d94d12fb4
SHA1257b18e3d4c1004afafce8c2ff7c604a459abef9
SHA25648c76c428ef4e3e11a2ab4e3e0689465415d0c491179709c70f89067e096cd8f
SHA512ccac763a4c8744fd6493822d3399fbf8066d5f0465004d20be92dde7ca6b47932b1d6988dde536e9a3d9ae58856ef1f9406909bca6215fe45f02294cc0121f63
-
Filesize
3.5MB
MD50451ab717fb9d85d548df23d0f3d0596
SHA14704da48917a13b6acfcc7ad18727b16bdef3274
SHA256a6c3d2b564125c7fc51643e9f778e2404da45c2790a0d7f5d9f3bf8bb5acc35d
SHA5128dd396656a8e7b09f81066f0c88ff3449c7ba02d34149f97f7021288366988478853266e62bbb93155e1ee660f939229f876eb6ff156aa78f13e80f6f60421b3
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
425B
MD5bb27934be8860266d478c13f2d65f45e
SHA1a69a0e171864dcac9ade1b04fc0313e6b4024ccb
SHA25685ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4
SHA51287dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb
-
Filesize
617B
MD53ed4d7ca42ade54d0dedaf2f11b46e83
SHA165a563e185b03f2c3a9764a38c15bbff1e3acc4f
SHA256a2e15cb4d04d01dcb2156d754dae42c92c7e1824dd260f306a5f834a467ce993
SHA5126e941fcd818b208fd4b17102f39239dcc10e50ca819e5fbbc9130917efd09dae18ba4d8c9a181d2582ccbd8ea52249551eb6265017a82b018b6a6b95087c8933
-
Filesize
2.3MB
MD590e744829865d57082a7f452edc90de5
SHA1833b178775f39675fa4e55eab1032353514e1052
SHA256036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550
SHA5120a2d112ff7cb806a74f5ec17fe097d28107bb497d6ed5ad28ea47e6795434ba903cdb49aaf97a9a99c08cd0411f1969cad93031246dc107c26606a898e570323
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
944B
MD5781da0576417bf414dc558e5a315e2be
SHA1215451c1e370be595f1c389f587efeaa93108b4c
SHA25641a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe
SHA51224e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737
-
Filesize
944B
MD5050567a067ffea4eb40fe2eefebdc1ee
SHA16e1fb2c7a7976e0724c532449e97722787a00fec
SHA2563952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
SHA512341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259
-
Filesize
944B
MD51189a72e42e2321edf1ed3a8d5568687
SHA1a2142fc754d6830de107d9d46f398483156f16a6
SHA256009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea
SHA512b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29
-
Filesize
944B
MD534e3230cb2131270db1af79fb3d57752
SHA121434dd7cf3c4624226b89f404fd7982825f8ac6
SHA2560f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39
SHA5123756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335
-
Filesize
944B
MD50d1f09639656a53035ea14bb10d6e36c
SHA1c3e76231c631f26eee988c8d72db53002150ad9d
SHA256f437a53b1c3986583492450a06337658312f06c10cb302e353947e6a4fef0889
SHA512469aa860e902c156d62ef0ef804371896b5ca81c0b8e77f53922b4048479f876dde39866db394418984f6ff71e1e364a5506db7d4c2f1174f2358183a0dab087
-
Filesize
944B
MD5cc349bca6af5d58c4d32aaa973a6120d
SHA100e9a04a3794cc0da7ac7613e812fac1cc3a57aa
SHA2565e2069281396a765ad0d1468ca9244a5c816d35b4919f67c47ca5a368267a73c
SHA512a32cc7b654055614682a0458c709cab0b7396a64768848d7b0ef2e3a5c92e1924e5e5314b2ceb070efd614615f3704f0c86860daee9000d2549d505cf4cd7684
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
680KB
MD538deb275b04a61c5837ef9597e066fcd
SHA1c389def26f07be7c4f44e1d3b686ed52de401753
SHA256346d652d50dd304ef8eafa8ffcc3b959363d006bb97a96caba169cde8c3cbc8e
SHA512385a604f61e8a2c4dd1610a34361b1248491639961f891db509e45890457ff647c6305390ebfbde5a26ce29c748a87f422840d2935be2988d5aeb9bbfd95cb62
-
Filesize
269KB
MD568da26c2c1d0d040a86cc3910a40d287
SHA1b374f418f3d086868f661ae2108a71e8eb70dcfa
SHA2560904ef6ec1a22ab31adf07bb35bb0667603c574032da3e6004fb1592cea15b06
SHA51209b0647bf8e9d01bb36cf90cc82ecd33d545586ffa7ef14bf903f796739bc1c3c0986aa0f71851407434fc215214acb082fd6e95a24ca027a1d51982a1841b08
-
Filesize
252KB
MD519206462deb8093a24b063f75c0f88a0
SHA1294b76a6e7dceadde162e682c69115151edd8d73
SHA256a672db5e7e34e662bbf17075a2076dc0b3479f75a49982c77e575077813ace94
SHA512426db34d5128e3071f766bf937b04959b90016448311789b97fb8b39d214f4129818e2b24e4c068eb3d1d1ef45be82bd16139f2db0eecb7c6d7b2c57001f06e8
-
Filesize
2.9MB
MD5d4ac1a0d0504ab9a127defa511df833e
SHA19254864b6917eba6d4d4616ac2564f192626668b
SHA256a29c9ebecbe58f11b98fa8f685619e46bbe0a73ca7f770a71a14051aa0bd9848
SHA51259b707d1c4f3c66337ec2f913de4b3506786a31108fc621bdbe7201490e91b0f7b70505763f71d53eee0eaacf477dc6ef9cd50769881654daf1b678eaaf994c5
-
Filesize
6.3MB
MD5bd2891236510c953d469e346d092f0c7
SHA16409a3259b18ecf91d2ff6a43ff319c2f8158be2
SHA2561cf403233a05fd6140f33df350f8edccf51eea02746c6ba4ab3e31b32b8bab44
SHA512409abb8ce3382297bb669e7b7edfa44b0c2166831a6212223237245cba0595cf35592ec9755c839a69372bd0a4e96c74b98e7bca375a82b3e0707658d4b5802d
-
Filesize
1.7MB
MD54847d6885adc7ea78fdf9918c384cecb
SHA19eb0ce983f5a81300f18331b4899e03692fea6ef
SHA2562954dec8276af3d7c60154c2afb2ae360d696c6a90eb779fd9e380848c6fd8cc
SHA512e9b4d83425344b7137477105ee474c114f098d6c6e41d7bdfb47fb5902e32ba5c91ae9b9a3629dbad0ce4151bbf9d880c80dbfd5002d77da9ad88e8aa67f41fe
-
Filesize
375KB
MD51b4e6b62027f8ee24d3401c9ec96f672
SHA16bb4152446cd1ed5752f81f7ba4053b8e12d0852
SHA256d30d079e3e347e11a8d8ebd5ec025367968147b52d47d15c61a7bc48e0fbeee2
SHA512bf8a779100c87206018926bc077ffd23bdce02fe5f47518e528e747b0ed83f60972d98abdf618ac514f8ac87250488fe0cab7756bc11ba18686e0d45c1c0dffc
-
Filesize
3.5MB
MD5fdcc68a75a0e43485921c995d7b30aa5
SHA1904c066f7a5aa391a105de475fe0621ea9434a67
SHA256350cdb47086ec6370f72779d1851953c3d12a91f0e6b59571be703a4538bbc48
SHA51211df46188805f1b943c4e4885eabcd66aa146c222f6863e1110a964d7d313587dd7ad3558380152ddf62980160b4580c2ec9f497ab41b7ed48a5d46de0b8fdbd
-
Filesize
10.4MB
MD5025ebe0a476fe1a27749e6da0eea724f
SHA1fe844380280463b927b9368f9eace55eb97baab7
SHA2562a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2
SHA5125f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799
-
Filesize
7.8MB
MD501a3155b62c88c17d864f9fd78745902
SHA1ad629d70451330123fcd8c98e6a05406c4aea050
SHA25682475d4397b6d833a0b170945b7fb607eb82e3609dc35dc51f04884be3a91155
SHA512e61debb7a875414fa8af8baa28847fd852c719da94107e98a5209b96cd09dab99f3d291ddd7692b1074bf95a8d8e624423264d0ac524e9ff7a2e174acddc0a42