Analysis
max time kernel: 50s
max time network: 90s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 17/11/2024, 15:09

Static task: static1
Behavioral task behavioral1: sample Discord.rar, resource win10ltsc2021-20241023-en
Behavioral task behavioral2: sample Prv.exe, resource win10ltsc2021-20241023-en
Behavioral task behavioral3: sample SecureEngineSDK64.dll, resource win10ltsc2021-20241023-en
Behavioral task behavioral4: sample libcrypto-3-x64.dll, resource win10ltsc2021-20241023-en
General
Target: Discord.rar
Size: 2.1MB
MD5: 2a605d92acf5b0f402b51eb4cd890f88
SHA1: ba95e03eece9d1cf9e6c05f860e8103d7f67672d
SHA256: e811decdc0c746351da7e841174ea7a644c287ae1ca177503f0f18930458e4f2
SHA512: 7dc1ec73052a77916b547aa0a819773887a01b52f392c493f59351bf87e4e38e5c979a302dce41fb6f2bb017c975cfedff066490277e43a2c38fc595e736e9aa
SSDEEP: 49152:+h208JbvjGu3UlCFj/vr6aOes7+525/3/iSOiZVpXCbI0H+lD:+h21vElCFj/vuaRs7+52lvO8Vp6gD
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 2 IoCs)
    pid 4848 netsh.exe; pid 3372 netsh.exe
Executes dropped EXE (1 IoC)
    pid 2512 Prv.exe
Loads dropped DLL (2 IoCs)
    pid 2512 Prv.exe (2 occurrences)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
    flow 48 discord.com; flow 49 discord.com
Launches sc.exe (5 IoCs)
    Sc.exe is a Windows utility to control services on the system.
    pid 1688 sc.exe; pid 1708 sc.exe; pid 440 sc.exe; pid 1092 sc.exe; pid 4432 sc.exe
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
    Key queried      \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
    Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
    Key opened       \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Gathers network information (2 TTPs, 2 IoCs)
    Uses commandline utility to view network configuration.
    pid 4132 ipconfig.exe; pid 3156 ipconfig.exe
Kills process with taskkill (21 IoCs)
    taskkill.exe pids: 5044, 1748, 2572, 616, 3876, 3880, 792, 3784, 8, 1492, 1976, 4580, 380, 4700, 4584, 3292, 3780, 3004, 4800, 4980, 4976
Opens file in notepad (likely ransom note) (1 IoC)
    pid 548 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid 2512 Prv.exe (64 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid 5020 7zFM.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
    Token: SeRestorePrivilege   pid 5020 7zFM.exe
    Token: 35                   pid 5020 7zFM.exe
    Token: SeSecurityPrivilege  pid 5020 7zFM.exe
    Token: SeRestorePrivilege   pid 3796 7zG.exe
    Token: 35                   pid 3796 7zG.exe
    Token: SeSecurityPrivilege  pid 3796 7zG.exe
    Token: SeSecurityPrivilege  pid 3796 7zG.exe
    Token: SeDebugPrivilege     pid 4580 taskkill.exe
    Token: SeDebugPrivilege     pid 5044 taskkill.exe
    Token: SeDebugPrivilege     pid 380 taskkill.exe
    Token: SeDebugPrivilege     pid 792 taskkill.exe
    Token: SeDebugPrivilege     pid 3784 taskkill.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
    pid 5020 7zFM.exe (2 occurrences); pid 3796 7zG.exe
Suspicious use of SetWindowsHookEx (1 IoC)
    pid 2512 Prv.exe
Suspicious use of WriteProcessMemory (46 IoCs; each of the 23 writes below was recorded twice)
    pid   Process   target pid   procid_target
    2512  Prv.exe   4920         100
    4920  cmd.exe   4132         101
    2512  Prv.exe   2572         102
    2572  cmd.exe   4848         103
    2512  Prv.exe   1280         104
    2512  Prv.exe   1812         105
    1812  cmd.exe   1696         106
    2512  Prv.exe   60           107
    2512  Prv.exe   1584         108
    1584  cmd.exe   4580         109
    2512  Prv.exe   5072         110
    5072  cmd.exe   5044         111
    2512  Prv.exe   1380         112
    1380  cmd.exe   380          113
    2512  Prv.exe   2828         114
    2828  cmd.exe   1708         115
    2512  Prv.exe   2564         116
    2564  cmd.exe   792          117
    2512  Prv.exe   460          118
    2512  Prv.exe   4612         119
    4612  cmd.exe   4620         120
    2512  Prv.exe   4768         121
    4768  cmd.exe   3784         122
Processes
Each entry gives the PID, the image path and the command line; child processes are indented under their parent, and triggered signatures follow as "- " items.

PID 5020  C:\Program Files\7-Zip\7zFM.exe  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Discord.rar"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
PID 3796  C:\Program Files\7-Zip\7zG.exe  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Discord\" -ad -an -ai#7zMap25000:72:7zEvent15712
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
PID 1216  C:\Windows\System32\rundll32.exe  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID 2512  C:\Users\Admin\Desktop\Discord\Prv.exe  "C:\Users\Admin\Desktop\Discord\Prv.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID 4920  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        - Suspicious use of WriteProcessMemory
        PID 4132  C:\Windows\system32\ipconfig.exe  ipconfig /flushdns
            - Gathers network information
    PID 2572  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Block IP"
        - Suspicious use of WriteProcessMemory
        PID 4848  C:\Windows\system32\netsh.exe  netsh advfirewall firewall delete rule name="Block IP"
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
    PID 1280  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c cls
    PID 1812  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12
        - Suspicious use of WriteProcessMemory
        PID 1696  C:\Windows\system32\mode.com  MODE CON COLS=55 LINES=12
    PID 60  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c cls
    PID 1584  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        - Suspicious use of WriteProcessMemory
        PID 4580  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    PID 5072  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        - Suspicious use of WriteProcessMemory
        PID 5044  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    PID 1380  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        - Suspicious use of WriteProcessMemory
        PID 380  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    PID 2828  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        - Suspicious use of WriteProcessMemory
        PID 1708  C:\Windows\system32\sc.exe  sc stop HTTPDebuggerPro
            - Launches sc.exe
    PID 2564  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        - Suspicious use of WriteProcessMemory
        PID 792  C:\Windows\system32\taskkill.exe  taskkill /IM HTTPDebuggerSvc.exe /F
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    PID 460  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    PID 4612  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5 >> C:\ProgramData\hash.txt
        - Suspicious use of WriteProcessMemory
        PID 4620  C:\Windows\system32\certutil.exe  certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5
    PID 4768  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        - Suspicious use of WriteProcessMemory
        PID 3784  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    PID 4824  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        PID 8  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            - Kills process with taskkill
    PID 3552  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        PID 3780  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            - Kills process with taskkill
    PID 2616  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        PID 440  C:\Windows\system32\sc.exe  sc stop HTTPDebuggerPro
            - Launches sc.exe
    PID 1476  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        PID 3004  C:\Windows\system32\taskkill.exe  taskkill /IM HTTPDebuggerSvc.exe /F
            - Kills process with taskkill
    PID 3880  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    PID 1820  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        PID 4700  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            - Kills process with taskkill
    PID 3796  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        PID 1748  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            - Kills process with taskkill
    PID 4056  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        PID 2572  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            - Kills process with taskkill
    PID 1760  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        PID 1092  C:\Windows\system32\sc.exe  sc stop HTTPDebuggerPro
            - Launches sc.exe
    PID 836  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        PID 4980  C:\Windows\system32\taskkill.exe  taskkill /IM HTTPDebuggerSvc.exe /F
            - Kills process with taskkill
    PID 2448  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    PID 3096  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c cls
    PID 1104  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        PID 4976  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            - Kills process with taskkill
    PID 4620  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        PID 3876  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            - Kills process with taskkill
    PID 2140  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        PID 3880  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            - Kills process with taskkill
    PID 3076  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        PID 1688  C:\Windows\system32\sc.exe  sc stop HTTPDebuggerPro
            - Launches sc.exe
    PID 2136  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
PID 2160  C:\Users\Admin\Desktop\Discord\Prv.exe  "C:\Users\Admin\Desktop\Discord\Prv.exe"
    PID 3996  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        PID 3156  C:\Windows\system32\ipconfig.exe  ipconfig /flushdns
            - Gathers network information
    PID 3728  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Block IP"
        PID 3372  C:\Windows\system32\netsh.exe  netsh advfirewall firewall delete rule name="Block IP"
            - Modifies Windows Firewall
    PID 3740  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c cls
    PID 3228  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12
        PID 4692  C:\Windows\system32\mode.com  MODE CON COLS=55 LINES=12
    PID 2124  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c cls
    PID 3848  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        PID 4800  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            - Kills process with taskkill
    PID 192  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        PID 1492  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            - Kills process with taskkill
    PID 920  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        PID 616  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            - Kills process with taskkill
    PID 2476  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        PID 4432  C:\Windows\system32\sc.exe  sc stop HTTPDebuggerPro
            - Launches sc.exe
    PID 4616  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        PID 1976  C:\Windows\system32\taskkill.exe  taskkill /IM HTTPDebuggerSvc.exe /F
            - Kills process with taskkill
    PID 4760  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    PID 3792  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5 >> C:\ProgramData\hash.txt
        PID 440  C:\Windows\system32\certutil.exe  certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5
    PID 2524  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        PID 4584  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            - Kills process with taskkill
    PID 5000  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        PID 3292  C:\Windows\system32\taskkill.exe  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            - Kills process with taskkill
    PID 1164  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
PID 888  C:\Windows\system32\OpenWith.exe  C:\Windows\system32\OpenWith.exe -Embedding
    PID 548  C:\Windows\system32\NOTEPAD.EXE  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Discord\SecureEngineSDK64.dll
        - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Execution
    Command and Scripting Interpreter (1)
    System Services (1): Service Execution (1)
Persistence
    Create or Modify System Process (2): Windows Service (2)
    Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads