Overview
overview
10Static
static
10Trojan/BlueScreen.exe
windows10-ltsc 2021-x64
5Trojan/Bolbi.vbs
windows10-ltsc 2021-x64
10Trojan/Carewmr.vbs
windows10-ltsc 2021-x64
4Trojan/Dud...an.bat
windows10-ltsc 2021-x64
1Trojan/Fra...n.docx
windows10-ltsc 2021-x64
1Trojan/Grave.apk
windows10-ltsc 2021-x64
3Trojan/L0Lz.bat
windows10-ltsc 2021-x64
8Trojan/Malum.apk
windows10-ltsc 2021-x64
3Trojan/Mis...st.exe
windows10-ltsc 2021-x64
8Trojan/Mis...er.exe
windows10-ltsc 2021-x64
8Trojan/Mis...RC.exe
windows10-ltsc 2021-x64
8Trojan/Mob...re.apk
windows10-ltsc 2021-x64
3Trojan/Mrs...or.exe
windows10-ltsc 2021-x64
MrsMajor2.0.exe
windows10-ltsc 2021-x64
Trojan/Mrs....0.exe
windows10-ltsc 2021-x64
10Trojan/Offiz.html
windows10-ltsc 2021-x64
4Trojan/Spa...rk.exe
windows10-ltsc 2021-x64
7Trojan/Spa...rk.exe
windows10-ltsc 2021-x64
9Trojan/XCS...f54ca6
windows10-ltsc 2021-x64
3Trojan/XCS...2aed41
windows10-ltsc 2021-x64
3Trojan/XCS...b54692
windows10-ltsc 2021-x64
3Trojan/XCS...00f6c1
windows10-ltsc 2021-x64
3Trojan/elite.apk
windows10-ltsc 2021-x64
3Trojan/mobelejen.apk
windows10-ltsc 2021-x64
3Trojan/vi4a.apk
windows10-ltsc 2021-x64
3Analysis
-
max time kernel
26s -
max time network
29s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
06-12-2024 10:38
Behavioral task
behavioral1
Sample
Trojan/BlueScreen.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral2
Sample
Trojan/Bolbi.vbs
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
Trojan/Carewmr.vbs
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral4
Sample
Trojan/DudleyTrojan.bat
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral5
Sample
Trojan/Frankenstein.docx
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral6
Sample
Trojan/Grave.apk
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral7
Sample
Trojan/L0Lz.bat
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral8
Sample
Trojan/Malum.apk
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral9
Sample
Trojan/Mist/MistInfected_newest.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral10
Sample
Trojan/Mist/MistInstaller.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral11
Sample
Trojan/Mist/MistInstallerRC.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral12
Sample
Trojan/Mobile_Legends_Adventure.apk
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral13
Sample
Trojan/MrsMajors/BossDaMajor/BossDaMajor.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral14
Sample
MrsMajor2.0.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral15
Sample
Trojan/MrsMajors/MrsMajor3.0.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral16
Sample
Trojan/Offiz.html
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral17
Sample
Trojan/Spark/NETFramework.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral18
Sample
Trojan/Spark/Spark.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral19
Sample
Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral20
Sample
Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6fa938770e83ef2e177e8adf4a2ea3d2d5b26107c30f9d85c3d1a557db2aed41
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral21
Sample
Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.ac3467a04eeb552d92651af1187bdc795100ea77a7a1ac755b4681c654b54692
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral22
Sample
Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.d11a549e6bc913c78673f4e142e577f372311404766be8a3153792de9f00f6c1
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral23
Sample
Trojan/elite.apk
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral24
Sample
Trojan/mobelejen.apk
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral25
Sample
Trojan/vi4a.apk
Resource
win10ltsc2021-20241023-en
Errors
General
-
Target
Trojan/MrsMajors/BossDaMajor/BossDaMajor.exe
-
Size
1.9MB
-
MD5
38ff71c1dee2a9add67f1edb1a30ff8c
-
SHA1
10f0defd98d4e5096fbeb321b28d6559e44d66db
-
SHA256
730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
-
SHA512
8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9
-
SSDEEP
49152:veG3J7FtM9SbJakTiTBMGSARaspyyx979PSxgKFdGlYU:2GZxSoJrTiTBMGtRa8t7EFddU
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" wscript.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" wscript.exe -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation BossDaMajor.exe Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation wscript.exe -
Modifies system executable filetype association 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe -
Drops desktop.ini file(s) 7 IoCs
description ioc Process File opened for modification C:\Users\Admin\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Pictures\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Music\desktop.ini wmplayer.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\S: wmplayer.exe File opened (read-only) \??\E: unregmp2.exe File opened (read-only) \??\Q: unregmp2.exe File opened (read-only) \??\V: unregmp2.exe File opened (read-only) \??\Y: unregmp2.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\B: unregmp2.exe File opened (read-only) \??\G: unregmp2.exe File opened (read-only) \??\W: unregmp2.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\P: unregmp2.exe File opened (read-only) \??\R: unregmp2.exe File opened (read-only) \??\Z: unregmp2.exe File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\J: unregmp2.exe File opened (read-only) \??\O: unregmp2.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\O: wmplayer.exe File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\H: unregmp2.exe File opened (read-only) \??\L: unregmp2.exe File opened (read-only) \??\M: unregmp2.exe File opened (read-only) \??\S: unregmp2.exe File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\Q: wmplayer.exe File opened (read-only) \??\W: wmplayer.exe File opened (read-only) \??\A: unregmp2.exe File opened (read-only) \??\N: unregmp2.exe File opened (read-only) \??\T: unregmp2.exe File opened (read-only) \??\X: unregmp2.exe File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\I: unregmp2.exe File opened (read-only) \??\K: unregmp2.exe File opened (read-only) \??\U: unregmp2.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File created C:\Program Files\mrsmajor\Launcher.vbs wscript.exe File created C:\Program Files\mrsmajor\mrsmajorlauncher.vbs wscript.exe File created C:\Program Files\mrsmajor\WinLogon.bat wscript.exe File created C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg wscript.exe File created C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico wscript.exe File created C:\Program Files\mrsmajor\DreS_X.bat wscript.exe File created C:\Program Files\mrsmajor\MrsMjrGui.exe wscript.exe File created C:\Program Files\mrsmajor\Doll_patch.xml wscript.exe File created C:\Program Files\mrsmajor\def_resource\f11.mp4 wscript.exe File created C:\Program Files\mrsmajor\def_resource\Skullcur.cur wscript.exe File created C:\Program Files\mrsmajor\default.txt wscript.exe File created C:\Program Files\mrsmajor\def_resource\creepysound.mp3 wscript.exe File created C:\Program Files\mrsmajor\reStart.vbs wscript.exe File created C:\Program Files\mrsmajor\CPUUsage.vbs wscript.exe File created C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat wscript.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe -
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
pid Process 1484 wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BossDaMajor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmplayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language unregmp2.exe -
Modifies Control Panel 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\Cursors wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" wscript.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "130" LogonUI.exe -
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1669812756-2240353048-2660728061-1000\{C5D4F2DC-A3E6-45B5-A188-6E8A61B1EBDE} wmplayer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeShutdownPrivilege 1720 wmplayer.exe Token: SeCreatePagefilePrivilege 1720 wmplayer.exe Token: SeShutdownPrivilege 5008 unregmp2.exe Token: SeCreatePagefilePrivilege 5008 unregmp2.exe Token: 33 2292 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2292 AUDIODG.EXE Token: SeShutdownPrivilege 1720 wmplayer.exe Token: SeCreatePagefilePrivilege 1720 wmplayer.exe Token: SeShutdownPrivilege 4620 shutdown.exe Token: SeRemoteShutdownPrivilege 4620 shutdown.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1720 wmplayer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4484 LogonUI.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 64 wrote to memory of 4180 64 BossDaMajor.exe 79 PID 64 wrote to memory of 4180 64 BossDaMajor.exe 79 PID 4180 wrote to memory of 4720 4180 wscript.exe 81 PID 4180 wrote to memory of 4720 4180 wscript.exe 81 PID 4180 wrote to memory of 1484 4180 wscript.exe 86 PID 4180 wrote to memory of 1484 4180 wscript.exe 86 PID 1484 wrote to memory of 1720 1484 wscript.exe 87 PID 1484 wrote to memory of 1720 1484 wscript.exe 87 PID 1484 wrote to memory of 1720 1484 wscript.exe 87 PID 1720 wrote to memory of 4344 1720 wmplayer.exe 88 PID 1720 wrote to memory of 4344 1720 wmplayer.exe 88 PID 1720 wrote to memory of 4344 1720 wmplayer.exe 88 PID 4344 wrote to memory of 5008 4344 unregmp2.exe 89 PID 4344 wrote to memory of 5008 4344 unregmp2.exe 89 PID 1484 wrote to memory of 4620 1484 wscript.exe 98 PID 1484 wrote to memory of 4620 1484 wscript.exe 98 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan\MrsMajors\BossDaMajor\BossDaMajor.exe"C:\Users\Admin\AppData\Local\Temp\Trojan\MrsMajors\BossDaMajor\BossDaMajor.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4EFB.tmp\4EFC.vbs2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"3⤵PID:4720
-
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Access Token Manipulation: Create Process with Token
- Modifies Control Panel
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1484 -
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"4⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT6⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:5008
-
-
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 034⤵
- Suspicious use of AdjustPrivilegeToken
PID:4620
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
PID:2956
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x340 0x4681⤵
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a1f855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4484
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5c374c25875887db7d072033f817b6ce1
SHA13a6d10268f30e42f973dadf044dba7497e05cdaf
SHA25605d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6
SHA5126a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d
-
Filesize
1024KB
MD5aca6d4f52df95f35c75f598929da5234
SHA15dd6a74c831e5d75ff8498a94d23981373c741d4
SHA256b25cd0b315e6a8116531ccfceaa8e082a5ad37f56849722bfe75c489ac6ce5bd
SHA512666316985bac28329c29701ec05a83d23a5d65340c2dd70cfd9899faee2e210ac99d322230696ec0642e1ed03c3b5ed0c8aba76aa391b88e2b76374ddc4f3a89
-
Filesize
68KB
MD5d7d5f41209491916a9096613274ecffa
SHA1937a94c8b844f705d5745618826f08f5c1f10258
SHA2566f076fd99dc519591ab9e5adb3a67674f63f2583fb7e092cedfbff33f4b63981
SHA51211312eb5e75b83626b3b6dc499563ddf2520103bd7f22c0b05ac0b79acd09bbf75befbe339d1b9c391aaf601b6d86733d1bdebfa5e4d73470bf53cbb1b9e35d8
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1007B
MD55706bc5d518069a3b2be5e6fac51b12f
SHA1d7361f3623ecf05e63bb97cc9da8d5c50401575c
SHA2568a74eead47657582c84209eb4cdba545404d9c67dd288c605515a86e06de0aad
SHA512fb68727db0365ab10c5b0d5e5e1d44b95aa38806e33b0af3280abcefae83f30eb8252653e158ac941320f3b38507649cce41898c8511223ee8642339cfece047
-
Filesize
92B
MD50e4c01bf30b13c953f8f76db4a7e857d
SHA1b8ddbc05adcf890b55d82a9f00922376c1a22696
SHA25628e69e90466034ce392e84db2bde3ad43ad556d12609e3860f92016641b2a738
SHA5125e66e2793e7bc88066b8df3dccb554351287dea18207e280b69d7798ecd5cdc99bd4c126c3e394db9f45f54bb561e6688f928de4f638c5eca4f101dc2cea54a1
-
Filesize
360B
MD5ba81d7fa0662e8ee3780c5becc355a14
SHA10bd3d86116f431a43d02894337af084caf2b4de1
SHA2562590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816
SHA5120b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2
-
Filesize
244KB
MD5c7bf05d7cb3535f7485606cf5b5987fe
SHA19d480d6f1e3f17d5018c1d2f4ae257ae983f0bb5
SHA2564c1cfbe274f993941ac5fa512c376b6d7344800fb8be08cc6344e6c16a418311
SHA512d30952a75d94dd64b7bd253ed72810690f3550f2262cfaaef45854fc8334f6201a8cbafb9b175c6435f7ce0499567f2fa8667b4b0046bfb651bf61eb4278e6c8
-
Filesize
590B
MD5b5a1c9ae4c2ae863ac3f6a019f556a22
SHA19ae506e04b4b7394796d5c5640b8ba9eba71a4a6
SHA2566f0bb8cc239af15c9215867d6225c8ff344052aaa0deeb3452dbf463b8c46529
SHA512a644c48562e38190720fb55a6c6e7d5ccfab60f362236fe7d63caebdc01758f17196d123fb37bd11f7e247ce8ab21812165b27496d3bd6ca5e2c5efefab8fb03
-
Filesize
71KB
MD5450f49426b4519ecaac8cd04814c03a4
SHA1063ee81f46d56544a5c217ffab69ee949eaa6f45
SHA256087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d
SHA5120cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc
-
Filesize
98B
MD5c7146f88f4184c6ee5dcf7a62846aa23
SHA1215adb85d81cc4130154e73a2ab76c6e0f6f2ff3
SHA25647e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963
SHA5123b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10
-
Filesize
117B
MD5870bce376c1b71365390a9e9aefb9a33
SHA1176fdbdb8e5795fb5fddc81b2b4e1d9677779786
SHA2562798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc
SHA512f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53
-
Filesize
7KB
MD53e21bcf0d1e7f39d8b8ec2c940489ca2
SHA1fa6879a984d70241557bb0abb849f175ace2fd78
SHA256064f135fcc026a574552f42901b51052345f4b0f122edd7acd5f2dcc023160a5
SHA5125577e20f76d6b1cccc513392532a09bdc6dcd3a8a177b8035dc5d7eb082e0093436068f92059e301c5987e6122c4d9aff3e5ae9cc94ccc1ecc9951e2785b0922
-
Filesize
3KB
MD5cea57c3a54a04118f1db9db8b38ea17a
SHA1112d0f8913ff205776b975f54639c5c34ce43987
SHA256d2b6db8b28112da51e34972dec513278a56783d24b8b5408f11997e9e67d422b
SHA512561860907fa2f53c7853094299758232a70c0cd22c6df3534abd094c6970f28792c6c334a33b129d661a46930d90fd8c98f11cb34f3e277cf20a355b792f64f0
-
Filesize
1.2MB
MD54a9b1d8a8fe8a75c81ddba3e411ddc5d
SHA1e40cb1ee4490f6d7520902e12222446a8efbf9a8
SHA25679e9a3611494b5ffafaa79788ba7e11dd218e3800c40b56684ccc0c33ab64eac
SHA512e7a28acb04ca33d57efe0474bb67d6d4b8ceff9198198b81574c76c835d5df05d113fc468f4a4434580b1b58189f38184c376976604dc05d1424af1721995601
-
Filesize
227KB
MD517042b9e5fc04a571311cd484f17b9eb
SHA1585d91c69c3f9e3d2e8cb8cf984871d89cc4adbb
SHA256a9b0f1f849e0b41924f5e80b0c4948e63fc4b4f335bbdf0f997b03a3aff55424
SHA512709076c6cef8dd61701c93e1fe331d2b1a218498b833db10ee4d2be0816e3444aeebfa092ab1bd10322617cf3385414e8fdb76fd90f25b44ac24d38937b4d47f
-
Filesize
266B
MD530cfd8bb946a7e889090fb148ea6f501
SHA1c49dbc93f0f17ff65faf3b313562c655ef3f9753
SHA256e1ebbd3abfcaddf7d6960708f3ccd8eda64c944723f0905ff76551c692b94210
SHA5128e7d98e6d0c05d199114d2d6ab8da886aed68de690c4d79643868eaf051c229fff94c88d937adb3da5e31fe48116613cf79dd00dda30f296746ce0a8aded9fe2
-
Filesize
3KB
MD5e3fdf285b14fb588f674ebfc2134200c
SHA130fba2298b6e1fade4b5f9c8c80f7f1ea07de811
SHA2564d3aa3ecd16a6ba46a9d6c0bdacdcd9dce70d93585941a94e544696e3e6f7d92
SHA5129b0bfbb07c77d9e9979a6c0f88b0a93010133f7dd3cf01e1de5dfbe812a5ed920e916d16d6a32fe21b9ee4b5425e61a616ded1aeeb35a410d4f77c0f9392ed0a
-
Filesize
638B
MD50851e8d791f618daa5b72d40e0c8e32b
SHA180bea0443dc4cc508e846fefdb9de6c44ad8ff91
SHA2562cbd8bc239c5cfc3ef02f8472d867dff61e5aed9fde8a3823cda28cc37d77722
SHA51257a9d1d75dbbab842060b29f01958f7e6b27d0175ff9a3f7b97e423c1b4e3fae94547a569c2e5c88224fc5dcc785f5a1d49c61199a8c7b3afeb4fc520600df40
-
Filesize
1KB
MD52946e3cc23886cf6b53a1877562923c9
SHA175f24742cec3ae9c9d19e5f5cc4fd4e79ed71838
SHA2569ef626b9434adc0c6fa1781a1890245ed01a945d79b6dcd17e42bf0abcccdd7d
SHA512619d084300233c8590d080cee0180987f35a836e483023d8f5ee7a3754b8fd17fea7eca58cd824771d6a15cdb62cf216472f14b3da8eb8530defd680c6ba8c2a
-
Filesize
27B
MD5e20f623b1d5a781f86b51347260d68a5
SHA17e06a43ba81d27b017eb1d5dcc62124a9579f96e
SHA256afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179
SHA5122e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b