Resubmissions
31/01/2025, 20:51
250131-zngnysynhl 1022/01/2025, 17:19
250122-vv8c2awqf1 1022/01/2025, 16:20
250122-ts986swjel 1022/01/2025, 13:44
250122-q2a9nayng1 1022/01/2025, 13:43
250122-q1jjmszmel 1022/01/2025, 13:42
250122-qz519ayncz 1021/01/2025, 02:07
250121-cjzbwa1jhp 1020/01/2025, 18:36
250120-w88fmasqfy 1020/01/2025, 18:27
250120-w3q96asnh1 10Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
22/01/2025, 16:20
General
-
Target
4363463463464363463463463.exe
-
Size
764KB
-
MD5
85e3d4ac5a6ef32fb93764c090ef32b7
-
SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
-
SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
-
SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
-
SSDEEP
12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
lumma
https://covvercilverow.shop/api
https://surroundeocw.shop/api
https://abortinoiwiam.shop/api
https://pumpkinkwquo.shop/api
https://priooozekw.shop/api
https://deallyharvenw.shop/api
https://defenddsouneuw.shop/api
https://racedsuitreow.shop/api
https://roaddrermncomplai.shop/api
Extracted
quasar
1.4.1
Main
tpinauskas-54803.portmap.host:54803
8422dcc2-b8bd-4080-a017-5b62524b6546
-
encryption_key
2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
-
install_name
Win64.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Win64
-
subdirectory
SubDir
Extracted
quasar
1.4.1
Office04
interestingsigma.hopto.org:20
11bbf22e-826e-486b-b024-adbd86228a9e
-
encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
ctfmon
-
subdirectory
SubDir
Extracted
asyncrat
0.5.7B
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:8080
127.0.0.1:18274
6.tcp.eu.ngrok.io:6606
6.tcp.eu.ngrok.io:7707
6.tcp.eu.ngrok.io:8808
6.tcp.eu.ngrok.io:8080
6.tcp.eu.ngrok.io:18274
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
0.5.8
Default
192.168.0.14:4343
a1OON3Evw1pM
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
xworm
assistance-arbitration.gl.at.ply.gg:12152
-
Install_directory
%AppData%
-
install_file
svchost.exe
Extracted
vidar
11.8
41d35cbb974bc2d1287dcd4381b4a2a8
https://t.me/fu4chmo
https://steamcommunity.com/profiles/76561199802540894
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Detect Vidar Stealer 3 IoCs
-
Detect Xworm Payload 2 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 4 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Async RAT payload 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
Drops startup file 5 IoCs
-
Executes dropped EXE 45 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 28 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 28 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 34 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
-
Suspicious use of FindShellTrayWindow 14 IoCs
-
Suspicious use of SendNotifyMessage 14 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe"C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\runtimebroker.exe"C:\Users\Admin\AppData\Local\Temp\Files\runtimebroker.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcsPicsbF98b.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xW3QUZGeQEoY.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9f5lewhCkLfn.bat" "9⤵
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZU0wBsGYBkUt.bat" "11⤵
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQN5JXM5Imgs.bat" "13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e3s7SqeKWpcd.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEgEl7GFT9RK.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQTk3pEdefhF.bat" "19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PrcF5pkqE3ze.bat" "21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f23⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkVpoZsl0QKZ.bat" "23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f25⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xnVwE2wNJd0A.bat" "25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f27⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMMoH1mi34eg.bat" "27⤵
-
C:\Windows\system32\chcp.comchcp 6500128⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f29⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEqUOIcLPDxF.bat" "29⤵
-
C:\Windows\system32\chcp.comchcp 6500130⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost30⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f31⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w7hpjI6uhvOq.bat" "31⤵
-
C:\Windows\system32\chcp.comchcp 6500132⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\leetspoofer.exe"C:\Users\Admin\AppData\Local\Temp\Files\leetspoofer.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe"C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Files\main.exe"C:\Users\Admin\AppData\Local\Temp\Files\main.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\dllhost.exe"C:\ProgramData\dllhost.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f im Wireshark.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f im Wireshark.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f im Wireshark.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\Files\main.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 55⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\xdd.exe"C:\Users\Admin\AppData\Local\Temp\Files\xdd.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "PPTBMYWF"4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "PPTBMYWF" binpath= "C:\ProgramData\wxiftyzsteng\qpgcxlhnvaqc.exe" start= "auto"4⤵
- Launches sc.exe
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\Amogus.exe"C:\Users\Admin\AppData\Local\Temp\Files\Amogus.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0sTQTbaC94uR.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUXyoERaFxNq.bat" "8⤵
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f10⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6foUxvrrmaa3.bat" "10⤵
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f12⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A8zxAzFEFxQ2.bat" "12⤵
-
C:\Windows\system32\chcp.comchcp 6500113⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f14⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYVgxiWt2898.bat" "14⤵
-
C:\Windows\system32\chcp.comchcp 6500115⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f16⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqELlwNO6xE3.bat" "16⤵
-
C:\Windows\system32\chcp.comchcp 6500117⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f18⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIuBCuDNdUBL.bat" "18⤵
-
C:\Windows\system32\chcp.comchcp 6500119⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f20⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaXxUNbnraeN.bat" "20⤵
-
C:\Windows\system32\chcp.comchcp 6500121⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost21⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f22⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JJomjGD2wAG4.bat" "22⤵
-
C:\Windows\system32\chcp.comchcp 6500123⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f24⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOj7JPiOC7Zo.bat" "24⤵
-
C:\Windows\system32\chcp.comchcp 6500125⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f26⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUMeBtwpphly.bat" "26⤵
-
C:\Windows\system32\chcp.comchcp 6500127⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost27⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f28⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yq5GtsFlSaJU.bat" "28⤵
-
C:\Windows\system32\chcp.comchcp 6500129⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost29⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f30⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yM0NxtAf2m8D.bat" "30⤵
-
C:\Windows\system32\chcp.comchcp 6500131⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost31⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f32⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bxhTFSoFfRyU.bat" "32⤵
-
C:\Windows\system32\chcp.comchcp 6500133⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost33⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Journal.exe"C:\Users\Admin\AppData\Local\Temp\Files\Journal.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Client.exe"C:\Users\Admin\AppData\Local\Temp\Files\Client.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\nthnaedltg.exe"C:\Users\Admin\AppData\Local\Temp\Files\nthnaedltg.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\nthnaedltg.exe" & rd /s /q "C:\ProgramData\KKFCFBKFCFBF" & exit5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout /t 106⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\dllhost.exeC:\ProgramData\dllhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
764KB
MD585e3d4ac5a6ef32fb93764c090ef32b7
SHA1adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
SHA2564e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
SHA512a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
-
Filesize
2KB
MD515eab799098760706ed95d314e75449d
SHA1273fb07e40148d5c267ca53f958c5075d24c4444
SHA25645030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778
SHA51250c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c
-
Filesize
10KB
MD52a94f3960c58c6e70826495f76d00b85
SHA1e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA2562fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
Filesize
206B
MD56cfaf133a38f07ad3d6d6971ea9541d8
SHA13804ba95c549b2bc5bbcdd520c165e60987c00e7
SHA2569a31c63ee56da686e59dbd015ac42f64a4b5e5ac54feacde3658fb29039d0776
SHA512be6861814a9526caa27eca04035a64bc94e670afa50effa600bf8e4521cbc985f3c7b80420d9a509e2c92d33ead4785633d3f5c1b78ed2931f7fa2c1d954678b
-
Filesize
22KB
MD509b0dcbf9d2c5a8995b18e3e985de529
SHA1bc3de0eae84a87b6d1d92a53cf5aa1ece3b75f84
SHA2560a89d9299cf4f146cbf9d133087dee31e3053e1ad1ed76256d5677f7bba4ceac
SHA5124449896d8446e12e341d51cb20c3667c570d03c7c9aee21e92f8d446ecba3a7d5279b51721b4e65c3fc0b272d0158aa7ae145ec7f0cd28a025bcea6dcb99d1c6
-
Filesize
206B
MD521b3fc9d29a4376fcf4b30bce18958f8
SHA19fd0ad7ec15b1adc077e975cd46829988c6cd47b
SHA256e87149499098e93c58af8d81fd2cd7c3b53452928a28e0528bd4e31e57cddb51
SHA5123f97d0d0eb59e45c74e57c5b7369e4157c17bfa3ef7df9e4c05a55e2cb1e9dc0ac6e41dc1978ceb738316d184d4c802383bf69cfb0258004ea25fe349cdc84d5
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
207B
MD51de389b204285dcdc75a32d360a21001
SHA107e68ce5901aab33eff6ef3ed424dd11076db10f
SHA256fa1ef5e46276ed7b28d5a6932bd3e56cdc1dde80f28270eea6ac689eecc834b2
SHA5125e592981bbe329bd3e8c58a683b085b72893167c64e19078c2ee30071678122490ad090ae9d9e8b3aa108c0a8f3cd5e7a3ad8dab09a9f5e30fe9a9a9d9a5ade9
-
Filesize
206B
MD5b5ce9043ed4eb037d0f65705af778f43
SHA1ef89298350cd971eb2af4de4d5078950e14925b1
SHA2560cc5c83ee1bb0b3856102974ec496d6e281808c3bb677592ac42aa8787e02d99
SHA51239d004bd770eab55177d3586ed3b8de07704b285ef387f5bb7df7bf2597956022e3ed0468d74f7d5972e64939c749eb3bb5dab5cc3707d40a41b7b613e4026d6
-
Filesize
206B
MD53112b2c4ed066cb1dac174f0862f2a4f
SHA15f886f7c99cf82c17166e889f8ee5f8e85c3d448
SHA256a24de16f43c46001027475677566924f2aea0031ffedd4866a3d37115946b08d
SHA5128e1d5abb5846c98baf13bb3603b4fe7d9a9fb7d3fb341b11c651ce96e45389e055c1f7c181ed309695053a2c279559d6db332c70f281f4ccb611e9351d45fa5f
-
Filesize
206B
MD526b410018fee4a477e4319424c2f896d
SHA1d8cededceab46f8c2c9c47954627ebcc7324c64c
SHA256251b43cdcb346f09429a444b594cb6a91ab1e63b3e519cc8f1741549c8f19150
SHA512f32d3bee7698f6a73b347e1a25efd4c7c791b825a1edaf493d28b348f1b6bede9da7911bfd0e8ce58f4dbf066506d6bead04628ba19c806add6c57f24125bc1c
-
Filesize
208KB
MD54700e950db3b114e91e237ed11d2f9e0
SHA144aac69a91378e768cd8237c65f5e990a0394436
SHA25672b38061644ebae315151affd95b314880c79f3963e1be30c6027d3977e36786
SHA512ad92f9ab3ca82022772cf226380d10138e51eed932f78c108bc45b061e000fd5597dcf9a09740d5fc689172e86c537acf63cf6c8f4f679d9262a792faad0cb02
-
Filesize
3.2MB
MD523c072bdc1c5fe6c2290df7cd3e9abf8
SHA1e10c6f7843e89f787866aac99c0cb7a3b2c7a902
SHA2568c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490
SHA5125e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e
-
Filesize
47KB
MD5d3ed1c2da2065809f44ef00d759e125e
SHA121600d2f5475563e79b52004daa4fe77f4c6cf4b
SHA256bdef6f54af01f98f107e189fb07b2159177d25bd80077b87b5f83f18959b7e42
SHA512e7809edc41ee0c3e4e00bb9370b37e3f431bec715563f94f0fb9a702e93b71876089016d9a075a8fb4fcebbe0493c9b6565a18b7e8e55a748cdb9e8a53bcc51a
-
Filesize
550KB
MD5ee6be1648866b63fd7f860fa0114f368
SHA142cab62fff29eb98851b33986b637514fc904f4b
SHA256e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511
SHA512d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a
-
Filesize
321KB
MD53db33784eb4a2c5ff0d97237bd25d4ce
SHA1e1ee87f9353ff1438e860ef695b5e022a83ac298
SHA256e0fad6ad403b01fb99b906403d2abb21ffd1adf78e88477568291bb0cf392deb
SHA5127394150c055ec7c42f7f28a7f0fceedd6a32da68502ff7d2c5ecf32f48f3899c4416cc0ca1223d5d173033fb047c34e9ba31c91c12a26bf0d4758d338f179937
-
Filesize
59KB
MD5cf14fac9fa45e4989ad1db2910ed98fd
SHA19e6381b831257bebf6356984e6ac3764aee72a84
SHA2563df057f43a8c20c88fe2a2266ac09414fcf9dac4037e9a4f6e95ab66e6409636
SHA512184a88c77ee9e8254cbe4489447d89a710b057efa6fe9f0510a93da91e200dd6717416b275140b31301fed6800884cc62b7941854565c96462f109dd7f972e0a
-
Filesize
45KB
MD58123d15bb6100a19ac103b4ec3d592bf
SHA1713d2344beb28d34864768e7b2c0463044bdc014
SHA25668e92585378abdd8a5e6ba42c20a66558ebbcc964c08ba3ce56d020568ebf16d
SHA512ca048fc1aa53af7b517c2b894e038ed7e413690f2a9e9838c0a5624f9530b20ec8ca22c8d99b8b7ed1e049753970880ee047de984557e2e6c28a55ba2c974351
-
Filesize
2.0MB
MD5be799584483e20f3789f6e14e9b1cbcb
SHA1795621142e849101658ebd281d475043d4076da6
SHA256d387263b9117417e83b25313230f833ad68080bc9ff92c2d9de70e7fb39004d1
SHA512d63a5b5913bb1a1bf0480b0575fe3689bfe67019a24c238f11becf144e995a0774fd94e3e0a97d477b805917650f39a1a7512a4d60a37f0e286f93f09f982901
-
Filesize
65KB
MD5915756ae44759560e8476467163b0f5d
SHA102c6eeb6a68c4fab801061321645c3cf118b823a
SHA2560a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb
SHA5124d7b862f7e4dd4856eac8e5982eb7ed10afddb943661b84cd8f06293fed80e26a65595a89b6abdd1d99bd6154791169006a6d0a4f572de756a691cfb9889049c
-
Filesize
275KB
MD50a7b3454fdad8431bd3523648c915665
SHA1800a97a7c1a92a92cac76afc1fe5349895ee5287
SHA256baf217d7bb8f3a86856def6891638318a94ed5d7082149d4dd4cb755d90d86ce
SHA512020e45eaeee083d6739155d9a821ab54dd07f1320b8efb73871ee5d29188122fdbb7d39b34a8b3694a8b0c08ae1801ec370e40ff8d837c9190a72905f26baff9
-
Filesize
3.1MB
MD5a29d070abe87b2be24892421e0c763bb
SHA1383104c7c6956a98ae5f63c743250f737700f509
SHA25600bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636
SHA5126d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969
-
Filesize
5.0MB
MD518eb87d99216dfd5b0771ea566663073
SHA15218b45e307d06f88b4a05b46a7fefc25ab92d64
SHA256c6251dd1cecc17a699ad2f5598faa297b76d284f699309d44cfbfa24e020c74a
SHA5123fd9cca40df23c73fa5c85be2ffbdb7af253e6e17ae38aeaaa0ff906d72b998ebf11b463e15aa0f6ca7a28e527f21b11c8ea70a87371302ea98070455a5efe6f
-
Filesize
207B
MD5a0bc80dce7d238f1781562534e3bc272
SHA16001a36daed260b54095994c20c25283db6a1f47
SHA256d7ae5fee143693021522235bede00565d64db29d7d7403fc243eb9c165ceb47b
SHA512d02a5bb4e7f23f069be6494288e0ec6bbcfdafbc3d3b7b4d9f2d006bd089ef63f5de923a841703a5e9907c08e0c0a39a78e7353a36ccaefb4333e3e0e2650a5a
-
Filesize
206B
MD5fe202795d263224956848a51fac977a3
SHA1051d470680d7c41e9f5111862c7f8b8e6145e610
SHA2562b6bba6f83d45e5b36edf171363063a43403aeb507aa8f66280776e0bb1375a6
SHA512edc642da569d6e097f1cb3173db0e7d34a55b4c335d4637573c791a62a569848c71ac74d04f2a2db602509161351eb09b926ed5123786d81273f4a128db29a72
-
Filesize
207B
MD576a2c5d7bbdea292e1fd2a3bb6b8ff19
SHA10d3e3b45d6e990b276dbbfd6532ae2ab56507c4e
SHA256fafa8bbccd28386b3eb8eb2712e35562d6d1dc35e3270b414167f8d00138b370
SHA512e81256dcdd5c6a6bb259ec8cc9fe19cfaf9c0448815a682aa1eda6311684080fe34b133f201f88a31fd807a5b7cd0afdc24e4d0396a7787a16433175ab221d46
-
Filesize
206B
MD566cb061646025afef48cd0907625e256
SHA131ab289eeb5907b7d365c39d0b3b3ac0ad3185b6
SHA256e3408c68dcb7552328db443e68fa031f6d26a3e3b2673d570d893673c1a33c1a
SHA512dec8a54a5c3dab2ae0bc23d0e90bde5571f83c99473f55f3aa6a635290b0681a5febfeeec4470df919e4bce67cca8cbd8a11370130d5f634e866c307692b8117
-
Filesize
207B
MD51e7a358ad93ceb4cbf982702acd17908
SHA13cc0fd2b031009ce45b08e14d7224df579855a0a
SHA256c12d27a53e2d50fbf7f97ad82e5da004b4cb0b0b787eb2ee9050e31390c6f3c2
SHA512b6ada6ef9f52ecfc1af7bc0c2e0c02d82923d3a675a1c1ae637199739d28d50a6f18ab02cbf063b4f345fc66a606636358aa8b66688181403b8c36cf01fb0678
-
Filesize
207B
MD5fc4f82e6df8677fafd013d26413447eb
SHA1cd4416171e300424795f0017a8a1866e67602834
SHA256f643208e193c259cf75f58d9903303c29b3b10b29ca0923da03547e62429411a
SHA512407aa0e89b5642be139e1abb9337fb5ef7c8b531eda4f50343cc32a59ac953297197881e3ccc8573ada2ac5619ffbc9735cc35f6b48625d69769074130d934a4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
206B
MD50bd159ecb056a49ae181506337a9e7ae
SHA1165dca029b47bfa25d2dd9f8914dd2072d4e5feb
SHA2560de2fb0aac2f29a5a0eeb9043639415163436952b732503ce8fabde8b4b82d56
SHA512c5da3c7e79fb45b87c315537901729c8467be88b707b951bfc06585ffb2ab51cf3f2f0992049c4f05a347dab992dc88a53398f871c5587c183185310f070aefd
-
Filesize
207B
MD5ec1c5ce479caf61c1061553e69707092
SHA1be93b40937a196f1fe9b3a0e3342a9b4d7804284
SHA2561988eda20b353b473071e0edfaeb155d38c45fba5171ba0e8c2c4334ec02d4a7
SHA51241cda13a0b2a487d013da80f2130d37ad3c9db79912c9bde0d0baaa8d28a562a6b376e7bd2875a81d655efdb847b29097b51535b71e660446d8a30a01826cdd5
-
Filesize
207B
MD518d94f87245cebd45270168248fdf54e
SHA17e013059b99a49e027b049abd860938691c87f82
SHA2565e8cbffa3f2467c047c3d82a7e43e14d7866d7321d2b9006632810e8f7f06afc
SHA512fc3f06d1d9e133a3b0d3c9c848de5d9cc07435c2bb09129d6a7645c5f04581292d7a083dc775a99a6f491ae5ecce07b3a7fcad622b13f74a80cb266a6dbf5d3e
-
Filesize
207B
MD5e1fdfac5d88b19022917cd030bdffb4d
SHA1277edd69fc96eee03d02c5dd1e8d61c3b073165a
SHA256d2d1fa783355dc661419ba3fa1920b97b67eb83bb6de7fabd483dfae6e2e7fac
SHA5127a8ef4be1017e0b84355e4cc69b86df18d80f3fb0a9daaf42b9bdb763c24d7d87103e9a7df1b9f5c1ec83deb6836a4adef7797f752f25aeb09f03c978a2935b7
-
Filesize
642KB
MD59bc424be13dca227268ab018dca9ef0c
SHA1f6f42e926f511d57ef298613634f3a186ec25ddc
SHA25659d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2
SHA51270a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715
-
Filesize
3.2MB
-
Filesize
576KB
-
Filesize
72KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
3.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
788KB
-
Filesize
788KB
-
Filesize
788KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
88KB
-
Filesize
348KB
-
Filesize
300KB
-
Filesize
136KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
4KB
-
Filesize
788KB