Analysis
max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2025, 14:31
Static task: static1
Behavioral task: behavioral1
Sample: 2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe
Resource: win10v2004-20250314-en
General
Target: 2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe
Size: 3.8MB
MD5: 220aae5d05fd2cc172ddb78e3b5a79d8
SHA1: 7f66e1d9d3bb81eb4df045ca7ece093ca166a595
SHA256: 2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245
SHA512: 3252348ade86c5913648c041ce58e438b7be7ca8b1554ba64f1024a4d9e126d19bb8a58536f5a4a1d0b2c93d472393f32336fac800c1b8b66a82bd274e0fc2c2
SSDEEP: 49152:MhbFk85ulG4dJXY5UeD1jWs1O/BP4YPpPAPGPpPVP6PJP8P8P9PdPdPRPfPdPlPl:WRk85ulG4XywJxFTsmBm
Malware Config
Extracted
Family: valleyrat_s2
Version: 1.0
C2: 154.219.97.191:6666
campaign_date: 2025. 3.14
The hijackloader_icedid suffix in the file name is a label carried by the submission; the configuration the sandbox actually extracted identifies ValleyRAT stage 2 (see the ValleyRat signature below), and 154.219.97.191:6666 is its C2 endpoint.
Signatures
Modifies Windows Defender DisableAntiSpyware settings
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" by reg.exe
Current Defender builds ignore this legacy policy value and Tamper Protection, where enabled, blocks its effect; treat the write as an intent indicator and verify Defender's actual state rather than trusting the key.
UAC bypass 3 TTPs 2 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by reg.exe
Writing EnableLUA under HKLM needs an elevated token; the reg.exe write descends from the mshta ShellExecute "runas" launch in the process tree, which raises a UAC consent prompt rather than bypassing it, and EnableLUA = 0 only takes effect after a reboot. Read this as UAC disablement for later stages, not an in-session bypass.
ValleyRat
ValleyRat stage 2 is a backdoor written in C++.
Valleyrat_s2 family
Blocklisted process makes network request 6 IoCs
flow 22, 27: cmd.exe (PID 1288); flow 23, 26: cmd.exe (PID 744); flow 24, 28: cmd.exe (PID 2128)
These three cmd.exe instances are the SetThreadContext targets of qusdjcxzzsa.exe (PID 5856), so the traffic comes from injected code rather than from cmd.exe itself; correlate these flows with the extracted C2 154.219.97.191:6666.
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation by 2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe, qusdjcxzzsa.exe and mshta.exe
Drops startup file 1 IoCs
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yHrJMHz.lnk by 2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe (PID 5988)
Executes dropped EXE 5 IoCs
PID 4184 qusdjcxzzsa.exe; PID 5856 qusdjcxzzsa.exe; PID 540 asdccx.exe; PID 1464 asdccx.exe; PID 2320 asdccx.exe (all from C:\Users\Public\OQieGYp\)
Checks whether UAC is enabled 1 TTPs 1 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe
The IoC behind this rule is the same EnableLUA write reported under UAC bypass and System policy modification; no separate read of the value is listed.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by cmd.exe (the injected instances, PIDs 2128, 744 and 1288): \??\B:, \??\E: and \??\G: through \??\Z:, most letters probed by more than one instance (listing capped at 64 IoCs).
Suspicious use of SetThreadContext 6 IoCs
PID 5856 (qusdjcxzzsa.exe) set thread context of PIDs 2128, 744 and 1288 (cmd.exe) and 540, 1464 and 2320 (asdccx.exe); target indexes 105 through 110
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
PID 1776 mshta.exe (the ShellExecute "runas" launch of 62310.cmd)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
PID 5108 WerFault.exe, crashed process PID 1020 (2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe, target index 86)
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: mshta.exe (1), reg.exe (3), 2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe (2), cmd.exe (5), asdccx.exe (2), subst.exe (1), qusdjcxzzsa.exe (2)
Modifies registry class 1 IoCs
Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings by mshta.exe
Modifies registry key 1 TTPs 1 IoCs
PID 5228 reg.exe (the EnableLUA write)
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 5988 2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe (4 entries); PID 5856 qusdjcxzzsa.exe (2 entries); PID 540 asdccx.exe (the remaining 58 entries; listing capped at 64 IoCs)
Suspicious use of SetWindowsHookEx 19 IoCs
PID 1020 2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe (3); PID 5988 2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe (3); PID 4184 qusdjcxzzsa.exe (3); PID 5856 qusdjcxzzsa.exe (3); PID 540 asdccx.exe (2); PID 2320 asdccx.exe (2); PID 744 cmd.exe (1); PID 1288 cmd.exe (1); PID 2128 cmd.exe (1)
Suspicious use of WriteProcessMemory 64 IoCs
source PID (process) -> target PID: write count (target index)
1020 (2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe) -> 5988: 3 (88)
5988 (2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe) -> 4184: 3 (96)
4184 (qusdjcxzzsa.exe) -> 5856: 3 (102)
5856 (qusdjcxzzsa.exe) -> 5276: 3 (103)
5856 (qusdjcxzzsa.exe) -> 2128: 10 (105)
5856 (qusdjcxzzsa.exe) -> 744: 10 (106)
5856 (qusdjcxzzsa.exe) -> 1288: 10 (107)
5856 (qusdjcxzzsa.exe) -> 540: 9 (108)
5856 (qusdjcxzzsa.exe) -> 1464: 9 (109)
5856 (qusdjcxzzsa.exe) -> 2320: 4 (110; listing capped at 64 IoCs)
System policy modification 1 TTPs 1 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe
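The SetThreadContext and WriteProcessMemory signatures above only become a hollowing verdict once they are joined per source/target pair: a parent that merely spawns a child shows up in this report as exactly three writes and no context change (1020 -> 5988, 5988 -> 4184, 4184 -> 5856, 5856 -> 5276), whereas the six children of PID 5856 get both. The following is an added example, not code from the sandbox or from this report; it parses lines written in the report's own phrasing and correlates the two signals. The input is constructed from the counts listed above, and the three-writes-per-CreateProcess baseline is an observation from this run, not a general constant.

```python
"""Correlate SetThreadContext and WriteProcessMemory events into process-hollowing
candidates.

Added example; not the sandbox's code. The event lines are constructed from the
"Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory"
signatures of the report and follow that report's phrasing:
    PID <src> wrote to memory of <dst> <src> <image> <target index>
    PID <src> set thread context of <dst> <src> <image> <target index>
"""
import re
from collections import Counter

SAMPLE = "2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe"

WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
SET_CTX = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\d+)$")


def _lines(kind, src, dst, image, idx, n):
    """n identical report-style lines for one (src, dst) pair."""
    return [f"PID {src} {kind} {dst} {src} {image} {idx}"] * n


# Constructed from the report's IoC lists (write counts per pair as listed there;
# the 2320 pair is short because the listing is capped at 64 entries).
REPORT_LINES = (
    _lines("wrote to memory of", 1020, 5988, SAMPLE, 88, 3)
    + _lines("wrote to memory of", 5988, 4184, SAMPLE, 96, 3)
    + _lines("wrote to memory of", 4184, 5856, "qusdjcxzzsa.exe", 102, 3)
    + _lines("wrote to memory of", 5856, 5276, "qusdjcxzzsa.exe", 103, 3)
    + _lines("wrote to memory of", 5856, 2128, "qusdjcxzzsa.exe", 105, 10)
    + _lines("wrote to memory of", 5856, 744, "qusdjcxzzsa.exe", 106, 10)
    + _lines("wrote to memory of", 5856, 1288, "qusdjcxzzsa.exe", 107, 10)
    + _lines("wrote to memory of", 5856, 540, "qusdjcxzzsa.exe", 108, 9)
    + _lines("wrote to memory of", 5856, 1464, "qusdjcxzzsa.exe", 109, 9)
    + _lines("wrote to memory of", 5856, 2320, "qusdjcxzzsa.exe", 110, 4)
    + [line
       for dst, idx in ((2128, 105), (744, 106), (1288, 107), (540, 108), (1464, 109), (2320, 110))
       for line in _lines("set thread context of", 5856, dst, "qusdjcxzzsa.exe", idx, 1)]
)


def parse_events(lines):
    """Return (write count per (src, dst), set of (src, dst) with a context reset,
    {src pid: image}). Lines matching neither pattern are ignored."""
    writes, ctx, images = Counter(), set(), {}
    for line in lines:
        m = WRITE.match(line)
        if m:
            src, dst, image, _ = m.groups()
            writes[(int(src), int(dst))] += 1
            images[int(src)] = image
            continue
        m = SET_CTX.match(line)
        if m:
            src, dst, image, _ = m.groups()
            ctx.add((int(src), int(dst)))
            images[int(src)] = image
    return writes, ctx, images


def hollowing_candidates(lines, creation_baseline=3):
    """Strong candidates: (src, dst) pairs where the source both wrote into the
    target and replaced a thread context there, i.e. the hollowing sequence
    (create suspended, write image, SetThreadContext, resume). Weak candidates:
    write-only pairs whose count exceeds the plain-CreateProcess baseline seen in
    this report. Returns (strong, weak), each {(src, dst): {"injector", "writes"}}."""
    writes, ctx, images = parse_events(lines)
    strong, weak = {}, {}
    for (src, dst), n in writes.items():
        entry = {"injector": images[src], "writes": n}
        if (src, dst) in ctx:
            strong[(src, dst)] = entry
        elif n > creation_baseline:
            weak[(src, dst)] = entry
    return strong, weak


def injectors(lines):
    """{injector pid: sorted target pids} over the strong candidates only."""
    strong, _ = hollowing_candidates(lines)
    out = {}
    for src, dst in strong:
        out.setdefault(src, []).append(dst)
    return {src: sorted(dsts) for src, dsts in out.items()}


if __name__ == "__main__":
    strong, weak = hollowing_candidates(REPORT_LINES)
    for (src, dst), info in sorted(strong.items()):
        print(f"hollowing: {info['injector']} ({src}) -> {dst}, {info['writes']} writes + SetThreadContext")
    print("write-only above baseline:", weak or "none")
```

On this report the only injector is PID 5856 and every one of its six children is a strong candidate, while the write-only pairs all sit at the baseline, which is why the argument-less cmd.exe and asdccx.exe processes carry the network and drive-enumeration behaviour in the tree below.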
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe"
    PID: 1020
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2025-04-03_220aae5d05fd2cc172ddb78e3b5a79d8_hijackloader_icedid.exe" shouciyunxing
      (the argument is pinyin for "first run"; the sample re-executes itself with it)
      PID: 5988
      - UAC bypass
      - Drops startup file
      - Checks whether UAC is enabled
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Users\Public\OQieGYp\qusdjcxzzsa.exe
        Command line: C:/Users/Public/OQieGYp\qusdjcxzzsa.exe zhuruxitong
        (the argument is pinyin for "inject into system"; note the mixed forward and back slashes in the path)
        PID: 4184
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Public\OQieGYp\qusdjcxzzsa.exe
          Command line: "C:\Users\Public\OQieGYp\qusdjcxzzsa.exe" Kdiaoni
          PID: 5856
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\OQieGYp\62310.cmd
            PID: 5276
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\mshta.exe
              Command line: mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Public\OQieGYp\62310.cmd","::","","runas",0)(window.close)
              PID: 1776
              - Checks computer location settings
              - Access Token Manipulation: Create Process with Token
              - System Location Discovery: System Language Discovery
              - Modifies registry class
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Public\OQieGYp\62310.cmd" ::
                PID: 3096
                - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\subst.exe
                  Command line: subst o: /d
                  PID: 2156
                  - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\reg.exe
                  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  PID: 5228
                  - UAC bypass
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key
              [8] C:\Windows\SysWOW64\reg.exe
                  Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices" /v O: /f
                  PID: 4092
                  - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\reg.exe
                  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                  PID: 2948
                  - Modifies Windows Defender DisableAntiSpyware settings
                  - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe
            PID: 2128
            - Blocklisted process makes network request
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe
            PID: 744
            - Blocklisted process makes network request
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe
            PID: 1288
            - Blocklisted process makes network request
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Public\OQieGYp\asdccx.exe
            Command line: C:\Users\Public\OQieGYp\asdccx.exe
            PID: 540
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Public\OQieGYp\asdccx.exe
            Command line: C:\Users\Public\OQieGYp\asdccx.exe
            PID: 1464
            - Executes dropped EXE
        [5] C:\Users\Public\OQieGYp\asdccx.exe
            Command line: C:\Users\Public\OQieGYp\asdccx.exe
            PID: 2320
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1412
      PID: 5108
      - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1020 -ip 1020
    PID: 4924

How the chain reads: 62310.cmd runs twice. The first run (PID 5276, launched by qusdjcxzzsa.exe) executes at the user's integrity level and only starts mshta, whose inline VBScript asks ShellExecute to re-run the same batch file with the "runas" verb; the second run (PID 3096, under mshta) is the elevated one that removes the O: mapping and writes the EnableLUA and DisableAntiSpyware policy values. The report does not show what created the O: substitution that subst and the DOS Devices delete clean up. The six depth-5 processes under PID 5856 (three argument-less cmd.exe and three asdccx.exe) are the SetThreadContext/WriteProcessMemory targets from the signatures above; the cmd.exe instances carry the network activity and drive enumeration, consistent with hollowed hosts for the ValleyRAT payload. WerFault.exe handling PID 1020 means the initial instance crashed; its child PID 5988 carried the execution on.
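Everything the elevated 62310.cmd run does is visible in process command lines (mshta re-launching the batch with the "runas" verb, reg.exe writing EnableLUA and DisableAntiSpyware, the DOS Devices and subst cleanup), so the chain can be caught at process-creation time without waiting for registry telemetry. The following is an added example, not code from the report or from the sandbox; the events are constructed from the tree above plus two benign controls that must not match, and the rule names, severities and ATT&CK technique IDs are this example's own choices.

```python
"""Command-line detections for the 62310.cmd tamper chain.

Added example; not the sandbox's or the report's code. EVENTS is constructed
from the process tree in this report (PIDs, images and command lines as shown
there) plus two benign control lines. Rule names, severities and the ATT&CK
technique IDs attached to each rule are this example's own choices.
"""
import re

# (rule name, severity, ATT&CK technique, pattern); matched case-insensitively
# against the full command line, not against the image path.
RULES = [
    ("uac_disabled_enablelua", "high", "T1548.002",
     r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*\s/v\s+EnableLUA\b.*\s/d\s+0\b"),
    ("defender_disableantispyware", "high", "T1562.001",
     r"\breg(?:\.exe)?\s+add\b.*\\Windows Defender\b.*\s/v\s+DisableAntiSpyware\b.*\s/d\s+1\b"),
    ("mshta_shellexecute_runas", "high", "T1218.005",
     r"\bmshta(?:\.exe)?\b.*\bshellexecute\(.*[\"']runas[\"']"),
    ("dos_devices_mapping_deleted", "medium", "T1112",
     r"\breg(?:\.exe)?\s+delete\b.*\\Session Manager\\DOS Devices\b"),
    ("subst_drive_removed", "low", "T1112",
     r"\bsubst(?:\.exe)?\s+[a-z]:\s+/d\b"),
]
COMPILED = [(name, sev, ttp, re.compile(pat, re.IGNORECASE)) for name, sev, ttp, pat in RULES]

EVENTS = [
    # From the report's process tree.
    {"pid": 1776, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Public\OQieGYp\62310.cmd","::","","runas",0)(window.close)'},
    {"pid": 2156, "image": r"C:\Windows\SysWOW64\subst.exe", "cmdline": "subst o: /d"},
    {"pid": 5228, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 4092, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices" /v O: /f'},
    {"pid": 2948, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    # Constructed benign controls (not from the report): an application's own
    # HKCU flag and a read-only query of the Defender policy key.
    {"pid": 9001, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Contoso\App /v FirstRun /t REG_DWORD /d 0 /f"},
    {"pid": 9002, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware'},
]


def scan(events):
    """One hit per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        for name, sev, ttp, rx in COMPILED:
            if rx.search(ev["cmdline"]):
                hits.append({"pid": ev["pid"], "image": ev["image"],
                             "rule": name, "severity": sev, "attack": ttp})
    return hits


def summarize(events):
    """{rule: [pids that triggered it]}."""
    out = {}
    for h in scan(events):
        out.setdefault(h["rule"], []).append(h["pid"])
    return out


def verdict(events):
    """'tamper_chain_complete' when the runas re-launch and both policy writes
    are all present; otherwise the partial rule set, or 'clean'. The rules see
    intent only: the reg writes need an elevated token to succeed, so confirm
    the effective state (EnableLUA, Defender status) on the host as well."""
    fired = set(summarize(events))
    chain = {"mshta_shellexecute_runas", "uac_disabled_enablelua", "defender_disableantispyware"}
    if chain <= fired:
        return "tamper_chain_complete"
    return "partial:" + ",".join(sorted(fired)) if fired else "clean"


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(f"{hit['severity']:6} {hit['attack']:10} pid={hit['pid']:<5} {hit['rule']}")
    print("verdict:", verdict(EVENTS))
```

The rules match on the command line rather than the image path because every tamper step here runs through a legitimate signed binary (mshta.exe, reg.exe, subst.exe); the mshta rule keys on the "runas" verb inside a ShellExecute call, which is the elevation request itself, not on mshta alone.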
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Access Token Manipulation (1): Create Process with Token (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Access Token Manipulation (1): Create Process with Token (1)
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Registry (4)
Downloads
(dropped files; the report lists hashes only, no file names)

Filesize: 527B
MD5: 34ac662d5343e07bcb06d373e737252f
SHA1: d304ebfd043c4eb09f7c193c3562f94590221211
SHA256: 777690549389083ce6807b077ee3bb5410cc1a6f0ee73e6afa7d424471ceb173
SHA512: 60e71ead901bd0fb8cc856ba6a09b2e8dda0eca583e40d44fee9ecb632872054d0b7571a315f990915b52b5fc399bce67e0f2b8468210faef3516f399a0ee80e

Filesize: 231KB
MD5: d0fce3afa6aa1d58ce9fa336cc2b675b
SHA1: 4048488de6ba4bfef9edf103755519f1f762668f
SHA256: 4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22
SHA512: 80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

Filesize: 108KB
MD5: d442c9efaf31a91319116ef17e0022e7
SHA1: 2809f71775ac044c9e50cf24e2ce1ff3bd16e576
SHA256: 5662b6f42fcf97143d252c0f43b2d345a53866f0fe737115ecc99ccfc4370eeb
SHA512: 6ad96ab748b31109661357b9dfc0b5c53e6bab6d8c0ca90273d07c438933bf65a5d81b1257774f104c485ac22c50da4832e509f63b107da6055aa31a509f9eae