291f746c2eb1c7f1c979899d9a61c44b8f3085622f0b311cfa99fc0e584b1aac

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Romper V5/Romper V5/Romper V5.exe
Size

30.1MB
MD5

20ccae603d435aab174b7b7e46ac7189
SHA1

c4c34d0a46c2f9532596f6dcb6fb86cc44046ab7
SHA256

cf675be72d39b1ee645b19bdbebbc615d6787d3f1c0e7ca9e2ef7c4396a7764b
SHA512

69658a3e15a9885691098976b89e8e2dd2936cbc78f0f0d58400dbf98fa14c4e170f9180b1ab130cc796b3a4b4245879e8406860770e03f3223a01d25532beb9
SSDEEP

786432:GW+e569MZLW+e569MuW+e569MgjW+e5i9M:GW+enhW+enuW+engjW+ev

Score

8^/10

execution persistence pyinstaller

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4732 powershell.exe
2788 powershell.exe
3472 powershell.exe
952 powershell.exe
3184 powershell.exe
2296 powershell.exe
232 powershell.exe
1928 powershell.exe

pid	process
4732	powershell.exe
2788	powershell.exe
3472	powershell.exe
952	powershell.exe
3184	powershell.exe
2296	powershell.exe
232	powershell.exe
1928	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cscript.execscript.exeRomper V5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Romper V5.exe

Executes dropped EXE 10 IoCs

Processes:

COOKD.EXECREAL.EXEDISCORD.EXECOOKD.EXECREAL.EXEPYTHON.EXEDISCORD.EXEPYTHON.EXEChromeUpdater.exeChromeUpdater.exe

pid process

2020 COOKD.EXE
4548 CREAL.EXE
3520 DISCORD.EXE
4916 COOKD.EXE
3176 CREAL.EXE
4316 PYTHON.EXE
2092 DISCORD.EXE
4716 PYTHON.EXE
2920 ChromeUpdater.exe
1392 ChromeUpdater.exe

pid	process
2020	COOKD.EXE
4548	CREAL.EXE
3520	DISCORD.EXE
4916	COOKD.EXE
3176	CREAL.EXE
4316	PYTHON.EXE
2092	DISCORD.EXE
4716	PYTHON.EXE
2920	ChromeUpdater.exe
1392	ChromeUpdater.exe

Loads dropped DLL 38 IoCs

Processes:

COOKD.EXECREAL.EXEDISCORD.EXEPYTHON.EXE

pid	process
4916	COOKD.EXE
4916	COOKD.EXE
3176	CREAL.EXE
3176	CREAL.EXE
4916	COOKD.EXE
2092	DISCORD.EXE
4916	COOKD.EXE
2092	DISCORD.EXE
4916	COOKD.EXE
4916	COOKD.EXE
4916	COOKD.EXE
4916	COOKD.EXE
4916	COOKD.EXE
4916	COOKD.EXE
4916	COOKD.EXE
3176	CREAL.EXE
3176	CREAL.EXE
3176	CREAL.EXE
3176	CREAL.EXE
3176	CREAL.EXE
3176	CREAL.EXE
3176	CREAL.EXE
3176	CREAL.EXE
2092	DISCORD.EXE
2092	DISCORD.EXE
2092	DISCORD.EXE
2092	DISCORD.EXE
2092	DISCORD.EXE
2092	DISCORD.EXE
2092	DISCORD.EXE
2092	DISCORD.EXE
2092	DISCORD.EXE
4716	PYTHON.EXE
4716	PYTHON.EXE
4716	PYTHON.EXE
4716	PYTHON.EXE
4716	PYTHON.EXE
4716	PYTHON.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DISCORD.EXECREAL.EXECOOKD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsUpdater.exe"	DISCORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsStore = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsStore.exe"	CREAL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "C:\\ProgramData\\ChromeUpdater.exe"	COOKD.EXE

Detects Pyinstaller 4 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\COOKD.EXE	pyinstaller
C:\Users\Admin\AppData\Local\Temp\CREAL.EXE	pyinstaller
C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE	pyinstaller
C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4332 taskkill.exe
1032 taskkill.exe

pid	process
4332	taskkill.exe
1032	taskkill.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3472	powershell.exe
3472	powershell.exe
4732	powershell.exe
2788	powershell.exe
2788	powershell.exe
4732	powershell.exe
2296	powershell.exe
2296	powershell.exe
952	powershell.exe
952	powershell.exe
3184	powershell.exe
3184	powershell.exe
2296	powershell.exe
952	powershell.exe
3184	powershell.exe
1928	powershell.exe
232	powershell.exe
1928	powershell.exe
232	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Romper V5.exeCOOKD.EXECREAL.EXEDISCORD.EXEPYTHON.EXEPYTHON.EXECREAL.EXEDISCORD.EXECOOKD.EXEpowershell.exepowershell.exepowershell.execmd.execmd.execmd.execsc.execsc.execsc.execscript.execscript.execmd.exe

description	pid	process	target process
PID 3636 wrote to memory of 2020	3636	Romper V5.exe	COOKD.EXE
PID 3636 wrote to memory of 2020	3636	Romper V5.exe	COOKD.EXE
PID 3636 wrote to memory of 4548	3636	Romper V5.exe	CREAL.EXE
PID 3636 wrote to memory of 4548	3636	Romper V5.exe	CREAL.EXE
PID 3636 wrote to memory of 3520	3636	Romper V5.exe	DISCORD.EXE
PID 3636 wrote to memory of 3520	3636	Romper V5.exe	DISCORD.EXE
PID 2020 wrote to memory of 4916	2020	COOKD.EXE	COOKD.EXE
PID 2020 wrote to memory of 4916	2020	COOKD.EXE	COOKD.EXE
PID 3636 wrote to memory of 4316	3636	Romper V5.exe	PYTHON.EXE
PID 3636 wrote to memory of 4316	3636	Romper V5.exe	PYTHON.EXE
PID 4548 wrote to memory of 3176	4548	CREAL.EXE	CREAL.EXE
PID 4548 wrote to memory of 3176	4548	CREAL.EXE	CREAL.EXE
PID 3520 wrote to memory of 2092	3520	DISCORD.EXE	DISCORD.EXE
PID 3520 wrote to memory of 2092	3520	DISCORD.EXE	DISCORD.EXE
PID 4316 wrote to memory of 4716	4316	PYTHON.EXE	PYTHON.EXE
PID 4316 wrote to memory of 4716	4316	PYTHON.EXE	PYTHON.EXE
PID 4716 wrote to memory of 3660	4716	PYTHON.EXE	cmd.exe
PID 4716 wrote to memory of 3660	4716	PYTHON.EXE	cmd.exe
PID 3176 wrote to memory of 2788	3176	CREAL.EXE	powershell.exe
PID 3176 wrote to memory of 2788	3176	CREAL.EXE	powershell.exe
PID 2092 wrote to memory of 3472	2092	DISCORD.EXE	svchost.exe
PID 2092 wrote to memory of 3472	2092	DISCORD.EXE	svchost.exe
PID 4916 wrote to memory of 4732	4916	COOKD.EXE	powershell.exe
PID 4916 wrote to memory of 4732	4916	COOKD.EXE	powershell.exe
PID 3472 wrote to memory of 2296	3472	powershell.exe	powershell.exe
PID 3472 wrote to memory of 2296	3472	powershell.exe	powershell.exe
PID 2092 wrote to memory of 4064	2092	DISCORD.EXE	cmd.exe
PID 2092 wrote to memory of 4064	2092	DISCORD.EXE	cmd.exe
PID 2788 wrote to memory of 3184	2788	powershell.exe	powershell.exe
PID 2788 wrote to memory of 3184	2788	powershell.exe	powershell.exe
PID 4732 wrote to memory of 952	4732	powershell.exe	powershell.exe
PID 4732 wrote to memory of 952	4732	powershell.exe	powershell.exe
PID 4064 wrote to memory of 3340	4064	cmd.exe	csc.exe
PID 4064 wrote to memory of 3340	4064	cmd.exe	csc.exe
PID 4064 wrote to memory of 3340	4064	cmd.exe	csc.exe
PID 4916 wrote to memory of 3692	4916	COOKD.EXE	cmd.exe
PID 4916 wrote to memory of 3692	4916	COOKD.EXE	cmd.exe
PID 3176 wrote to memory of 4864	3176	CREAL.EXE	svchost.exe
PID 3176 wrote to memory of 4864	3176	CREAL.EXE	svchost.exe
PID 4864 wrote to memory of 2196	4864	cmd.exe	csc.exe
PID 4864 wrote to memory of 2196	4864	cmd.exe	csc.exe
PID 4864 wrote to memory of 2196	4864	cmd.exe	csc.exe
PID 3692 wrote to memory of 4632	3692	cmd.exe	WerFault.exe
PID 3692 wrote to memory of 4632	3692	cmd.exe	WerFault.exe
PID 3692 wrote to memory of 4632	3692	cmd.exe	WerFault.exe
PID 2196 wrote to memory of 3168	2196	csc.exe	cvtres.exe
PID 2196 wrote to memory of 3168	2196	csc.exe	cvtres.exe
PID 2196 wrote to memory of 3168	2196	csc.exe	cvtres.exe
PID 3340 wrote to memory of 3588	3340	csc.exe	cvtres.exe
PID 3340 wrote to memory of 3588	3340	csc.exe	cvtres.exe
PID 3340 wrote to memory of 3588	3340	csc.exe	cvtres.exe
PID 4632 wrote to memory of 1216	4632	csc.exe	svchost.exe
PID 4632 wrote to memory of 1216	4632	csc.exe	svchost.exe
PID 4632 wrote to memory of 1216	4632	csc.exe	svchost.exe
PID 2092 wrote to memory of 3564	2092	DISCORD.EXE	cscript.exe
PID 2092 wrote to memory of 3564	2092	DISCORD.EXE	cscript.exe
PID 4916 wrote to memory of 3896	4916	COOKD.EXE	cscript.exe
PID 4916 wrote to memory of 3896	4916	COOKD.EXE	cscript.exe
PID 3896 wrote to memory of 4404	3896	cscript.exe	cmd.exe
PID 3896 wrote to memory of 4404	3896	cscript.exe	cmd.exe
PID 3564 wrote to memory of 1692	3564	cscript.exe	cmd.exe
PID 3564 wrote to memory of 1692	3564	cscript.exe	cmd.exe
PID 4404 wrote to memory of 3096	4404	cmd.exe	cmd.exe
PID 4404 wrote to memory of 3096	4404	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Romper V5\Romper V5\Romper V5.exe
"C:\Users\Admin\AppData\Local\Temp\Romper V5\Romper V5\Romper V5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\COOKD.EXE
"C:\Users\Admin\AppData\Local\Temp\COOKD.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\COOKD.EXE
"C:\Users\Admin\AppData\Local\Temp\COOKD.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process powershell -Verb runAs -ArgumentList \"-Command Set-MpPreference -ExclusionPath c:\\\" -WindowStyle Hidden"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -ExclusionPath c:\
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\ProgramData\ChromeUpdater.exe C:\Users\Admin\AppData\Local\Temp\ChromeUpdater.cs > nul 2>&1
4⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\ProgramData\ChromeUpdater.exe C:\Users\Admin\AppData\Local\Temp\ChromeUpdater.cs
5⤵
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES596A.tmp" "c:\ProgramData\CSC70F3AE67E1044FC39083E0D1CB19643B.TMP"
6⤵
PID:1216

C:\Windows\SYSTEM32\cscript.exe
cscript.exe //nologo C:\Users\Admin\AppData\Local\Temp\launch.vbs
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b C:\Users\Admin\AppData\Local\Temp\temporary.cmd
5⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\temporary.cmd
6⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
7⤵
PID:1380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\curl.exe
curl -L -o "C:\Users\Admin\AppData\Local\Temp\python-installer.exe" "https://www.python.org/ftp/python/+FullyQualifiedErrorId/python-+FullyQualifiedErrorId-amd64.exe"
7⤵
PID:4292

C:\Windows\system32\taskkill.exe
taskkill /f /im "python-installer.exe"
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\ProgramData\ChromeUpdater.exe
"C:\ProgramData\ChromeUpdater.exe"
7⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2920 -s 780
8⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\CREAL.EXE
"C:\Users\Admin\AppData\Local\Temp\CREAL.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\AppData\Local\Temp\CREAL.EXE
"C:\Users\Admin\AppData\Local\Temp\CREAL.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process powershell -Verb runAs -ArgumentList \"-Command Set-MpPreference -ExclusionPath c:\\\" -WindowStyle Hidden"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -ExclusionPath c:\
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Local\Temp\WindowsStore.exe C:\Users\Admin\AppData\Local\Temp\WindowsStore.cs > nul 2>&1
4⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Local\Temp\WindowsStore.exe C:\Users\Admin\AppData\Local\Temp\WindowsStore.cs
5⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES593C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA4EECB7DA98049BDADFBE211AA54BB8A.TMP"
6⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
"C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520

C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
"C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process powershell -Verb runAs -ArgumentList \"-Command Set-MpPreference -ExclusionPath c:\\\" -WindowStyle Hidden"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -ExclusionPath c:\
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.cs > nul 2>&1
4⤵
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.cs
5⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES594B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2BE10D6FC34B989FD9DAC66F23DCCC.TMP"
6⤵
PID:3588

C:\Windows\SYSTEM32\cscript.exe
cscript.exe //nologo C:\Users\Admin\AppData\Local\Temp\launch.vbs
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b C:\Users\Admin\AppData\Local\Temp\temporary.cmd
5⤵
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\temporary.cmd
6⤵
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
7⤵
PID:4616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\curl.exe
curl -L -o "C:\Users\Admin\AppData\Local\Temp\python-installer.exe" "https://www.python.org/ftp/python/+FullyQualifiedErrorId/python-+FullyQualifiedErrorId-amd64.exe"
7⤵
PID:3528

C:\Windows\system32\taskkill.exe
taskkill /f /im "python-installer.exe"
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\ProgramData\ChromeUpdater.exe
"C:\ProgramData\ChromeUpdater.exe"
7⤵
- Executes dropped EXE
PID:1392

C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE
"C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE
"C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
4⤵
PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
4⤵
PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
4⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
4⤵
PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:4636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
1⤵
PID:3472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4864

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\COOKD.EXE
Filesize
7.5MB

MD5
a4d88d60fdebe4d85736d7684de377d5

SHA1
3cd96116e5ee43b28a499ea48eff1533b029d8be

SHA256
13611a82912fc262cec5433aeb83c62e6488c5931359749c8a29dcc3bc66c731

SHA512
739223bae82b42c55bdabc0e7d94d0f9daf4b130317122a491ad36e34da0f3a6ba30e87ef0aeba4319aded8a156f31ffdbcb803921f208c7e00ea7ee11e144b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CREAL.EXE
Filesize
7.5MB

MD5
2dc33067754eb099bd137180a357088b

SHA1
65ec6e077726a462fe96c32f0540891e76cabc4e

SHA256
78b6b54a4643d3648f9653cfd9ec89b0d158f586647e7afc1b78113e1b988585

SHA512
b0073ba54eebfc0afc1ce8c72d9dc87050e434d77f86d2c3d4cfc00c2d84463cd0ab7891e74eaea92de46c934ff13f61202d4f33d6209e45b4b96e064348d7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
Filesize
7.4MB

MD5
3cc78ec13e19e7deacb003b556afa189

SHA1
26f4ce646c930464b07c3eb8d7f888354df0f73b

SHA256
c11cf38be5e32cf2f7172a47dd93bff04168b4f607a26558d84b90783ba67372

SHA512
23bd312a390f7779085732a648026bb06f215ebde483dd1b824b53be03382173b0626be5683860c0c3b806dd081677165b99305ff8990c086231f818f03828b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE
Filesize
7.3MB

MD5
ac69ea4dae2d61194cedc40f423fc240

SHA1
9ec71b517b7e7c36091dbf96fb8eb0577cf0b7f2

SHA256
aabbc779eef339c207509e4ca1ab3cf82abe780c3a5c2cecf39cb3730de5cf61

SHA512
0c224aeccc66a19bc2ab2911c70a7b2a6bbd5c4cc8f57c3001c7e1f6dfb5c2aa310b73e669592a9c3f244d352bff37f5c912ed37a4e860a62ef1a508de1acc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20202\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_hashlib.pyd
Filesize
63KB

MD5
f495d1897a1b52a2b15c20dcecb84b47

SHA1
8cb65590a8815bda58c86613b6386b5982d9ec3f

SHA256
e47e76d70d508b62924fe480f30e615b12fdd7745c0aac68a2cddabd07b692ae

SHA512
725d408892887bebd5bcf040a0ecc6a4e4b608815b9dea5b6f7b95c812715f82079896df33b0830c9f787ffe149b8182e529bb1f78aadd89df264cf8853ee4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_wmi.pyd
Filesize
35KB

MD5
ee33f4c8d17d17ad62925e85097b0109

SHA1
8c4a03531cf3dbfe6f378fdab9699d51e7888796

SHA256
79adca5037d9145309d3bd19f7a26f7bb7da716ee86e01073c6f2a9681e33dad

SHA512
60b0705a371ad2985db54a91f0e904eea502108663ea3c3fb18ed54671be1932f4f03e8e3fd687a857a5e3500545377b036276c69e821a7d6116b327f5b3d5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20202\base_library.zip
Filesize
1.3MB

MD5
3909f1a45b16c6c6ef797032de7e3b61

SHA1
5a243f6c8db11bf401aeac69f4c2a0c6cd63b3a8

SHA256
56cce68da6a7ebd11aab4b4a4e6a164647b42b29ae57656532c530d1e22e5b44

SHA512
647e343eb9732150c0fd12c7142a960ede969b41d5a567940e89636f021f0c0b3249b6cfc99c732190085bcae7aa077f8ac52c8e7fe7817d48a34489f0cd5148

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20202\python312.dll
Filesize
6.6MB

MD5
5c5602cda7ab8418420f223366fff5db

SHA1
52f81ee0aef9b6906f7751fd2bbd4953e3f3b798

SHA256
e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce

SHA512
51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20202\pywin32_system32\pywintypes312.dll
Filesize
131KB

MD5
26d752c8896b324ffd12827a5e4b2808

SHA1
447979fa03f78cb7210a4e4ba365085ab2f42c22

SHA256
bd33548dbdbb178873be92901b282bad9c6817e3eac154ca50a666d5753fd7ec

SHA512
99c87ab9920e79a03169b29a2f838d568ca4d4056b54a67bc51caf5c0ff5a4897ed02533ba504f884c6f983ebc400743e6ad52ac451821385b1e25c3b1ebcee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20202\win32\win32api.pyd
Filesize
130KB

MD5
3a80fea23a007b42cef8e375fc73ad40

SHA1
04319f7552ea968e2421c3936c3a9ee6f9cf30b2

SHA256
b70d69d25204381f19378e1bb35cc2b8c8430aa80a983f8d0e8e837050bb06ef

SHA512
a63bed03f05396b967858902e922b2fbfb4cf517712f91cfaa096ff0539cf300d6b9c659ffee6bf11c28e79e23115fd6b9c0b1aa95db1cbd4843487f060ccf40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\VCRUNTIME140_1.dll
Filesize
48KB

MD5
7e668ab8a78bd0118b94978d154c85bc

SHA1
dbac42a02a8d50639805174afd21d45f3c56e3a0

SHA256
e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f

SHA512
72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\_bz2.pyd
Filesize
82KB

MD5
c7ce973f261f698e3db148ccad057c96

SHA1
59809fd48e8597a73211c5df64c7292c5d120a10

SHA256
02d772c03704fe243c8de2672c210a5804d075c1f75e738d6130a173d08dfcde

SHA512
a924750b1825747a622eef93331fd764d824c954297e37e8dc93a450c11aa7ab3ad7c3b823b11656b86e64de3cd5d409fda15db472488dfaa4bb50341f0b29d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\_decimal.pyd
Filesize
247KB

MD5
21c73e7e0d7dad7a1fe728e3b80ce073

SHA1
7b363af01e83c05d0ea75299b39c31d948bbfe01

SHA256
a28c543976aa4b6d37da6f94a280d72124b429f458d0d57b7dbcf71b4bea8f73

SHA512
0357102bffc2ec2bc6ff4d9956d6b8e77ed8558402609e558f1c1ebc1baca6aeaa5220a7781a69b783a54f3e76362d1f74d817e4ee22aac16c7f8c86b6122390

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\libcrypto-3.dll
Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\unicodedata.pyd
Filesize
1.1MB

MD5
a1388676824ce6347d31d6c6a7a1d1b5

SHA1
27dd45a5c9b7e61bb894f13193212c6d5668085b

SHA256
2480a78815f619a631210e577e733c9bafecb7f608042e979423c5850ee390ff

SHA512
26ea1b33f14f08bb91027e0d35ac03f6203b4dfeee602bb592c5292ab089b27ff6922da2804a9e8a28e47d4351b32cf93445d894f00b4ad6e2d0c35c6c7f1d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_lzma.pyd
Filesize
155KB

MD5
4e2239ece266230ecb231b306adde070

SHA1
e807a078b71c660db10a27315e761872ffd01443

SHA256
34130d8abe27586ee315262d69af4e27429b7eab1f3131ea375c2bb62cf094be

SHA512
86e6a1eab3529e600dd5caab6103e34b0f618d67322a5ecf1b80839faa028150c492a5cf865a2292cc8584fba008955da81a50b92301583424401d249c5f1401

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\_socket.pyd
Filesize
81KB

MD5
899380b2d48df53414b974e11bb711e3

SHA1
f1d11f7e970a7cd476e739243f8f197fcb3ad590

SHA256
b38e66e6ee413e5955ef03d619cadd40fca8be035b43093d2342b6f3739e883e

SHA512
7426ca5e7a404b9628e2966dae544f3e8310c697145567b361825dc0b5c6cd87f2caf567def8cd19e73d68643f2f38c08ff4ff0bb0a459c853f241b8fdf40024

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45482\select.pyd
Filesize
30KB

MD5
bffff83a000baf559f3eb2b599a1b7e8

SHA1
7f9238bda6d0c7cc5399c6b6ab3b42d21053f467

SHA256
bc71fbdfd1441d62dd86d33ff41b35dc3cc34875f625d885c58c8dc000064dab

SHA512
3c0ba0cf356a727066ae0d0d6523440a882aafb3ebdf70117993effd61395deebf179948f8c7f5222d59d1ed748c71d9d53782e16bd2f2eccc296f2f8b4fc948

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3k5y5jt.tnk.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2920-305-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/3472-201-0x000001B59AE80000-0x000001B59AEA2000-memory.dmp

Filesize
136KB

Download