guloader | e8ec7dcf12edf07c6099157c32557f41ebd74ddee6b125d1e34dcc4259dc10a7

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-01-2022 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Notification.xll
Size

554KB
MD5

68172769631a891bc5790feb75823f43
SHA1

e05ed4dbc6c2eb776c95007f62711c682b10c0c4
SHA256

e8ec7dcf12edf07c6099157c32557f41ebd74ddee6b125d1e34dcc4259dc10a7
SHA512

95c0980d2c06842c77b600bce5d8919e93ae206ad031d3ba88ae8c5ed9cdab81274c8cea04ef990553e045dc4173b0650074fcba79ce718b422a1642638b25b4

Score

10^/10

guloader lokibot pony collection discovery downloader persistence rat spyware stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

lokibot

http://windowssecuritycheck.gdn/jx/l/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

pony

http://windowssecuritycheck.gdn/jx/p/gate.php

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

sse.exewix.exe

pid process

3104 sse.exe
3900 wix.exe
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3104	sse.exe
3900	wix.exe

Checks QEMU agent file 2 TTPs 4 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sse.exewix.exewix.exesse.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	sse.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	wix.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	wix.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	sse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sse.exewix.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	sse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	wix.exe

Loads dropped DLL 4 IoCs

Processes:

EXCEL.EXEsse.exewix.exe

pid process

3960 EXCEL.EXE
3960 EXCEL.EXE
3232 sse.exe
3860 wix.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3960	EXCEL.EXE
3960	EXCEL.EXE
3232	sse.exe
3860	wix.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

wix.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wix.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

sse.exewix.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	sse.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	sse.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	sse.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wix.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

Processes:

sse.exewix.exe

pid process

3232 sse.exe
3232 sse.exe
3860 wix.exe
3860 wix.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

sse.exesse.exewix.exewix.exe

pid process

3104 sse.exe
3232 sse.exe
3900 wix.exe
3860 wix.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

sse.exewix.exe

description pid process target process

PID 3104 set thread context of 3232 3104 sse.exe sse.exe
PID 3900 set thread context of 3860 3900 wix.exe wix.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3232	sse.exe
3232	sse.exe
3860	wix.exe
3860	wix.exe

pid	process
3104	sse.exe
3232	sse.exe
3900	wix.exe
3860	wix.exe

description	pid	process	target process
PID 3104 set thread context of 3232	3104	sse.exe	sse.exe
PID 3900 set thread context of 3860	3900	wix.exe	wix.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3960 EXCEL.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sse.exewix.exe

pid process

3104 sse.exe
3900 wix.exe

pid	process
3960	EXCEL.EXE

pid	process
3104	sse.exe
3900	wix.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

EXCEL.EXEsse.exewix.exe

description	pid	process
Token: SeDebugPrivilege	3960	EXCEL.EXE
Token: SeDebugPrivilege	3232	sse.exe
Token: SeImpersonatePrivilege	3860	wix.exe
Token: SeTcbPrivilege	3860	wix.exe
Token: SeChangeNotifyPrivilege	3860	wix.exe
Token: SeCreateTokenPrivilege	3860	wix.exe
Token: SeBackupPrivilege	3860	wix.exe
Token: SeRestorePrivilege	3860	wix.exe
Token: SeIncreaseQuotaPrivilege	3860	wix.exe
Token: SeAssignPrimaryTokenPrivilege	3860	wix.exe
Token: SeImpersonatePrivilege	3860	wix.exe
Token: SeTcbPrivilege	3860	wix.exe
Token: SeChangeNotifyPrivilege	3860	wix.exe
Token: SeCreateTokenPrivilege	3860	wix.exe
Token: SeBackupPrivilege	3860	wix.exe
Token: SeRestorePrivilege	3860	wix.exe
Token: SeIncreaseQuotaPrivilege	3860	wix.exe
Token: SeAssignPrimaryTokenPrivilege	3860	wix.exe
Token: SeImpersonatePrivilege	3860	wix.exe
Token: SeTcbPrivilege	3860	wix.exe
Token: SeChangeNotifyPrivilege	3860	wix.exe
Token: SeCreateTokenPrivilege	3860	wix.exe
Token: SeBackupPrivilege	3860	wix.exe
Token: SeRestorePrivilege	3860	wix.exe
Token: SeIncreaseQuotaPrivilege	3860	wix.exe
Token: SeAssignPrimaryTokenPrivilege	3860	wix.exe
Token: SeImpersonatePrivilege	3860	wix.exe
Token: SeTcbPrivilege	3860	wix.exe
Token: SeChangeNotifyPrivilege	3860	wix.exe
Token: SeCreateTokenPrivilege	3860	wix.exe
Token: SeBackupPrivilege	3860	wix.exe
Token: SeRestorePrivilege	3860	wix.exe
Token: SeIncreaseQuotaPrivilege	3860	wix.exe
Token: SeAssignPrimaryTokenPrivilege	3860	wix.exe
Token: SeImpersonatePrivilege	3860	wix.exe
Token: SeTcbPrivilege	3860	wix.exe
Token: SeChangeNotifyPrivilege	3860	wix.exe
Token: SeCreateTokenPrivilege	3860	wix.exe
Token: SeBackupPrivilege	3860	wix.exe
Token: SeRestorePrivilege	3860	wix.exe
Token: SeIncreaseQuotaPrivilege	3860	wix.exe
Token: SeAssignPrimaryTokenPrivilege	3860	wix.exe
Token: SeImpersonatePrivilege	3860	wix.exe
Token: SeTcbPrivilege	3860	wix.exe
Token: SeChangeNotifyPrivilege	3860	wix.exe
Token: SeCreateTokenPrivilege	3860	wix.exe
Token: SeBackupPrivilege	3860	wix.exe
Token: SeRestorePrivilege	3860	wix.exe
Token: SeIncreaseQuotaPrivilege	3860	wix.exe
Token: SeAssignPrimaryTokenPrivilege	3860	wix.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

EXCEL.EXEsse.exewix.exe

pid process

3960 EXCEL.EXE
3960 EXCEL.EXE
3960 EXCEL.EXE
3960 EXCEL.EXE
3960 EXCEL.EXE
3960 EXCEL.EXE
3960 EXCEL.EXE
3960 EXCEL.EXE
3104 sse.exe
3900 wix.exe

pid	process
3960	EXCEL.EXE
3960	EXCEL.EXE
3960	EXCEL.EXE
3960	EXCEL.EXE
3960	EXCEL.EXE
3960	EXCEL.EXE
3960	EXCEL.EXE
3960	EXCEL.EXE
3104	sse.exe
3900	wix.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EXCEL.EXEsse.exesse.exewix.exewix.exe

description	pid	process	target process
PID 3960 wrote to memory of 3104	3960	EXCEL.EXE	sse.exe
PID 3960 wrote to memory of 3104	3960	EXCEL.EXE	sse.exe
PID 3960 wrote to memory of 3104	3960	EXCEL.EXE	sse.exe
PID 3104 wrote to memory of 3232	3104	sse.exe	sse.exe
PID 3104 wrote to memory of 3232	3104	sse.exe	sse.exe
PID 3104 wrote to memory of 3232	3104	sse.exe	sse.exe
PID 3104 wrote to memory of 3232	3104	sse.exe	sse.exe
PID 3232 wrote to memory of 3900	3232	sse.exe	wix.exe
PID 3232 wrote to memory of 3900	3232	sse.exe	wix.exe
PID 3232 wrote to memory of 3900	3232	sse.exe	wix.exe
PID 3900 wrote to memory of 3860	3900	wix.exe	wix.exe
PID 3900 wrote to memory of 3860	3900	wix.exe	wix.exe
PID 3900 wrote to memory of 3860	3900	wix.exe	wix.exe
PID 3900 wrote to memory of 3860	3900	wix.exe	wix.exe
PID 3860 wrote to memory of 640	3860	wix.exe	cmd.exe
PID 3860 wrote to memory of 640	3860	wix.exe	cmd.exe
PID 3860 wrote to memory of 640	3860	wix.exe	cmd.exe

outlook_office_path 1 IoCs

Processes:

sse.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	sse.exe

outlook_win_path 1 IoCs

Processes:

wix.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wix.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Payment Notification.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\sse.exe
C:\Users\Admin\AppData\Local\Temp\sse.exe
2⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3104

C:\Users\Admin\AppData\Local\Temp\sse.exe
C:\Users\Admin\AppData\Local\Temp\sse.exe
3⤵
- Checks QEMU agent file
- Checks computer location settings
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
PID:3232

C:\Users\Admin\AppData\Local\Temp\wix.exe
"C:\Users\Admin\AppData\Local\Temp\wix.exe"
4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\wix.exe
"C:\Users\Admin\AppData\Local\Temp\wix.exe"
5⤵
- Checks QEMU agent file
- Checks computer location settings
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\30354875.bat" "C:\Users\Admin\AppData\Local\Temp\wix.exe" "
6⤵
PID:640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:264

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 8828ca379238c01d31420cad894a221f YorinnXjoUWhdGTRBe0mRA.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:3452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30354875.bat
MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payment Notification.xll
MD5
68172769631a891bc5790feb75823f43

SHA1
e05ed4dbc6c2eb776c95007f62711c682b10c0c4

SHA256
e8ec7dcf12edf07c6099157c32557f41ebd74ddee6b125d1e34dcc4259dc10a7

SHA512
95c0980d2c06842c77b600bce5d8919e93ae206ad031d3ba88ae8c5ed9cdab81274c8cea04ef990553e045dc4173b0650074fcba79ce718b422a1642638b25b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payment Notification.xll
MD5
68172769631a891bc5790feb75823f43

SHA1
e05ed4dbc6c2eb776c95007f62711c682b10c0c4

SHA256
e8ec7dcf12edf07c6099157c32557f41ebd74ddee6b125d1e34dcc4259dc10a7

SHA512
95c0980d2c06842c77b600bce5d8919e93ae206ad031d3ba88ae8c5ed9cdab81274c8cea04ef990553e045dc4173b0650074fcba79ce718b422a1642638b25b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oWd6XQZBhARVHwO1QZW240
MD5
f97264a5d29376aadd091cb8880bf4e4

SHA1
1641d112c7f0f31ccff1b9ccab6222d245642e27

SHA256
5bd919690a6400c82da06969c65988a748945cbf3fd6f4ed803884ba516e4bd2

SHA512
6badc1c7bd2b5dad04ff809f0ea6e3a590a777fcaef4750e873bdaea24afd9ce4cc5e1190811632c12f9d6a5cfd67e0b449060fd1811bd55e8863f3a5620b0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sse.exe
MD5
6eaeb3b2575361e191ee34c0baacf7b7

SHA1
673bf4970b55bf5d4a89cc14b0a977ccebb53789

SHA256
a42c56999d2837f01e3d1e04b7ce70fb17b1357a3ffb08d1e29eb09f8f8b0c05

SHA512
153ae58e82e37e0e13475e82df39937c175d48824e9ccee1cbe868d2fd32fcfcb967323df8db6eb1ecbecbc78a59c9dff232607936c16169e915a8d38f92b7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\sse.exe
MD5
6eaeb3b2575361e191ee34c0baacf7b7

SHA1
673bf4970b55bf5d4a89cc14b0a977ccebb53789

SHA256
a42c56999d2837f01e3d1e04b7ce70fb17b1357a3ffb08d1e29eb09f8f8b0c05

SHA512
153ae58e82e37e0e13475e82df39937c175d48824e9ccee1cbe868d2fd32fcfcb967323df8db6eb1ecbecbc78a59c9dff232607936c16169e915a8d38f92b7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\sse.exe
MD5
6eaeb3b2575361e191ee34c0baacf7b7

SHA1
673bf4970b55bf5d4a89cc14b0a977ccebb53789

SHA256
a42c56999d2837f01e3d1e04b7ce70fb17b1357a3ffb08d1e29eb09f8f8b0c05

SHA512
153ae58e82e37e0e13475e82df39937c175d48824e9ccee1cbe868d2fd32fcfcb967323df8db6eb1ecbecbc78a59c9dff232607936c16169e915a8d38f92b7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\wix.exe
MD5
c509c11adc8929e2a932b4bda1216791

SHA1
985cf44ab37c06fe2d544cc350210e4a65eb3136

SHA256
40d656064f338170882f2de5b2983bd751d102c5986a84ab6a8bd6c61adbf0fc

SHA512
e537eb81f104dd55e818f6d516fa11fb9e5f7407436d570b76b5e69fc1cf33e5b114404000d02d1bdea0b2ae2bd4c632f3d3a84bdb4af63ed821e4dae7a9187c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wix.exe
MD5
c509c11adc8929e2a932b4bda1216791

SHA1
985cf44ab37c06fe2d544cc350210e4a65eb3136

SHA256
40d656064f338170882f2de5b2983bd751d102c5986a84ab6a8bd6c61adbf0fc

SHA512
e537eb81f104dd55e818f6d516fa11fb9e5f7407436d570b76b5e69fc1cf33e5b114404000d02d1bdea0b2ae2bd4c632f3d3a84bdb4af63ed821e4dae7a9187c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wix.exe
MD5
c509c11adc8929e2a932b4bda1216791

SHA1
985cf44ab37c06fe2d544cc350210e4a65eb3136

SHA256
40d656064f338170882f2de5b2983bd751d102c5986a84ab6a8bd6c61adbf0fc

SHA512
e537eb81f104dd55e818f6d516fa11fb9e5f7407436d570b76b5e69fc1cf33e5b114404000d02d1bdea0b2ae2bd4c632f3d3a84bdb4af63ed821e4dae7a9187c

Download Submit
memory/3104-178-0x00000000776E0000-0x0000000077883000-memory.dmp

Filesize
1.6MB

Download
memory/3104-176-0x00000000776E0000-0x0000000077883000-memory.dmp

Filesize
1.6MB

Download
memory/3104-175-0x00007FFD489B0000-0x00007FFD48BA5000-memory.dmp

Filesize
2.0MB

Download
memory/3104-174-0x0000000002230000-0x0000000002258000-memory.dmp

Filesize
160KB

Download
memory/3232-182-0x00000000776E0000-0x0000000077883000-memory.dmp

Filesize
1.6MB

Download
memory/3232-188-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3232-181-0x00007FFD489B0000-0x00007FFD48BA5000-memory.dmp

Filesize
2.0MB

Download
memory/3232-180-0x0000000001660000-0x0000000001940000-memory.dmp

Filesize
2.9MB

Download
memory/3232-179-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3860-194-0x0000000001660000-0x00000000017F0000-memory.dmp

Filesize
1.6MB

Download
memory/3860-215-0x00007FFD489B0000-0x00007FFD48BA5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-216-0x00000000776E0000-0x0000000077883000-memory.dmp

Filesize
1.6MB

Download
memory/3860-217-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3900-191-0x00007FFD489B0000-0x00007FFD48BA5000-memory.dmp

Filesize
2.0MB

Download
memory/3900-189-0x00000000020D0000-0x00000000020F7000-memory.dmp

Filesize
156KB

Download
memory/3900-193-0x00000000776E0000-0x0000000077883000-memory.dmp

Filesize
1.6MB

Download
memory/3960-158-0x0000023DEE732000-0x0000023DEE734000-memory.dmp

Filesize
8KB

Download
memory/3960-138-0x00007FFD060D0000-0x00007FFD060E0000-memory.dmp

Filesize
64KB

Download
memory/3960-134-0x00007FFD08A30000-0x00007FFD08A40000-memory.dmp

Filesize
64KB

Download
memory/3960-133-0x00007FFD08A30000-0x00007FFD08A40000-memory.dmp

Filesize
64KB

Download
memory/3960-132-0x00007FFD08A30000-0x00007FFD08A40000-memory.dmp

Filesize
64KB

Download
memory/3960-149-0x0000023DEE2B0000-0x0000023DEE354000-memory.dmp

Filesize
656KB

Download
memory/3960-168-0x0000023DEE73C000-0x0000023DEE73F000-memory.dmp

Filesize
12KB

Download
memory/3960-130-0x00007FFD08A30000-0x00007FFD08A40000-memory.dmp

Filesize
64KB

Download
memory/3960-137-0x00007FFD060D0000-0x00007FFD060E0000-memory.dmp

Filesize
64KB

Download
memory/3960-169-0x0000023DEE73A000-0x0000023DEE73C000-memory.dmp

Filesize
8KB

Download
memory/3960-167-0x0000023DEE739000-0x0000023DEE73A000-memory.dmp

Filesize
4KB

Download
memory/3960-211-0x00007FFD08A30000-0x00007FFD08A40000-memory.dmp

Filesize
64KB

Download
memory/3960-213-0x00007FFD08A30000-0x00007FFD08A40000-memory.dmp

Filesize
64KB

Download
memory/3960-212-0x00007FFD08A30000-0x00007FFD08A40000-memory.dmp

Filesize
64KB

Download
memory/3960-214-0x00007FFD08A30000-0x00007FFD08A40000-memory.dmp

Filesize
64KB

Download
memory/3960-165-0x0000023DEE734000-0x0000023DEE736000-memory.dmp

Filesize
8KB

Download
memory/3960-166-0x0000023DEE737000-0x0000023DEE739000-memory.dmp

Filesize
8KB

Download
memory/3960-157-0x0000023DEE730000-0x0000023DEE732000-memory.dmp

Filesize
8KB

Download
memory/3960-131-0x00007FFD08A30000-0x00007FFD08A40000-memory.dmp

Filesize
64KB

Download