phemedrone | 976ab5ad4822144756c44ce8fb0426f62e26d9d579d0cb5211c1701be681e775

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
15-11-2023 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe
Size

4.9MB
MD5

e74b8c7dfcf9ccf4cce06b7481bc06c0
SHA1

c1b3d72fb4b04462d894e5478ea1da26af0932c6
SHA256

976ab5ad4822144756c44ce8fb0426f62e26d9d579d0cb5211c1701be681e775
SHA512

7dad6ebde32bb186dda82c8efda7f46dc2523ac4180f78c9368c0d35eb757b48525dbcf5f65c42f38a42f3253fcee7246646075e22a3ef4a1a6e64b769e875ef
SSDEEP

98304:usadS1IAMpZL6DZ4x0z5vzg2ObHhpfkKmCNHBANF1bkzTtwOUcO:u/ZAaMxZZiBeCNHyzbklwOUcO

Score

10^/10

phemedrone spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot6526296839:AAHf93IZJTXM1F9tUJGQR-zriuV-RU7enBM/sendMessage?chat_id=872309541

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Executes dropped EXE 3 IoCs

Processes:

fluxus2_protected.exeFluxus V7.execrypt.exe

pid process

2060 fluxus2_protected.exe
2952 Fluxus V7.exe
2296 crypt.exe

Loads dropped DLL 21 IoCs

Processes:

NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exefluxus2_protected.exeWerFault.exeWerFault.exe

pid	process
2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe
2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe
2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe
2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe
2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe
2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe
2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe
2060	fluxus2_protected.exe
2060	fluxus2_protected.exe
2060	fluxus2_protected.exe
2060	fluxus2_protected.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

fluxus2_protected.execrypt.exe

pid process

2060 fluxus2_protected.exe
2296 crypt.exe
2296 crypt.exe
2296 crypt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1860 2952 WerFault.exe Fluxus V7.exe
1976 2296 WerFault.exe crypt.exe

flow	ioc
3	ip-api.com

pid	pid_target	process	target process
1860	2952	WerFault.exe	Fluxus V7.exe
1976	2296	WerFault.exe	crypt.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Fluxus V7.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Fluxus V7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Fluxus V7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Fluxus V7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Fluxus V7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Fluxus V7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Fluxus V7.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

fluxus2_protected.execrypt.exe

pid	process
2060	fluxus2_protected.exe
2296	crypt.exe
2296	crypt.exe
2296	crypt.exe
2296	crypt.exe
2296	crypt.exe
2296	crypt.exe
2296	crypt.exe
2296	crypt.exe
2296	crypt.exe
2296	crypt.exe
2296	crypt.exe
2296	crypt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

crypt.exeFluxus V7.exe

description pid process

Token: SeDebugPrivilege 2296 crypt.exe
Token: SeDebugPrivilege 2952 Fluxus V7.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fluxus2_protected.execrypt.exe

pid process

2060 fluxus2_protected.exe
2296 crypt.exe

description	pid	process
Token: SeDebugPrivilege	2296	crypt.exe
Token: SeDebugPrivilege	2952	Fluxus V7.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exefluxus2_protected.exeFluxus V7.execrypt.exe

description	pid	process	target process
PID 2136 wrote to memory of 2060	2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	fluxus2_protected.exe
PID 2136 wrote to memory of 2060	2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	fluxus2_protected.exe
PID 2136 wrote to memory of 2060	2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	fluxus2_protected.exe
PID 2136 wrote to memory of 2060	2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	fluxus2_protected.exe
PID 2136 wrote to memory of 2952	2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	Fluxus V7.exe
PID 2136 wrote to memory of 2952	2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	Fluxus V7.exe
PID 2136 wrote to memory of 2952	2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	Fluxus V7.exe
PID 2136 wrote to memory of 2952	2136	NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe	Fluxus V7.exe
PID 2060 wrote to memory of 2296	2060	fluxus2_protected.exe	crypt.exe
PID 2060 wrote to memory of 2296	2060	fluxus2_protected.exe	crypt.exe
PID 2060 wrote to memory of 2296	2060	fluxus2_protected.exe	crypt.exe
PID 2060 wrote to memory of 2296	2060	fluxus2_protected.exe	crypt.exe
PID 2952 wrote to memory of 1860	2952	Fluxus V7.exe	WerFault.exe
PID 2952 wrote to memory of 1860	2952	Fluxus V7.exe	WerFault.exe
PID 2952 wrote to memory of 1860	2952	Fluxus V7.exe	WerFault.exe
PID 2952 wrote to memory of 1860	2952	Fluxus V7.exe	WerFault.exe
PID 2296 wrote to memory of 1976	2296	crypt.exe	WerFault.exe
PID 2296 wrote to memory of 1976	2296	crypt.exe	WerFault.exe
PID 2296 wrote to memory of 1976	2296	crypt.exe	WerFault.exe
PID 2296 wrote to memory of 1976	2296	crypt.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e74b8c7dfcf9ccf4cce06b7481bc06c0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\fluxus2_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\fluxus2_protected.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\crypt.exe
    "C:\Users\Admin\AppData\Local\Temp\crypt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1800
      4⤵
      Loads dropped DLL
      Program crash
      PID:1976
- C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe
  "C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 1636
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6f8e9e7c41b086a5ea2009992193192

SHA1
a65e6fcfa4b9a7c01a56163b347c95f4ebd2d4d4

SHA256
dd11d0bc9e12643ae6f9f838875514fc52bd2df34f785e10e36bb593950d54f5

SHA512
6ca7c41df09a35a2b43a28b1cb8a43924f55833b051ef484e3da3279ca0bf99fd2c2ba2dafcdabc10295b886a16664bbcb701d71a9ea13a64d502f96191fd014

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBDA6.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBE45.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fluxus2_protected.exe

Filesize
2.4MB

MD5
a768c386ac833969acd939af76af2968

SHA1
f41bd3d0e7c8330e9f08ff5ca23d6096ea6519fa

SHA256
7d247252300633c5823d6b0241794448731b9d5a306cf1e43ecc5d4c83c1d676

SHA512
3fbc4fa7ffa2803135d918a156a5c4d3fcf709cd6e3500fdb2367c2355ecb31b5cc6e05a283d99f5fcea3e8e623065c6c89935fe3ca5896a950c308d34ae4e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\fluxus2_protected.exe

Filesize
2.4MB

MD5
a768c386ac833969acd939af76af2968

SHA1
f41bd3d0e7c8330e9f08ff5ca23d6096ea6519fa

SHA256
7d247252300633c5823d6b0241794448731b9d5a306cf1e43ecc5d4c83c1d676

SHA512
3fbc4fa7ffa2803135d918a156a5c4d3fcf709cd6e3500fdb2367c2355ecb31b5cc6e05a283d99f5fcea3e8e623065c6c89935fe3ca5896a950c308d34ae4e94

Download Submit
\??\c:\users\admin\appdata\local\temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
\??\c:\users\admin\appdata\local\temp\fluxus2_protected.exe

Filesize
2.4MB

MD5
a768c386ac833969acd939af76af2968

SHA1
f41bd3d0e7c8330e9f08ff5ca23d6096ea6519fa

SHA256
7d247252300633c5823d6b0241794448731b9d5a306cf1e43ecc5d4c83c1d676

SHA512
3fbc4fa7ffa2803135d918a156a5c4d3fcf709cd6e3500fdb2367c2355ecb31b5cc6e05a283d99f5fcea3e8e623065c6c89935fe3ca5896a950c308d34ae4e94

Download Submit
\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
b4f9cbca656fd34c4dbb1d706a7f1ad3

SHA1
2b95d88a80ccb619b581c420f7435c660cfbb28e

SHA256
1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d

SHA512
5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

Download Submit
\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
1.1MB

MD5
9c3fce3559267764af96c25e4ca8f6c7

SHA1
7093daa7954d11248f371c143f1d0825dc87fd85

SHA256
badd2b7ef518bf58283b4180cce248396e8beecdaacf6b5d1b5c3ef12da2c238

SHA512
957250a44d22f91f342e2a6290121c583770879598f848c4aa20ddb4fc8ed4404ae382f03ab75368d19ae4d90030c44262c6084ac7e83cccd4542a0344be66b0

Download Submit
\Users\Admin\AppData\Local\Temp\fluxus2_protected.exe

Filesize
2.4MB

MD5
a768c386ac833969acd939af76af2968

SHA1
f41bd3d0e7c8330e9f08ff5ca23d6096ea6519fa

SHA256
7d247252300633c5823d6b0241794448731b9d5a306cf1e43ecc5d4c83c1d676

SHA512
3fbc4fa7ffa2803135d918a156a5c4d3fcf709cd6e3500fdb2367c2355ecb31b5cc6e05a283d99f5fcea3e8e623065c6c89935fe3ca5896a950c308d34ae4e94

Download Submit
\Users\Admin\AppData\Local\Temp\fluxus2_protected.exe

Filesize
2.4MB

MD5
a768c386ac833969acd939af76af2968

SHA1
f41bd3d0e7c8330e9f08ff5ca23d6096ea6519fa

SHA256
7d247252300633c5823d6b0241794448731b9d5a306cf1e43ecc5d4c83c1d676

SHA512
3fbc4fa7ffa2803135d918a156a5c4d3fcf709cd6e3500fdb2367c2355ecb31b5cc6e05a283d99f5fcea3e8e623065c6c89935fe3ca5896a950c308d34ae4e94

Download Submit
\Users\Admin\AppData\Local\Temp\fluxus2_protected.exe

Filesize
2.4MB

MD5
a768c386ac833969acd939af76af2968

SHA1
f41bd3d0e7c8330e9f08ff5ca23d6096ea6519fa

SHA256
7d247252300633c5823d6b0241794448731b9d5a306cf1e43ecc5d4c83c1d676

SHA512
3fbc4fa7ffa2803135d918a156a5c4d3fcf709cd6e3500fdb2367c2355ecb31b5cc6e05a283d99f5fcea3e8e623065c6c89935fe3ca5896a950c308d34ae4e94

Download Submit
memory/2060-47-0x0000000000A30000-0x0000000000E21000-memory.dmp

Filesize
3.9MB

Download
memory/2060-48-0x0000000000A30000-0x0000000000E21000-memory.dmp

Filesize
3.9MB

Download
memory/2136-17-0x00000000036C0000-0x0000000003AB1000-memory.dmp

Filesize
3.9MB

Download
memory/2136-15-0x00000000036C0000-0x0000000003AB1000-memory.dmp

Filesize
3.9MB

Download
memory/2296-133-0x0000000000B50000-0x0000000000ED0000-memory.dmp

Filesize
3.5MB

Download
memory/2296-49-0x0000000000B50000-0x0000000000ED0000-memory.dmp

Filesize
3.5MB

Download
memory/2296-53-0x0000000000B50000-0x0000000000ED0000-memory.dmp

Filesize
3.5MB

Download
memory/2296-134-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2296-51-0x0000000000B50000-0x0000000000ED0000-memory.dmp

Filesize
3.5MB

Download
memory/2296-57-0x0000000005CA0000-0x0000000005CE0000-memory.dmp

Filesize
256KB

Download
memory/2296-54-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2952-56-0x00000000012F0000-0x0000000001330000-memory.dmp

Filesize
256KB

Download
memory/2952-58-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2952-60-0x00000000012F0000-0x0000000001330000-memory.dmp

Filesize
256KB

Download
memory/2952-52-0x0000000001390000-0x0000000001784000-memory.dmp

Filesize
4.0MB

Download
memory/2952-55-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2952-59-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2952-135-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2952-137-0x00000000012F0000-0x0000000001330000-memory.dmp

Filesize
256KB

Download
memory/2952-138-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2952-140-0x00000000012F0000-0x0000000001330000-memory.dmp

Filesize
256KB

Download