81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d

Analysis

max time kernel
151s
max time network
161s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
Size

1.3MB
MD5

c58c1846fa7e64b14d7de0690d5f0296
SHA1

f10788dd72d677d68657ab834dddf99d1ab3ab88
SHA256

81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d
SHA512

28609874a0faf86a33146757d78d252e070fab2d231992357528dce306ecd63ba70c6adf7c5aadee2a67e61ac553bba6b0664a5dd6bc1bec4e20dfdbe9e1dcef
SSDEEP

24576:GjdvkUZ0pDZe+Bczu3+ZO0IRR3wTkgr9BNpiUU11Wsp1Igj20wqEiGK8xyw:GjdvkY0pDZe+Bczu3+ZO0IRR3eFr9B/B

Score

9^/10

Malware Config

Signatures

Detects executables containing URLs to raw contents of a Github gist 5 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015c76-19.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0007000000016ad6-36.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0007000000016ad6-104.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0007000000016ad6-102.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0007000000016ad6-232.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Downloads MZ/PE file

Executes dropped EXE 22 IoCs

pid	Process
2660	update.exe
1684	clayylauncher.exe
2336	update.exe
1556	clayylauncher.exe
2828	update.exe
1076	clayylauncher.exe
1324	update.exe
1964	clayylauncher.exe
2540	update.exe
276	clayylauncher.exe
564	update.exe
2644	clayylauncher.exe
2772	update.exe
2828	clayylauncher.exe
1232	update.exe
1240	clayylauncher.exe
2508	update.exe
2572	clayylauncher.exe
1692	update.exe
528	clayylauncher.exe
3012	update.exe
2848	clayylauncher.exe

Loads dropped DLL 26 IoCs

pid	Process
1972	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
1212	Process not Found
1212	Process not Found
2660	update.exe
1212	Process not Found
1212	Process not Found
1684	clayylauncher.exe
2336	update.exe
1556	clayylauncher.exe
2828	update.exe
1076	clayylauncher.exe
1324	update.exe
1964	clayylauncher.exe
2540	update.exe
276	clayylauncher.exe
564	update.exe
2644	clayylauncher.exe
2772	update.exe
2828	clayylauncher.exe
1232	update.exe
1240	clayylauncher.exe
2508	update.exe
2572	clayylauncher.exe
1692	update.exe
528	clayylauncher.exe
3012	update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 28 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
8	raw.githubusercontent.com
23	raw.githubusercontent.com
32	raw.githubusercontent.com
17	raw.githubusercontent.com
41	raw.githubusercontent.com
57	raw.githubusercontent.com
53	raw.githubusercontent.com
4	raw.githubusercontent.com
36	raw.githubusercontent.com
38	raw.githubusercontent.com
40	raw.githubusercontent.com
47	raw.githubusercontent.com
55	raw.githubusercontent.com
3	raw.githubusercontent.com
10	raw.githubusercontent.com
13	raw.githubusercontent.com
24	raw.githubusercontent.com
26	raw.githubusercontent.com
15	raw.githubusercontent.com
21	raw.githubusercontent.com
28	raw.githubusercontent.com
45	raw.githubusercontent.com
49	raw.githubusercontent.com
12	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
51	raw.githubusercontent.com

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2660	update.exe
2336	update.exe
2828	update.exe
1324	update.exe
2540	update.exe
564	update.exe
2772	update.exe
1232	update.exe
2508	update.exe
1692	update.exe
3012	update.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1972	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
1972	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
2660	update.exe
2660	update.exe
1684	clayylauncher.exe
1684	clayylauncher.exe
2336	update.exe
2336	update.exe
1556	clayylauncher.exe
1556	clayylauncher.exe
2828	update.exe
2828	update.exe
1076	clayylauncher.exe
1076	clayylauncher.exe
1324	update.exe
1324	update.exe
1964	clayylauncher.exe
1964	clayylauncher.exe
2540	update.exe
2540	update.exe
276	clayylauncher.exe
276	clayylauncher.exe
564	update.exe
564	update.exe
2644	clayylauncher.exe
2644	clayylauncher.exe
2772	update.exe
2772	update.exe
2828	clayylauncher.exe
2828	clayylauncher.exe
1232	update.exe
1232	update.exe
1240	clayylauncher.exe
1240	clayylauncher.exe
2508	update.exe
2508	update.exe
2572	clayylauncher.exe
2572	clayylauncher.exe
1692	update.exe
1692	update.exe
528	clayylauncher.exe
528	clayylauncher.exe
3012	update.exe
3012	update.exe
2848	clayylauncher.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
1972	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
1972	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
2660	update.exe
2660	update.exe
1684	clayylauncher.exe
1684	clayylauncher.exe
2336	update.exe
2336	update.exe
1556	clayylauncher.exe
1556	clayylauncher.exe
2828	update.exe
2828	update.exe
1076	clayylauncher.exe
1076	clayylauncher.exe
1324	update.exe
1324	update.exe
1964	clayylauncher.exe
1964	clayylauncher.exe
2540	update.exe
2540	update.exe
276	clayylauncher.exe
276	clayylauncher.exe
564	update.exe
564	update.exe
2644	clayylauncher.exe
2644	clayylauncher.exe
2772	update.exe
2772	update.exe
2828	clayylauncher.exe
2828	clayylauncher.exe
1232	update.exe
1232	update.exe
1240	clayylauncher.exe
1240	clayylauncher.exe
2508	update.exe
2508	update.exe
2572	clayylauncher.exe
2572	clayylauncher.exe
1692	update.exe
1692	update.exe
528	clayylauncher.exe
528	clayylauncher.exe
3012	update.exe
3012	update.exe
2848	clayylauncher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2660	1972	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe	29
PID 1972 wrote to memory of 2660	1972	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe	29
PID 1972 wrote to memory of 2660	1972	81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe	29
PID 2660 wrote to memory of 1684	2660	update.exe	31
PID 2660 wrote to memory of 1684	2660	update.exe	31
PID 2660 wrote to memory of 1684	2660	update.exe	31
PID 1684 wrote to memory of 2336	1684	clayylauncher.exe	33
PID 1684 wrote to memory of 2336	1684	clayylauncher.exe	33
PID 1684 wrote to memory of 2336	1684	clayylauncher.exe	33
PID 2336 wrote to memory of 1556	2336	update.exe	35
PID 2336 wrote to memory of 1556	2336	update.exe	35
PID 2336 wrote to memory of 1556	2336	update.exe	35
PID 1556 wrote to memory of 2828	1556	clayylauncher.exe	39
PID 1556 wrote to memory of 2828	1556	clayylauncher.exe	39
PID 1556 wrote to memory of 2828	1556	clayylauncher.exe	39
PID 2828 wrote to memory of 1076	2828	update.exe	41
PID 2828 wrote to memory of 1076	2828	update.exe	41
PID 2828 wrote to memory of 1076	2828	update.exe	41
PID 1076 wrote to memory of 1324	1076	clayylauncher.exe	43
PID 1076 wrote to memory of 1324	1076	clayylauncher.exe	43
PID 1076 wrote to memory of 1324	1076	clayylauncher.exe	43
PID 1324 wrote to memory of 1964	1324	update.exe	45
PID 1324 wrote to memory of 1964	1324	update.exe	45
PID 1324 wrote to memory of 1964	1324	update.exe	45
PID 1964 wrote to memory of 2540	1964	clayylauncher.exe	47
PID 1964 wrote to memory of 2540	1964	clayylauncher.exe	47
PID 1964 wrote to memory of 2540	1964	clayylauncher.exe	47
PID 2540 wrote to memory of 276	2540	update.exe	49
PID 2540 wrote to memory of 276	2540	update.exe	49
PID 2540 wrote to memory of 276	2540	update.exe	49
PID 276 wrote to memory of 564	276	clayylauncher.exe	50
PID 276 wrote to memory of 564	276	clayylauncher.exe	50
PID 276 wrote to memory of 564	276	clayylauncher.exe	50
PID 564 wrote to memory of 2644	564	update.exe	52
PID 564 wrote to memory of 2644	564	update.exe	52
PID 564 wrote to memory of 2644	564	update.exe	52
PID 2644 wrote to memory of 2772	2644	clayylauncher.exe	53
PID 2644 wrote to memory of 2772	2644	clayylauncher.exe	53
PID 2644 wrote to memory of 2772	2644	clayylauncher.exe	53
PID 2772 wrote to memory of 2828	2772	update.exe	55
PID 2772 wrote to memory of 2828	2772	update.exe	55
PID 2772 wrote to memory of 2828	2772	update.exe	55
PID 2828 wrote to memory of 1232	2828	clayylauncher.exe	57
PID 2828 wrote to memory of 1232	2828	clayylauncher.exe	57
PID 2828 wrote to memory of 1232	2828	clayylauncher.exe	57
PID 1232 wrote to memory of 1240	1232	update.exe	59
PID 1232 wrote to memory of 1240	1232	update.exe	59
PID 1232 wrote to memory of 1240	1232	update.exe	59
PID 1240 wrote to memory of 2508	1240	clayylauncher.exe	61
PID 1240 wrote to memory of 2508	1240	clayylauncher.exe	61
PID 1240 wrote to memory of 2508	1240	clayylauncher.exe	61
PID 2508 wrote to memory of 2572	2508	update.exe	63
PID 2508 wrote to memory of 2572	2508	update.exe	63
PID 2508 wrote to memory of 2572	2508	update.exe	63
PID 2572 wrote to memory of 1692	2572	clayylauncher.exe	65
PID 2572 wrote to memory of 1692	2572	clayylauncher.exe	65
PID 2572 wrote to memory of 1692	2572	clayylauncher.exe	65
PID 1692 wrote to memory of 528	1692	update.exe	67
PID 1692 wrote to memory of 528	1692	update.exe	67
PID 1692 wrote to memory of 528	1692	update.exe	67
PID 528 wrote to memory of 3012	528	clayylauncher.exe	69
PID 528 wrote to memory of 3012	528	clayylauncher.exe	69
PID 528 wrote to memory of 3012	528	clayylauncher.exe	69
PID 3012 wrote to memory of 2848	3012	update.exe	71

C:\Users\Admin\AppData\Local\Temp\81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe
"C:\Users\Admin\AppData\Local\Temp\81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\update.exe
  update.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
    clayylauncher.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\update.exe
      update.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\update.exe
        
        update.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe
        
        clayylauncher.exe
        23⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
572ea307898c8c6eaa8dc4985a77e177

SHA1
07f16d7a86f8b799364a5c654253e9a2058667af

SHA256
a0af8a9e91c0c0e591be7382e2e875d6ad52eb6fa86dbba599704a5d5189e298

SHA512
01f77c6cd80e50006476a66170dcf4238b6b8d5173a20c071605411dc49610d88950b52d6d8935e07301dd69a42c84c713fa50f7d6bc75686b452f77a5a6d191

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7b1d5804716a4a65411274d4675441b

SHA1
90bc2042fd5efeeb53f852f3372d3c90fe1ad3a3

SHA256
c260fe93b4569b37b2b274e56502934110ae9117cd84a8a550e8b092035ef440

SHA512
2ddcdbfaa941a3dfd8556701fd54a48ccdf746c1743aee34ec5f81600db2052887ad48fd5e4474934666648a92837fdb5d90d649f4b24c4a4e30a211eab46301

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
bd6bcfe35553e6cc1a52257cea345cdd

SHA1
a8792dba46e08c49e5b35cb9d76558b5fdfda73f

SHA256
e965c134571b8dde9492af52666fc400a5c41102d983a9030908ee7efa374bc1

SHA512
2cc396966d9c969bff4b45754085d481f3b804810602f35b382869bc9020d3671f6067ccb4531b4f2076886bc66df078004e346d897fdd8b1b770417f62ed1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab74E2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8D91.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe

Filesize
315KB

MD5
e4c3a942d7dc81e0eae0abae3ec1ea32

SHA1
8221657ff0fe83a2a091910b08ab05b70580ce59

SHA256
7da78198bba92bae1659630b6568240b7be63651f041f074e2aeff4425d4d857

SHA512
e40f5e006f7a08ecbead125d21b18a097d659faecb973b8b8b8b9b916bacf16fef23f712c2edeb9aa217783a110fd292a3d8ccf5baf88acf0d74c90b677a3848

Download Submit
C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe

Filesize
1.1MB

MD5
86404f65f29bc4e9b1fcb816f254db53

SHA1
d186c05f07fe855895bf664881478e32945f7559

SHA256
c458bab8d681d8107991eb93b2333a238e72c948ecab81eca92bed923fac03da

SHA512
08655465c432b5060785ac22c01fbfc1f524ad357369f7693170c22edfb87f7ec2d09ddae4c5f75432fe3c3cdbfb07ec693cf1652e8271ae759567b29a77d456

Download Submit
C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe

Filesize
12KB

MD5
13d9432c4db1ac02d460740fd80b67a3

SHA1
3658685ced8eb430e73ae269e77978ac0d0ff02e

SHA256
41f9e3add697419f5f4d8bd66b6c5513eee4c3f881d196b468383c8123164e52

SHA512
82a1c0e089e8ce3f17cd395d5773fd31281570d9039a742953172d83ad46acf424c641d3a43790e4a87dc28b3814b8c252d3775187a44736e76ff0b13780025b

Download Submit
C:\Users\Admin\AppData\Local\Temp\clayylauncher.exe

Filesize
60KB

MD5
ac3698ec5fe1408517ccd1fb28e8468a

SHA1
17d5054d4ed75f6f96fedd6ab478b556dafe7c1e

SHA256
a1e27dadd2db743cc5b82777a3fa733a9d851c5fada122aba61a502764e1a51e

SHA512
6de79a67ad04233cf0710af941c94c4a27fd2c42192a2f4b6a39271a811a748efe67af8ae04afdecafa244bfd3a6a4bf2ba93b168e4904b2add907794a6f6ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\version

Filesize
2B

MD5
34173cb38f07f89ddbebc2ac9128303f

SHA1
22d200f8670dbdb3e253a90eee5098477c95c23d

SHA256
624b60c58c9d8bfb6ff1886c2fd605d2adeb6ea4da576068201b6c6958ce93f4

SHA512
1ccbff33e55627a50beca8cf5c89f77c3165dcb3218171308423f250f0bb0be9700bbfdd92d35dfa2e579110266a40194d707b50e7d27b6f09b81fbbf80231a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\manifests\launcher.manifest

Filesize
109B

MD5
146bf1189db2d64cc369d3a9767773ef

SHA1
f7e8b48e4cdaa7aa6e062dc8ce9925ddd5a4e954

SHA256
2458bbb1948fe3d51cc9cbeef699e826e3510d157e6e39f93a72bfee295767c0

SHA512
ea3e937a2d9e71b7e62810abced93c2924292c8492716fa1d272ec87f6dba5114466ee5a10d72e4bc1c0a1a9b006141644d67996149c29c93988f81ba10a242f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
12KB

MD5
e9abe6689c5450b22930bbdecc657dfc

SHA1
1ec6ca00d9189245177fafaa4331f387e66433a4

SHA256
b6cd4b17cc20ccc23a04220b44489e2b5b992d7d1e0e0aa2d4f138a618043e29

SHA512
241789c4acdd025f1c336fe8f79e9dbc73a4698172fdeabbd28023785b2660888a544b1ab72af979e88dc3f27fcc3d909633b6b3c9f099a09d8ca598ad839079

Download Submit
\Users\Admin\AppData\Local\Temp\clayylauncher.exe

Filesize
704KB

MD5
93820226352ea378489480af5e5d6f2a

SHA1
e787e07dd14f44acba60b2248c8a460411e19b13

SHA256
1357300ca40d90f1c2f7019c7950bfdc467d7c5a21a811d3dd004c2b3959b490

SHA512
6467d19a4d348efc86ae61348deac0e999420e06f3724a707c3a97db32aeae20dcdaf4c56afd41ec065510cb4e1bd61046065f0393e3212f1af03db090b6c8f1

Download Submit
\Users\Admin\AppData\Local\Temp\clayylauncher.exe

Filesize
1.3MB

MD5
c58c1846fa7e64b14d7de0690d5f0296

SHA1
f10788dd72d677d68657ab834dddf99d1ab3ab88

SHA256
81bdedb1e5b2c9183559fe921c5e708992eb6939c1529708d112f599ac24476d

SHA512
28609874a0faf86a33146757d78d252e070fab2d231992357528dce306ecd63ba70c6adf7c5aadee2a67e61ac553bba6b0664a5dd6bc1bec4e20dfdbe9e1dcef

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
1.3MB

MD5
2da574ba0c16a05b6e62cea06efb0e84

SHA1
c2f51dddc1e73064e7a77a1e178d67094291cb09

SHA256
1daa9bf491ef2e1420c7eaa4cf707a26d3985748cd94a7fed9598a8ac064eb43

SHA512
f1f2b3d8871f7b8b971f970858318ffc9510b816e78aa1abd92f0a71ce75f6e2fd09691ccc77eb8c3b49b6f128339abd2466f8fdb250f01f64229c71228578d2

Download Submit