6ad90664c6950679e713d4bc80d4622db4583a48964075bd1e78802ae0c421d0

Analysis

max time kernel
197s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unlicense-py3.11-x64.rar
Size

7.4MB
MD5

5253a27c2c6e5feeb0cf233a4dcaeed4
SHA1

215810b90d943a9fa3b05c7652edc22802e523d1
SHA256

6ad90664c6950679e713d4bc80d4622db4583a48964075bd1e78802ae0c421d0
SHA512

a8fb37be21c2939cf2ee21937774261ceaa5788b543a1a75a0750980351be36c4882b88ce39755ab2b8f7d9b64fae2662472a6f9508fd3bcc461abdb654626a4
SSDEEP

196608:12/Rw8P+xttopXs39J5wOrLAGYTUTiUDuN0DkTa84I:12/Rw80L083/OOHAGYTUTLyCot4I

Score

7^/10

themida

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1428	unpacked_Loader.exe
6076	unpacked_Loader.exe
5896	unpacked_Loader.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000700000002321e-17.dat	themida
behavioral1/files/0x000700000002321e-16.dat	themida
behavioral1/memory/1428-18-0x00007FF63C870000-0x00007FF63D4C6000-memory.dmp	themida
behavioral1/files/0x000700000002321e-39.dat	themida
behavioral1/files/0x000700000002321e-134.dat	themida

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\Resources\rust.png	curl.exe
File opened for modification	C:\Windows\Resources\logoo.png	curl.exe
File created	C:\Windows\Resources\online.png	curl.exe
File opened for modification	C:\Windows\Resources\val.png	curl.exe
File opened for modification	C:\Windows\Resources\cod.png	curl.exe
File opened for modification	C:\Windows\Resources\apexleg.png	curl.exe
File opened for modification	C:\Windows\Resources\online.png	curl.exe
File created	C:\Windows\Resources\logoo.png	curl.exe
File created	C:\Windows\Resources\cod.png	curl.exe
File created	C:\Windows\Resources\apexleg.png	curl.exe
File opened for modification	C:\Windows\Resources\fn.png	curl.exe
File opened for modification	C:\Windows\Resources\rust.png	curl.exe
File created	C:\Windows\Resources\discord.png	curl.exe
File created	C:\Windows\Resources\fn.png	curl.exe
File created	C:\Windows\Resources\val.png	curl.exe
File created	C:\Windows\Resources\w11.png	curl.exe
File opened for modification	C:\Windows\Resources\discord.png	curl.exe
File opened for modification	C:\Windows\Resources\w11.png	curl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3196	7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	3196	7zFM.exe
Token: 35	3196	7zFM.exe
Token: SeSecurityPrivilege	3196	7zFM.exe
Token: 33	5692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5692	AUDIODG.EXE
Token: SeDebugPrivilege	3372	firefox.exe
Token: SeDebugPrivilege	3372	firefox.exe
Token: SeDebugPrivilege	3372	firefox.exe
Token: SeDebugPrivilege	3372	firefox.exe
Token: SeDebugPrivilege	3372	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3196	7zFM.exe
3196	7zFM.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3372	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 3196	1216	cmd.exe	92
PID 1216 wrote to memory of 3196	1216	cmd.exe	92
PID 4344 wrote to memory of 4500	4344	cmd.exe	106
PID 4344 wrote to memory of 4500	4344	cmd.exe	106
PID 4500 wrote to memory of 3960	4500	net.exe	107
PID 4500 wrote to memory of 3960	4500	net.exe	107
PID 4344 wrote to memory of 3828	4344	cmd.exe	111
PID 4344 wrote to memory of 3828	4344	cmd.exe	111
PID 4344 wrote to memory of 1980	4344	cmd.exe	112
PID 4344 wrote to memory of 1980	4344	cmd.exe	112
PID 4344 wrote to memory of 1164	4344	cmd.exe	113
PID 4344 wrote to memory of 1164	4344	cmd.exe	113
PID 4344 wrote to memory of 3864	4344	cmd.exe	114
PID 4344 wrote to memory of 3864	4344	cmd.exe	114
PID 4344 wrote to memory of 4824	4344	cmd.exe	115
PID 4344 wrote to memory of 4824	4344	cmd.exe	115
PID 4344 wrote to memory of 4324	4344	cmd.exe	116
PID 4344 wrote to memory of 4324	4344	cmd.exe	116
PID 4344 wrote to memory of 4268	4344	cmd.exe	117
PID 4344 wrote to memory of 4268	4344	cmd.exe	117
PID 4344 wrote to memory of 1924	4344	cmd.exe	119
PID 4344 wrote to memory of 1924	4344	cmd.exe	119
PID 4344 wrote to memory of 3832	4344	cmd.exe	120
PID 4344 wrote to memory of 3832	4344	cmd.exe	120
PID 3632 wrote to memory of 1116	3632	cmd.exe	126
PID 3632 wrote to memory of 1116	3632	cmd.exe	126
PID 1116 wrote to memory of 5040	1116	net.exe	127
PID 1116 wrote to memory of 5040	1116	net.exe	127
PID 3632 wrote to memory of 5220	3632	cmd.exe	129
PID 3632 wrote to memory of 5220	3632	cmd.exe	129
PID 3632 wrote to memory of 5252	3632	cmd.exe	130
PID 3632 wrote to memory of 5252	3632	cmd.exe	130
PID 3632 wrote to memory of 5288	3632	cmd.exe	131
PID 3632 wrote to memory of 5288	3632	cmd.exe	131
PID 3632 wrote to memory of 5348	3632	cmd.exe	132
PID 3632 wrote to memory of 5348	3632	cmd.exe	132
PID 3632 wrote to memory of 5420	3632	cmd.exe	134
PID 3632 wrote to memory of 5420	3632	cmd.exe	134
PID 3632 wrote to memory of 5568	3632	cmd.exe	136
PID 3632 wrote to memory of 5568	3632	cmd.exe	136
PID 3632 wrote to memory of 5768	3632	cmd.exe	139
PID 3632 wrote to memory of 5768	3632	cmd.exe	139
PID 3632 wrote to memory of 5836	3632	cmd.exe	140
PID 3632 wrote to memory of 5836	3632	cmd.exe	140
PID 3632 wrote to memory of 5972	3632	cmd.exe	142
PID 3632 wrote to memory of 5972	3632	cmd.exe	142
PID 5180 wrote to memory of 3372	5180	firefox.exe	145
PID 5180 wrote to memory of 3372	5180	firefox.exe	145
PID 5180 wrote to memory of 3372	5180	firefox.exe	145
PID 5180 wrote to memory of 3372	5180	firefox.exe	145
PID 5180 wrote to memory of 3372	5180	firefox.exe	145
PID 5180 wrote to memory of 3372	5180	firefox.exe	145
PID 5180 wrote to memory of 3372	5180	firefox.exe	145
PID 5180 wrote to memory of 3372	5180	firefox.exe	145
PID 5180 wrote to memory of 3372	5180	firefox.exe	145
PID 5180 wrote to memory of 3372	5180	firefox.exe	145
PID 5180 wrote to memory of 3372	5180	firefox.exe	145
PID 3372 wrote to memory of 5228	3372	firefox.exe	146
PID 3372 wrote to memory of 5228	3372	firefox.exe	146
PID 3372 wrote to memory of 5328	3372	firefox.exe	147
PID 3372 wrote to memory of 5328	3372	firefox.exe	147
PID 3372 wrote to memory of 5328	3372	firefox.exe	147
PID 3372 wrote to memory of 5328	3372	firefox.exe	147
PID 3372 wrote to memory of 5328	3372	firefox.exe	147

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\unlicense-py3.11-x64.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\unlicense-py3.11-x64.rar"
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\unlicense-py3.11-x64\firsttimelaunch.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3960
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/Vil16XQ.png --output C:\Windows\\Resources\\logoo.png
  2⤵
  - Drops file in Windows directory
  PID:3828
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/kB2KQVG.png --output C:\Windows\\Resources\\discord.png
  2⤵
  - Drops file in Windows directory
  PID:1980
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/t1rTg7k.png --output C:\Windows\\Resources\\fn.png
  2⤵
  - Drops file in Windows directory
  PID:1164
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/BPQTBz7.png --output C:\Windows\\Resources\\val.png
  2⤵
  - Drops file in Windows directory
  PID:3864
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/2wkn0qq.png --output C:\Windows\\Resources\\cod.png
  2⤵
  - Drops file in Windows directory
  PID:4824
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/j4GODeK.png --output C:\Windows\\Resources\\rust.png
  2⤵
  - Drops file in Windows directory
  PID:4324
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/X9q7TTf.png --output C:\Windows\\Resources\\w11.png
  2⤵
  - Drops file in Windows directory
  PID:4268
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/Iig1i3j.png --output C:\Windows\\Resources\\apexleg.png
  2⤵
  - Drops file in Windows directory
  PID:1924
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/mQ2RyXW.png --output C:\Windows\\Resources\\online.png
  2⤵
  - Drops file in Windows directory
  PID:3832

C:\Users\Admin\Desktop\unlicense-py3.11-x64\unpacked_Loader.exe
"C:\Users\Admin\Desktop\unlicense-py3.11-x64\unpacked_Loader.exe"
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\unlicense-py3.11-x64\firsttimelaunch.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:5040
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/Vil16XQ.png --output C:\Windows\\Resources\\logoo.png
  2⤵
  - Drops file in Windows directory
  PID:5220
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/kB2KQVG.png --output C:\Windows\\Resources\\discord.png
  2⤵
  - Drops file in Windows directory
  PID:5252
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/t1rTg7k.png --output C:\Windows\\Resources\\fn.png
  2⤵
  - Drops file in Windows directory
  PID:5288
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/BPQTBz7.png --output C:\Windows\\Resources\\val.png
  2⤵
  - Drops file in Windows directory
  PID:5348
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/2wkn0qq.png --output C:\Windows\\Resources\\cod.png
  2⤵
  - Drops file in Windows directory
  PID:5420
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/j4GODeK.png --output C:\Windows\\Resources\\rust.png
  2⤵
  - Drops file in Windows directory
  PID:5568
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/X9q7TTf.png --output C:\Windows\\Resources\\w11.png
  2⤵
  - Drops file in Windows directory
  PID:5768
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/Iig1i3j.png --output C:\Windows\\Resources\\apexleg.png
  2⤵
  - Drops file in Windows directory
  PID:5836
- C:\Windows\system32\curl.exe
  curl --silent https://i.imgur.com/mQ2RyXW.png --output C:\Windows\\Resources\\online.png
  2⤵
  - Drops file in Windows directory
  PID:5972

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x348 0x34c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5692

C:\Users\Admin\Desktop\unlicense-py3.11-x64\unpacked_Loader.exe
"C:\Users\Admin\Desktop\unlicense-py3.11-x64\unpacked_Loader.exe"
1⤵
- Executes dropped EXE
PID:6076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5180
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.0.1107308301\790031639" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa55c5bb-b849-4e6e-bb37-da794f469d72} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 1996 1d7355f0458 gpu
    3⤵
    PID:5228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.1.173412278\71883190" -parentBuildID 20221007134813 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86778710-6f5c-42fb-ba53-96f12ecf5465} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 2412 1d7354e4858 socket
    3⤵
    PID:5328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.2.190771251\2068461792" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 1788 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10a5b7bf-341e-4cbe-894b-f40c47a481c6} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 3004 1d73959ed58 tab
    3⤵
    PID:5444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.3.444996914\1316823709" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22227ee8-e891-4f95-8e51-991c9c9be60c} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 3592 1d737e77858 tab
    3⤵
    PID:5728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.4.169241163\833670561" -childID 3 -isForBrowser -prefsHandle 2820 -prefMapHandle 4192 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0f04950-0a8f-4fe7-bd6f-06b0125995dd} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 4352 1d73adacf58 tab
    3⤵
    PID:5876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.5.802876424\585090900" -childID 4 -isForBrowser -prefsHandle 5136 -prefMapHandle 5140 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6313436e-777f-4b08-92d9-6968869a2316} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 5160 1d73bf83258 tab
    3⤵
    PID:2164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.6.1509543791\930369963" -childID 5 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eed84740-cf71-4f17-8c57-6f649f72bac6} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 5288 1d73bfdb358 tab
    3⤵
    PID:5916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.7.1481644745\858657290" -childID 6 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c93d0163-b66a-401f-a167-086d0f345581} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 5488 1d73bfdc258 tab
    3⤵
    PID:5888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.8.1424379811\433480837" -childID 7 -isForBrowser -prefsHandle 4516 -prefMapHandle 5708 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e981923-a1ec-4258-b58e-6c37e6a0e93d} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 5764 1d7399bb558 tab
    3⤵
    PID:2172

C:\Users\Admin\Desktop\unlicense-py3.11-x64\unpacked_Loader.exe
"C:\Users\Admin\Desktop\unlicense-py3.11-x64\unpacked_Loader.exe"
1⤵
- Executes dropped EXE
PID:5896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tooqwtv0.default-release\cache2\entries\75618D4814E59EE271AAA434B222669E870291B3

Filesize
59KB

MD5
3fd2780c7bb3369c63400e61f09228b0

SHA1
88a2163147567e62ec2ce2497fc10c314e08f804

SHA256
538e0d376736d889d50af53f73af916767fd9fec6b2a1a8e9b524b9099b858b8

SHA512
9f8fc4cab761eac36697e731b68ab12ca829b188cf6bb166a1f915159e0ae3ffca782c64d96114154b27e3a27852936b9cdc8457ff51421a82acad34b8a25292

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
c76ab64c18c77cfe0a4b5debb6719942

SHA1
8c859648d357807df48a041d59888db4ee81cd29

SHA256
982d477b06ed6ce031ab1edcb3eec3abfafd57ba4918cca881993fa5feda3ae6

SHA512
42c04651fffc23d010bed0bae41fc26b207e92ee46e77b8a081e7f51248162763de71d797169e97408d458880a586c4929198ae04be685faa63c28c327c4761e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\pending_pings\293d70ec-e897-44e2-87b7-7ad2b04ff95c

Filesize
12KB

MD5
2fc3307122920d54f14d269e47cbe0c8

SHA1
e34e5ae851b088fa5b7587f76a7626dc60a92afa

SHA256
c8ae76d87db33a17df60418ebf9cc09387c5ca215c124c1839af57be81a91b56

SHA512
c51c37d24d9ae2f3d562aed501c618986b69df312114b18966d2240b96e2981a8722fe4a3849475dece831b1a497751aa8b32aa424cdb5217533d0731806de36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\pending_pings\4cec0a21-cb74-444c-a6fb-a0f431d65591

Filesize
746B

MD5
43f2d4a3e8e99e2611f57fc381ee98c6

SHA1
44c4bc3758b24970204254b080efc37ee4ca61b8

SHA256
25b7cf85a21d30f3b998f426fee43ac9a64c8ff6eaaa3f9de888650b5270d291

SHA512
0dd1ec2cc2393ee671d199acb98a80c8ead9dfb0271b1cd24b7f0f157e3347edf8e0de2b56f5d0640cbd68665f1ec45a4251d0df223d4395090fd98cef37dfaa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs-1.js

Filesize
6KB

MD5
6ffa3f28191a7e24a4c4548816604464

SHA1
8f5c75b9e2ef494886e64d927a6cf04aa2ed6572

SHA256
ca72ff760429eb074e2eb113a3bc38d92a04c2e191e0f5b44f4ff04d870825a4

SHA512
5534a07254b624209584ce3f2206ba9b7c15d7de2589f45be29f11b08d2901f6f9a624ff6c819709b4941d79f82517f8e217a2018d9928ed4cda1a7b8ecb420f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs-1.js

Filesize
6KB

MD5
9ff2f58ace98884d146b2a0d5a719e45

SHA1
6f3bf2e69460ed494c93fa5beb98d729c5857f7c

SHA256
fb05f539dbe81da5c2e0f55e4f8e546d09becd73dc93d764fbfc4fc3eaba3641

SHA512
a25a48f673bfc56ecff14cb0ae71371b8d1b3e2695e7c418b7ae8cfc5343b09dae5d0368a51a13f605fcbe2ed18451cb4ca5865fd9fd174e46b212828c84c153

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs.js

Filesize
6KB

MD5
9f6e89ed28e02da01b564effef74dbcd

SHA1
bda95f355acd3d9aef4df44f2297a39c6bfe2e23

SHA256
de2baebb5b81ffcb0df131656e4e1543bd98ceee33661255cb7561078e9c0b8b

SHA512
3eeb2ae231bd980eead766a753f9dcac0fa03877002b92f4523fa506128521d907f49f2fcce90da1b1cff9cce320a5fae2cda3687a57ccf72f1c73bb459f763d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\prefs.js

Filesize
6KB

MD5
3b886cc6d46cec70bfc0f88803c6c6e0

SHA1
8fc50a0fd4fa1ebad7821d79ed22fbf16daeee6f

SHA256
0253ce1ba72408b6bc9b327d5bb5d0201d18ca35ea7e68a515f26fd22e7b8b24

SHA512
833e32cdd9b8bdeb8fb49055f1c1914b1f1fb3fc6c5e85140814967d2a621e26c21a9df15034d6462f3889eef1d85c3f51d4b09b4c9ec4339527feffb6f7eb93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
2c72f7a95a99baea65eb4716d49d68f0

SHA1
5a6a77034a5fa5bb14b9d485d80067d28097779b

SHA256
761bf3719a94c2b811dc647f43096331999ee7ea303e7a924c4e0f491f353c1c

SHA512
014d5342eb6a8abc5383d73bc7d4e169118195939096cbffc2fcedcf94e74be42056c2abeaed9c9e10a13e37719903d706006f690b9df8b33d9f42a5bddc7de9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
292f9030ac3211391ab34002b8c2e4f4

SHA1
53696488b85faab682d3abf0f5c79ac2979de195

SHA256
9ce0f6dc7f9f0e5aa4f629d6df276bd45b92df08953632b4d73db09b18043f69

SHA512
606363ebff86fae8131550cec4d911f7accb888a4f394cb973f04faa48f83adb6378b50d9ea5103f08bf8ff0b76a6f80ee20706f09f81fa5729b0caf75c31a73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
35f6c6dd94f8eaf74698b705d038b435

SHA1
6b35ce7760a43da9437c788c1342b40907b1e018

SHA256
ef3a125525b4470a4b4a6a37e04414e3230d3567d83dbb6f9eb8bcc311b48064

SHA512
f977fa05897b0cf7487bad7d0f02e88d4a25d554a852689fbcbd2987ef27cce3b91c4ce1c71b534ce10c4a91b1cc3f9867d4469720b0d93d149dea3440f56c73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
702e5853d790419a730892e5edb75136

SHA1
e07005278dc238a528d963b28742e6dff9775824

SHA256
2c79d53b684edcb267e6ccbafde0c49654a0fa10d40f1bf2a8b11c72bffd71e2

SHA512
225ff2d17f4cf7b1ad93c3bc13c0c1113281b3894839a2789243046c74f6de6fc8ffee671bf63b45726f2b487f0e3606aaa424a9cee3915cabd5c171964b1e1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
cf82cdd0cb85037c80c73f60cee685cb

SHA1
f675346119e99771bd19453dab2b0e3b0d8e0620

SHA256
b656108e0afc1689366fe48a3641bd454194c1a3054c5bcb6da063c12cd0bf04

SHA512
dbfe38777de9bfaa144e26ea41870879a2ddb6429e3c1eebb0df44b7817c94e8e0913b3435b5efa9438724843cee136abed8445f0af051e973ff2205f0a02a30

Download Submit
C:\Users\Admin\Desktop\unlicense-py3.11-x64\firsttimelaunch.bat

Filesize
1KB

MD5
b32c9e47f633dd9c858568df6f2a8fd6

SHA1
a0295fed9898f99c5979e7f676a63eaa188f7037

SHA256
affcd7ec4ac07746bfffff25d9b47dad26bf72bd8f8e41f412ad65df81e39373

SHA512
08be1dc4a2e23de46814b237d44f6f3b4ec7e5ada1acde0fb3d1ce9703c15b5de3fda12f7c90f77c1cb25f83870cdfe3d47bd430bf857c9c52c306530adcbe6f

Download Submit
C:\Users\Admin\Desktop\unlicense-py3.11-x64\unpacked_Loader.exe

Filesize
12.1MB

MD5
6968d99b706c3f2d18a4d7f17b322fe4

SHA1
ac34554b8419d63a63ff188af47fecb86553a263

SHA256
36184061726179aacaed31ecbaf4bcf51750d58d5b9e94d11e1bebc672bb3979

SHA512
10f84b754526e1e9d30dd34d90f5bce2d93c4f5c9ace2bae629ad19a92ce9bef3072fe2763c5a88f1b7cfb9a8c1e3419a22ba95022e226f84d51492d4df6d82c

Download Submit
C:\Users\Admin\Desktop\unlicense-py3.11-x64\unpacked_Loader.exe

Filesize
8.6MB

MD5
685e54cb0b46f8c7aa03c953fcabde00

SHA1
ff305fddf2db7a4d55198995a5f6ce8ec28d3771

SHA256
f035510a9ea3f001bf166c41eec99abda88576dec0bfc0f401c98fc5d5eb74f4

SHA512
ffe25da416e51340401815aa04ccd1f6ec5826d8f5d449462b4ce850e867aa675509831e4ae3289f8f205f69096e1603b199520a9b21ba95ca42e5acf9eada11

Download Submit
C:\Users\Admin\Desktop\unlicense-py3.11-x64\unpacked_Loader.exe

Filesize
6.0MB

MD5
ae691165bb8847f78fc81778c1ad42bb

SHA1
4dc5f5322dd57de18acc82e51787f4fe120232ed

SHA256
fea0ccb0a7383c8701a6cdbe66dcef52d3b9539eb53e0f2b803a3f1281fdc9ea

SHA512
2e5711114ed22b1ed2c55cae891ee6aebf8a97d11b53b6836c7a44feba3fd33e5a263995e8dfd98f0b6815ca77f36bd1178f4b460de25f518dd2691bb1bb0233

Download Submit
C:\Users\Admin\Desktop\unlicense-py3.11-x64\unpacked_Loader.exe

Filesize
11.7MB

MD5
66018f7ab23c7b292e93ae91f75b12c2

SHA1
eaba51cecf0e44cb8708ce952aaeecd3210e2961

SHA256
064d2629cca0e22943d004921803f81e39234b131bef774696f03f1b28153a3a

SHA512
6f9673c0efa0e29c216bea1c198775d7b2e568b864b0e29e0f4502ec27ad1cb5edbde4a37edd3ca6712fe3b6071ee95bade2c22cc42ef9e11622050f18731440

Download Submit
C:\Windows\Resources\apexleg.png

Filesize
16KB

MD5
c5cbf4d0bcc3bdf0e829bcece685f497

SHA1
bc308b0a73a1ae1925ab00161cbead78cba6c7be

SHA256
e147f93708a3bedb620d7f3ce7acf1dbc5dd15f8f0bb10acfc0330d364abc5ad

SHA512
17bc93816c1a58a2bfadd26012320ae4278e6ceccddb77a256300d31d40aed005cc3092b2e04b0f87fecfbf7c05761b693f7a7fd5e961e4138f9b66d63369149

Download Submit
C:\Windows\Resources\cod.png

Filesize
16KB

MD5
897f826cffd987e61ce1a867093762d4

SHA1
27490d3da7c7105018976d2619c843a747413e07

SHA256
2151e6b6e30a9906de2e43a79e1657d26584ff201d2817d186b428181895ed46

SHA512
4ca330286ac017f2d24bc481c802beeb1c0255b36765222c29119b7c208fc997011ac77e8534e2d026a536156fb5e84267254a7c2070299e009938d80e646415

Download Submit
C:\Windows\Resources\discord.png

Filesize
637B

MD5
11bc666743f0b73dd5a7c27f4c2de2bc

SHA1
5e02ce7d457d056234036b267bbe17082dac1456

SHA256
ad879b1136718ac516ee34f241f412573d7ef57db7c2f1e95b1b33a353df064b

SHA512
6d2f1917b4b4ec64eb2d21be4a7af9f150fe65a88258d5e33d875473ae8c7a3f1b40896aad47865f1f025ede2d6297de7a9e11fec4a8ec0d487d0eb9712ad505

Download Submit
C:\Windows\Resources\fn.png

Filesize
5KB

MD5
03414aca0e206aae9292b37b2fd42a52

SHA1
8641ebdc5e6651eb4ed0c2d2eb6f4fe3f041977a

SHA256
1721f7d8d03ed219e261cd70cb587c6b31264c885bd7d273be44e7150fadc4d4

SHA512
254e83c643c288f707f7199d2fba1cf0a005687b5492a8b6e0c41b376ed620e6f88978a93922f4a61490e84ae3f23008e3202e2684c53b0e0f3c696825ed3473

Download Submit
C:\Windows\Resources\logoo.png

Filesize
8KB

MD5
fbd98e82dcf37310704164e96c8e4b44

SHA1
9ecfa4ec27edf2883889574a3822939b4e5123af

SHA256
88c8eb1550d30389ee8527cb46e434926e117f075f5f606fb402ca9142df5fcc

SHA512
e58c8ea68c84a8710d833cb37b853cb052a3d2099b2e5e10e4b785130aa15bd33faca3e4a35b8975d15a871c9a13b3a1a372c0a88713557702ac43482de40a85

Download Submit
C:\Windows\Resources\online.png

Filesize
32KB

MD5
100042ed354e4373736e736dc8badf65

SHA1
2f9c021fe3d0b3411218cb6881b76ff827533153

SHA256
b3ec8567f525cd6ea1f323216391d9fbc47033b66507dbb82aacff17f1103ab2

SHA512
6ce000af0f0031ed0b24954ddc43ad86631180e0d8408b7a52f29c0c39fd836062fb2b1e019b8ede86787b88db7ad813464e309d25ef04f957be09a3b0c9f6cf

Download Submit
C:\Windows\Resources\rust.png

Filesize
1KB

MD5
703a6c18468ca1d1f4072dbeb42be90b

SHA1
5aa27c01ccfdc07f9d530afbedbc553b8558c893

SHA256
f1037fe3b4c93d47e145624c6f995d4e29d9226137be13cfe0d8d5ae3dce9df8

SHA512
208d278845adba612ce6a264864a9c770e279768337fa2a5ae1020d88445af1df5559196086ee357f6f5a4714616d6fe572c40d9f4eee75ca91c4f36da989b54

Download Submit
C:\Windows\Resources\val.png

Filesize
4KB

MD5
ad19a10db017aac159ed0703f82e86ad

SHA1
cbe400266817f702321cc20617023bfa13f67055

SHA256
282ded0485eb3bde5db2fa17c88b982219b6342de0ad34e5118e6c98ea24597c

SHA512
c2918db86827a2b49d04f1bfe94bb576bffb1c6fec6576033f515f2f3ec04bb518000eb8316f847af3cc817b1cc72adc4fd5595bc13ab7c54a840a133ab56632

Download Submit
C:\Windows\Resources\w11.png

Filesize
4KB

MD5
c6e741d0ae586d2e8321566cb006aad3

SHA1
1af9b3f2ab0201d619a3c168f1cd654c08d71b5c

SHA256
8fc8be063deaef3a655b0e82e144d917e46d4d2633f5df6cc3652f8754f51ed6

SHA512
f4bc8f910c62dda03f10278d180ab81590515f5bab5e8680134ddefa9cf978ff65d72ac437e0e83be6dc4acc9e7102b37b2ce1d4f0e062f7ab134cf5ead0162e

Download Submit
memory/1428-18-0x00007FF63C870000-0x00007FF63D4C6000-memory.dmp

Filesize
12.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads