Resubmissions
25-05-2024 06:40  240525-he96gahf3t  (score 10)

Analysis
Max time kernel: 149s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-05-2024 06:40
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1 (resource win10v2004-20240426-en)
Sample (URL): https://cdn.discordapp.com/attachments/1177635929616293979/1243043455706337391/Cloud_Engine_v10.3_rar_pass_1.rar?ex=6652acee&is=66515b6e&hm=a3d36fcd53f0720b9bf35532bf9962e1ef5c3cec6cb79ab07e3d8ecd0e48367f&
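The submitted sample is a signed Discord CDN attachment URL. Its query string carries ex (expiry) and is (issued) as hexadecimal Unix timestamps and hm as the signature Discord attaches to attachment links, and the two numeric path segments are Discord snowflakes whose upper 42 bits encode creation time in milliseconds since 2015-01-01. The Python below is an added example, not part of the Triage report or of the sample: it decodes those fields for the URL above so an analyst can tell when the attachment was posted, how long the link was valid, and whether it was still live at submission. Treating the report's 06:40 submission time as UTC is an assumption.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the Discord snowflake epoch

# The URL the report was submitted with (copied from the Sample field above).
SUBMITTED_URL = (
    "https://cdn.discordapp.com/attachments/1177635929616293979/1243043455706337391/"
    "Cloud_Engine_v10.3_rar_pass_1.rar"
    "?ex=6652acee&is=66515b6e&hm=a3d36fcd53f0720b9bf35532bf9962e1ef5c3cec6cb79ab07e3d8ecd0e48367f&"
)


def snowflake_to_datetime(snowflake):
    """Recover creation time from a Discord snowflake: bits 63..22 are ms since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_discord_cdn_url(url):
    """Split a cdn.discordapp.com attachment URL into its identifying and validity fields."""
    parts = urlsplit(url)
    segs = parts.path.strip("/").split("/")
    if parts.netloc != "cdn.discordapp.com" or len(segs) != 4 or segs[0] != "attachments":
        raise ValueError("not a Discord CDN attachment URL")
    query = parse_qs(parts.query)  # the trailing '&' in the sample URL is ignored
    channel_id, attachment_id, filename = int(segs[1]), int(segs[2]), segs[3]
    return {
        "channel_id": channel_id,
        "attachment_id": attachment_id,
        "filename": filename,
        "attachment_created": snowflake_to_datetime(attachment_id),
        # 'is' and 'ex' are hex Unix timestamps (seconds) bounding the signature's validity.
        "issued": datetime.fromtimestamp(int(query["is"][0], 16), tz=timezone.utc),
        "expires": datetime.fromtimestamp(int(query["ex"][0], 16), tz=timezone.utc),
        "signature": query["hm"][0],
    }


def is_live_at(info, when_utc_iso):
    """True if the signed link was inside its validity window at the given UTC time (ISO 8601)."""
    when = datetime.fromisoformat(when_utc_iso).replace(tzinfo=timezone.utc)
    return info["issued"] <= when < info["expires"]


if __name__ == "__main__":
    info = parse_discord_cdn_url(SUBMITTED_URL)
    for field in ("channel_id", "attachment_id", "filename", "attachment_created", "issued", "expires"):
        print(f"{field:20} {info[field]}")
    # Assumption: the report's '25-05-2024 06:40' submission time is UTC.
    print("live at submission:", is_live_at(info, "2024-05-25T06:40"))
```

For this URL the attachment was created on 2024-05-23 and the signature was valid for exactly 24 hours from 2024-05-25 03:30:54 UTC, so the link worked at submission but is dead now; anyone re-running the analysis needs the archive from the Downloads section, not the URL.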
Signatures

Of the processes in this run, only the two Cloud Engine v10.3.exe instances (PIDs 5056 and 3492) are the sample. chrome.exe fetched the submitted URL, 7zG.exe extracted the archive into C:\Users\Admin\Downloads\, and OpenWith.exe, rundll32.exe and elevation_service.exe are Windows and Chrome components that ran along the way; signatures attributed to those processes are background activity of the download-and-extract chain unless noted otherwise.
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.

AgentTesla payload (1 IoC)
  Resource                                                               YARA rule
  behavioral1/memory/5056-65-0x000001AA56380000-0x000001AA56594000-memory.dmp  family_agenttesla
  The matching memory dump belongs to PID 5056, the first Cloud Engine v10.3.exe instance, so the family match is on the unpacked payload in memory rather than on the file on disk.
Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
  Description   IoC                                                              Process
  Key opened    \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions     Cloud Engine v10.3.exe
  Key opened    \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions     Cloud Engine v10.3.exe

Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
  Description   IoC                                                              Process
  Key opened    \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools             Cloud Engine v10.3.exe
  Key opened    \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools             Cloud Engine v10.3.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Description         IoC                                                               Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Cloud Engine v10.3.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Cloud Engine v10.3.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Cloud Engine v10.3.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Cloud Engine v10.3.exe

Executes dropped EXE (2 IoCs)
  PID    Process
  5056   Cloud Engine v10.3.exe
  3492   Cloud Engine v10.3.exe

Loads dropped DLL (2 IoCs)
  PID    Process
  5056   Cloud Engine v10.3.exe
  3492   Cloud Engine v10.3.exe

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Description         IoC                                                                Process
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum          Cloud Engine v10.3.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0        Cloud Engine v10.3.exe
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum          Cloud Engine v10.3.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0        Cloud Engine v10.3.exe

Enumerates system info in registry (2 TTPs, 9 IoCs)
  Description         IoC                                                                      Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion         Cloud Engine v10.3.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       Cloud Engine v10.3.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    Cloud Engine v10.3.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       chrome.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     chrome.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    chrome.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       Cloud Engine v10.3.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    Cloud Engine v10.3.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion         Cloud Engine v10.3.exe
  Note that chrome.exe reads the same SMBIOS keys during normal operation, so a BIOS manufacturer/product read on its own is weak evidence of sandbox detection. What makes the sample's behaviour convincing is the combination: vendor-specific keys (VirtualBox Guest Additions, VMware Tools) plus BIOS version strings plus the disk enumeration, all from the same process, before it does anything else.
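The evasion signatures above, together with the SMBIOS rows that chrome.exe also triggered, make a useful detection exercise: which registry reads are evidence of virtual-machine detection, and which are noise that legitimate software produces too. The Python below is an added example, not part of the Triage report or of the sample. It classifies registry-access events of the shape shown in the tables (action, key path, process image), using events constructed from those tables, and flags a process only when it touches a VM-vendor key or probes at least two distinct hardware fingerprints. The category names and that threshold are this example's own choices.

```python
from collections import defaultdict

# Registry paths that only make sense as virtualisation checks: a process that
# opens these is asking "am I inside VirtualBox / VMware?".
VM_VENDOR_KEYS = {
    r"\registry\machine\software\oracle\virtualbox guest additions": "VirtualBox Guest Additions",
    r"\registry\machine\software\vmware, inc.\vmware tools": "VMware Tools",
}

# Hardware description keys whose vendor strings betray a hypervisor, but which
# ordinary software (this report's chrome.exe included) also reads.
HARDWARE_KEYS = {
    r"\registry\machine\hardware\description\system\systembiosversion": "BIOS version string",
    r"\registry\machine\hardware\description\system\videobiosversion": "video BIOS version string",
    r"\registry\machine\hardware\description\system\bios": "SMBIOS manufacturer/product/version",
    r"\registry\machine\system\controlset001\services\disk\enum": "disk enumeration (drive model strings)",
}


def classify_key(key):
    """Map a registry path to ('vm_vendor' | 'hardware_fingerprint', label), or None if benign."""
    k = key.lower().rstrip("\\")
    for prefix, label in VM_VENDOR_KEYS.items():
        if k.startswith(prefix):
            return "vm_vendor", label
    for prefix, label in HARDWARE_KEYS.items():
        if k.startswith(prefix):
            return "hardware_fingerprint", label
    return None


def summarize(events):
    """events: iterable of (action, key_path, process_image) tuples.
    Returns {process: {category: set(labels)}} built from the indicator-bearing events only."""
    per_process = defaultdict(lambda: defaultdict(set))
    for _action, key, process in events:
        hit = classify_key(key)
        if hit is not None:
            category, label = hit
            per_process[process][category].add(label)
    return per_process


def verdict(per_process):
    """Flag a process as sandbox-evasive if it touched a VM vendor key, or probed two or
    more distinct hardware fingerprints. One SMBIOS read alone is deliberately not enough:
    chrome.exe reads HARDWARE\\DESCRIPTION\\System\\BIOS in this very report."""
    flagged = {}
    for process, cats in per_process.items():
        vendor = cats.get("vm_vendor", set())
        hardware = cats.get("hardware_fingerprint", set())
        if vendor or len(hardware) >= 2:
            flagged[process] = sorted(vendor) + sorted(hardware)
    return flagged


# Constructed sample: one representative of each row type from the signature tables
# above, plus a benign chrome.exe registry write that must not be flagged.
SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions", "Cloud Engine v10.3.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools", "Cloud Engine v10.3.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "Cloud Engine v10.3.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "Cloud Engine v10.3.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0", "Cloud Engine v10.3.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", "Cloud Engine v10.3.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS", "chrome.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName", "chrome.exe"),
    ("Key created", r"\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry", "chrome.exe"),
]

if __name__ == "__main__":
    for process, labels in verdict(summarize(SAMPLE_EVENTS)).items():
        print(f"{process}: {', '.join(labels)}")
```

The events are passed as tuples rather than parsed from the flattened table text on purpose: in "Key opened \REGISTRY\...\VirtualBox Guest Additions Cloud Engine v10.3.exe" there is no reliable boundary between a key path containing spaces and an image name containing spaces, so use the sandbox's structured export (or your EDR's registry telemetry) as input.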
Modifies data under HKEY_USERS (2 IoCs)
  Description       IoC                                                                                                Process
  Key created       \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                              chrome.exe
  Set value (int)   \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610928245562213"   chrome.exe

Modifies registry class (2 IoCs)
  Description   IoC                                                                              Process
  Key created   \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings   chrome.exe
  Key created   \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings   OpenWith.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID    Process      Events
  4080   chrome.exe   2
  232    chrome.exe   2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  PID    Process      Events
  4080   chrome.exe   3

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token                                           PID    Process                  Events
  SeShutdownPrivilege                             4080   chrome.exe               30
  SeCreatePagefilePrivilege                       4080   chrome.exe               29
  SeRestorePrivilege                              2176   7zG.exe                  1
  35 (LUID of SeCreateSymbolicLinkPrivilege)      2176   7zG.exe                  1
  SeSecurityPrivilege                             2176   7zG.exe                  2
  SeDebugPrivilege                                5056   Cloud Engine v10.3.exe   1
  The browser and 7-Zip rows are routine. The one row that matters is the sample (PID 5056) enabling SeDebugPrivilege, which allows opening handles to processes it does not own and is the usual precursor to injection or credential access. This run shows no memory writes by the sample itself (see WriteProcessMemory below), so the privilege was acquired but not observably used within the 149 s window.

Suspicious use of FindShellTrayWindow (35 IoCs)
  PID    Process      Events
  4080   chrome.exe   34
  2176   7zG.exe      1

Suspicious use of SendNotifyMessage (24 IoCs)
  PID    Process      Events
  4080   chrome.exe   24

Suspicious use of SetWindowsHookEx (1 IoC)
  PID    Process
  4624   OpenWith.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Every one of the 64 rows has the same writer, chrome.exe (PID 4080), and one of four targets, all of them its own child processes: PID 2468 (crashpad handler), PID 3024 (GPU process), PID 372 (network service utility) and PID 5092 (storage service utility). This is the browser's normal process bootstrap and is not attributable to the sample.
Processes (top-level processes at the margin, children indented; signatures listed under the process that triggered them)

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4080)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1177635929616293979/1243043455706337391/Cloud_Engine_v10.3_rar_pass_1.rar?ex=6652acee&is=66515b6e&hm=a3d36fcd53f0720b9bf35532bf9962e1ef5c3cec6cb79ab07e3d8ecd0e48367f&
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    chrome.exe  (PID 2468, crashpad handler)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa443cab58,0x7ffa443cab68,0x7ffa443cab78

    chrome.exe  (PID 3024, GPU process)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1924,i,6207544159770323064,15695993819953945185,131072 /prefetch:2

    chrome.exe  (PID 372, network service)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1924,i,6207544159770323064,15695993819953945185,131072 /prefetch:8

    chrome.exe  (PID 5092, storage service)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1924,i,6207544159770323064,15695993819953945185,131072 /prefetch:8

    chrome.exe  (PID 4976, renderer)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1924,i,6207544159770323064,15695993819953945185,131072 /prefetch:1

    chrome.exe  (PID 2140, renderer)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1924,i,6207544159770323064,15695993819953945185,131072 /prefetch:1

    chrome.exe  (PID 3640, utility: ProcessorMetrics)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1924,i,6207544159770323064,15695993819953945185,131072 /prefetch:8

    chrome.exe  (PID 1056, utility: Quarantine, applies the mark-of-the-web to the downloaded archive)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1924,i,6207544159770323064,15695993819953945185,131072 /prefetch:8

    chrome.exe  (PID 4400, utility: UtilWin)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1924,i,6207544159770323064,15695993819953945185,131072 /prefetch:8

    chrome.exe  (PID 3504, renderer)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4148 --field-trial-handle=1924,i,6207544159770323064,15695993819953945185,131072 /prefetch:1

    chrome.exe  (PID 232, second GPU process, GPU sandbox disabled)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4416 --field-trial-handle=1924,i,6207544159770323064,15695993819953945185,131072 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe  (PID 4960)
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Windows\system32\OpenWith.exe  (PID 4624)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe  (PID 3200)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe  (PID 2176, extracts the downloaded archive into Downloads)
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2070:120:7zEvent29829
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Downloads\Cloud Engine v10.3.exe  (PID 5056, the sample, first run; no parent recorded)
  "C:\Users\Admin\Downloads\Cloud Engine v10.3.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\Cloud Engine v10.3.exe  (PID 3492, the sample, second run; no parent recorded)
  "C:\Users\Admin\Downloads\Cloud Engine v10.3.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Enumerates system info in registry
TTP mapping: MITRE ATT&CK Enterprise v15
Downloads (files written during the run; hashes as reported)

1KB
  MD5     57db1559dd5a80dd30068c88081e39da
  SHA1    1dcf8a432ea4cf1f96a753c19bb7a33a3d10cf6d
  SHA256  8e387589a60aab6c5f9a3c53f35338a03a5a0c86c2a88a9f32a760efa50f7ccf
  SHA512  fff29a530f1ae063fcda92f52ac550467a439da5d97024cb2c9109583d7126f971a6b0cbd14f6db9b3a06c6c0a5c31789ffb2e3dabeedbbfbc959930e147bd12

2B
  MD5     d751713988987e9331980363e24189ce
  SHA1    97d170e1550eee4afc0af065b78cda302a97674c
  SHA256  4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512  b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

7KB
  MD5     9f180f43def0ad055f3fbfa6eabdb6da
  SHA1    d7587e0d1591fd22bd7788584f519a617df860d0
  SHA256  6b9582101d88005e8ec4e2d56d2f33c7572328d8910271aa9a1fdda38a7af95c
  SHA512  7d7c433799cc60b5d2495b637d5808539b8d711541b0879f2c220e5234438e0e854c1a8315550f94802ce9d5802e23f78e9151d540eb8f1b5a96d55fd98a180d

130KB
  MD5     61866769db5ff1044174b11dacd27518
  SHA1    766ced48c634b25bd460438a793a4c156a16a45f
  SHA256  4a971e2fb2095c31399e96c6d9b6ee8f88d1322bc5bae305b5b6dd1f7ebae19a
  SHA512  63910bc85798bce795ddb374288676d0a8d4277abdf390e8294d4a6f231a956dff0aad6ba758472b85c255140fd665e706a09df517ff27417128386f232cc80b

1KB
  MD5     0ddb03882318d6a420eb469a78cd1359
  SHA1    fb177227f2929e88a36b5289f21d298e30acf00b
  SHA256  4b6ce414322fa2da0ace9e815ee5c663d30bb9af952bbb7315c32848c36b5bcf
  SHA512  dfca8cfeeb66ab9c15fe758ed9278ce1fb0abde1910c0890bba78e9093cc093349537def75cae71f113cdddf00d70cf33f7e6769b8dd95aaaf43820a9f70c2ab

39KB
  MD5     d80d1b6d9a6d5986fa47f6f8487030e1
  SHA1    8f5773bf9eca43b079c1766b2e9f44cc90bd9215
  SHA256  446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3
  SHA512  9fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc

6.2MB
  MD5     9c71d81cc9e18baf08830cc0646d9885
  SHA1    0072d8a154bda7eb92c18674d884fe7734fb1caa
  SHA256  7d181705fecbbf365f9985a2f08b2286ec8879f122bbebfc90b7179967299f1f
  SHA512  a063200d010ea5c7c0f099fb3a506a5b4b09b69a3a20fc03519054e49a0fc6d7a1ddd8049dc26657e8664106a584ea5089b6e92bdb5a3ce3d554e284f878281c

5.9MB
  MD5     5a21a199ecc397ea44c45ce7d184dfbb
  SHA1    5bba99a92e6399413341a24fe7b11030f2c13bfb
  SHA256  9c25d920d3c02158a41570d702f0c52fc8cab62385c1e36aa2c4822052d421a6
  SHA512  ca69f3f290c37c20ac96118d311975737eb693d36235e116b91b26a52673cb5a2f1cf7043659811e0fcb2d1e332ab1c679030406ae50bc29326316d2ce178e69