Analysis
- max time kernel: 76s
- max time network: 78s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-08-2024 21:09
Behavioral task behavioral1: Sample TOOLS.exe, Resource win7-20240704-en
Behavioral task behavioral2: Sample TOOLS.exe, Resource win10v2004-20240730-en (the run shown in this report)
General
- Target: TOOLS.exe
- Size: 15.7MB
- MD5: 09977e752efb440d5254d763821229ee
- SHA1: 6893f9b9ad20cb7604a1f2edceb411123dc47fc6
- SHA256: 4da7c57da36f317504fc1fa73b252d4d4ec8b67cafcf9fde0ef997d2c2e65664
- SHA512: 291bf5bd25ae952b16a313c8614e5d9d8e4695b522ce8458f84b3b9673931d40d5650b986d54d6c2e6470b21890667186917bd84336519398ada207887548e4e
- SSDEEP: 196608:0gYIgMmSQJ0sKYu/PaQZXGnDzwmJb3tQk5tIDOAWJlpZstQoS9Hf1DklKXqb536c:ih9SWQZXG37v5tI9gGt7G/I5Kfl3mh
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, a web browser credential store.
pid   Process
3516  powershell.exe
2272  powershell.exe
2556  powershell.exe
2132  powershell.exe
-
Clipboard Data (1 TTPs, 2 IoCs)
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid   Process
4020  powershell.exe
4884  cmd.exe
-
Drops startup file (2 IoCs)
description                   ioc                                                                                    Process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOOLS.exe  TOOLS.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOOLS.exe  TOOLS.exe
-
Loads dropped DLL (49 IoCs)
pid   Process
1132  TOOLS.exe  (49 load events, one per dropped DLL; the files are listed under Downloads)
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
YARA rule matches (resource, yara_rule); every entry below matched the rule "upx"
Dropped files:
behavioral2/files/0x00070000000234d1-98.dat
behavioral2/files/0x00070000000234ab-104.dat
behavioral2/files/0x00070000000234cb-110.dat
behavioral2/files/0x00070000000234a9-113.dat
behavioral2/files/0x00070000000234ae-116.dat
behavioral2/files/0x00070000000234ca-117.dat
behavioral2/files/0x00070000000234cc-118.dat
behavioral2/files/0x00070000000234df-121.dat
behavioral2/files/0x00070000000234e0-122.dat
behavioral2/files/0x00070000000234aa-124.dat
behavioral2/files/0x00070000000234ac-125.dat
behavioral2/files/0x00070000000234ad-126.dat
behavioral2/files/0x00070000000234af-127.dat
behavioral2/files/0x00070000000234b0-128.dat
behavioral2/files/0x00070000000234b2-130.dat
behavioral2/files/0x00070000000234b3-131.dat
behavioral2/files/0x00070000000234b4-132.dat
behavioral2/files/0x00070000000234cf-135.dat
behavioral2/files/0x00080000000234b1-137.dat
behavioral2/files/0x00070000000234d5-138.dat
behavioral2/files/0x00070000000234d4-140.dat
behavioral2/files/0x00070000000234d3-143.dat
behavioral2/files/0x00070000000234e3-144.dat
behavioral2/files/0x00070000000234ce-157.dat
behavioral2/files/0x00070000000234ba-171.dat
behavioral2/files/0x00070000000234bb-173.dat
behavioral2/files/0x000700000002347d-184.dat
behavioral2/files/0x0007000000023478-186.dat
behavioral2/files/0x0007000000023479-187.dat
Memory regions of PID 1132 (TOOLS.exe):
behavioral2/memory/1132-102-0x00007FF880EC0000-0x00007FF881325000-memory.dmp
behavioral2/memory/1132-111-0x00007FF891000000-0x00007FF891024000-memory.dmp
behavioral2/memory/1132-112-0x00007FF897B90000-0x00007FF897B9F000-memory.dmp
behavioral2/memory/1132-133-0x00007FF896070000-0x00007FF896088000-memory.dmp
behavioral2/memory/1132-134-0x00007FF8900B0000-0x00007FF8900DC000-memory.dmp
behavioral2/memory/1132-136-0x00007FF886580000-0x00007FF8865B5000-memory.dmp
behavioral2/memory/1132-146-0x00007FF895DA0000-0x00007FF895DB9000-memory.dmp
behavioral2/memory/1132-147-0x00007FF893EA0000-0x00007FF893EAD000-memory.dmp
behavioral2/memory/1132-148-0x00007FF886550000-0x00007FF88657E000-memory.dmp
behavioral2/memory/1132-149-0x00007FF880C60000-0x00007FF880D1C000-memory.dmp
behavioral2/memory/1132-150-0x00007FF886520000-0x00007FF88654B000-memory.dmp
behavioral2/memory/1132-152-0x00007FF8900A0000-0x00007FF8900AD000-memory.dmp
behavioral2/memory/1132-155-0x00007FF887240000-0x00007FF88725E000-memory.dmp
behavioral2/memory/1132-156-0x00007FF880820000-0x00007FF880991000-memory.dmp
behavioral2/memory/1132-159-0x00007FF886500000-0x00007FF886518000-memory.dmp
behavioral2/memory/1132-161-0x00007FF882710000-0x00007FF88273E000-memory.dmp
behavioral2/memory/1132-165-0x00007FF880760000-0x00007FF880817000-memory.dmp
behavioral2/memory/1132-166-0x00007FF8803E0000-0x00007FF880757000-memory.dmp
behavioral2/memory/1132-169-0x00007FF880EC0000-0x00007FF881325000-memory.dmp
behavioral2/memory/1132-172-0x00007FF881DE0000-0x00007FF881DF5000-memory.dmp
behavioral2/memory/1132-174-0x00007FF891000000-0x00007FF891024000-memory.dmp
behavioral2/memory/1132-175-0x00007FF8871E0000-0x00007FF8871EB000-memory.dmp
behavioral2/memory/1132-178-0x00007FF881BA0000-0x00007FF881BC6000-memory.dmp
behavioral2/memory/1132-179-0x00007FF8802C0000-0x00007FF8803D8000-memory.dmp
behavioral2/memory/1132-183-0x00007FF880280000-0x00007FF8802B8000-memory.dmp
behavioral2/memory/1132-190-0x00007FF881DD0000-0x00007FF881DDB000-memory.dmp
behavioral2/memory/1132-191-0x00007FF881DC0000-0x00007FF881DCC000-memory.dmp
behavioral2/memory/1132-192-0x00007FF880270000-0x00007FF88027B000-memory.dmp
behavioral2/memory/1132-193-0x00007FF880260000-0x00007FF88026C000-memory.dmp
behavioral2/memory/1132-194-0x00007FF880250000-0x00007FF88025B000-memory.dmp
behavioral2/memory/1132-195-0x00007FF880240000-0x00007FF88024C000-memory.dmp
behavioral2/memory/1132-196-0x00007FF880230000-0x00007FF88023C000-memory.dmp
behavioral2/memory/1132-197-0x00007FF887240000-0x00007FF88725E000-memory.dmp
behavioral2/memory/1132-207-0x00007FF882710000-0x00007FF88273E000-memory.dmp
behavioral2/memory/1132-208-0x00007FF880190000-0x00007FF88019C000-memory.dmp
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow  ioc
18    raw.githubusercontent.com
19    raw.githubusercontent.com
-
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
12    api.ipify.org
13    api.ipify.org
24    api.ipify.org
-
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Netsh reads its registered helper DLLs from HKLM\SOFTWARE\Microsoft\NetSh every time it starts, so the registry reads below are a side effect of the "netsh wlan show profiles" command in the process tree; the report records no value being written to that key, i.e. no new helper DLL is registered.
description           ioc                                         Process
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
-
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems. In this tree the ping targets localhost with its output discarded ("ping localhost -n 3 > NUL && del /F ..."), so it functions as a delay before the sample deletes its own executable, not as a connectivity check.
pid   Process
8     cmd.exe
1136  PING.EXE
-
System Network Configuration Discovery: Wi-Fi Discovery (1 TTPs, 2 IoCs)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. "netsh wlan show profiles" lists the names of saved profiles only; the report shows no follow-up per-profile query with key=clear, which is what would expose the stored passwords.
pid   Process
1412  cmd.exe
1872  netsh.exe
-
Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine the videocard installed.
pid   Process
3848  WMIC.exe
-
Runs ping.exe (1 TTPs, 1 IoCs)
pid   Process
1136  PING.EXE
-
Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid   Process         events
1132  TOOLS.exe       12
4020  powershell.exe  2
3516  powershell.exe  2
2132  powershell.exe  2
2556  powershell.exe  2
2272  powershell.exe  2
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid 1132 TOOLS.exe (1 event): SeDebugPrivilege
pid 1152 WMIC.exe (42 events; the following set is enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 4020 powershell.exe (1 event): SeDebugPrivilege
pid 3516 powershell.exe (1 event): SeDebugPrivilege
pid 2132 powershell.exe (1 event): SeDebugPrivilege
pid 2556 powershell.exe (1 event): SeDebugPrivilege
pid 2272 powershell.exe (1 event): SeDebugPrivilege
pid 3340 WMIC.exe (16 events): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege (the listing stops here at the signature's 64-IoC cap)
WMIC.exe enables this privilege set on every start, so the two WMIC rows are expected for any "wmic ... get" query and are not by themselves suspicious; the SeDebugPrivilege on TOOLS.exe (PID 1132) is the row worth noting.
-
Suspicious use of WriteProcessMemory (48 IoCs; each row was recorded twice)
pid   Process    wrote to memory of  procid_target
4220  TOOLS.exe  1132                86
1132  TOOLS.exe  4604                87
1132  TOOLS.exe  2524                89
2524  cmd.exe    1152                91
1132  TOOLS.exe  1412                93
1412  cmd.exe    1872                95
1132  TOOLS.exe  4884                96
4884  cmd.exe    4020                98
1132  TOOLS.exe  1916                99
1916  cmd.exe    3516                101
1916  cmd.exe    2132                102
1916  cmd.exe    2556                103
1916  cmd.exe    2272                104
1132  TOOLS.exe  3012                105
3012  cmd.exe    3340                107
1132  TOOLS.exe  1484                108
1132  TOOLS.exe  4600                110
4600  cmd.exe    3848                112
1132  TOOLS.exe  4308                113
4308  cmd.exe    3048                115
1132  TOOLS.exe  3240                116
3240  cmd.exe    1224                118
1132  TOOLS.exe  8                   119
8     cmd.exe    1136                121
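The following PowerShell is an added example for this report, not code from the sample or from Triage. It checks a Windows host for the state the signatures above describe: the Defender settings flipped by Set-MpPreference, the AppData and .exe exclusions, DLLs loaded from a user Temp directory ("Loads dropped DLL"), and the Startup-folder copy of the sample, identified by the SHA256 from the General section. It uses only built-in cmdlets; the function and variable names are this example's own.

```powershell
# Added example for this report; not code from the sample or from Triage.
# Audits a host for the Defender tampering, exclusions, Temp-loaded DLLs and
# Startup persistence shown in the signatures above. Run from an elevated
# PowerShell. Remediation is a dry run unless -Apply is given.

# SHA256 of TOOLS.exe from the report (Get-FileHash returns upper-case hex).
$SampleSha256 = '4DA7C57DA36F317504FC1FA73B252D4D4EC8B67CAFCF9FDE0EF997D2C2E65664'

function Test-DefenderTampering {
    # Each setting the sample changes, with the value it sets it to.
    # MAPSReporting 0 = Disabled; SubmitSamplesConsent 2 = NeverSend.
    $pref   = Get-MpPreference
    $checks = @(
        @{ Setting = 'DisableRealtimeMonitoring';        Bad = $true }
        @{ Setting = 'DisableIOAVProtection';            Bad = $true }
        @{ Setting = 'DisableScriptScanning';            Bad = $true }
        @{ Setting = 'DisableIntrusionPreventionSystem'; Bad = $true }
        @{ Setting = 'MAPSReporting';                    Bad = 0 }
        @{ Setting = 'SubmitSamplesConsent';             Bad = 2 }
    )
    foreach ($c in $checks) {
        $current = $pref.($c.Setting)
        [pscustomobject]@{ Setting = $c.Setting; Current = $current; Tampered = ($current -eq $c.Bad) }
    }
    # Tamper Protection blocks these Set-MpPreference calls; if it is off and the
    # rows above are flipped, assume the sample's evasion step succeeded.
    [pscustomobject]@{ Setting = 'IsTamperProtected'; Current = (Get-MpComputerStatus).IsTamperProtected; Tampered = $null }
}

function Get-SuspiciousExclusions {
    # The sample excludes %USERPROFILE%\AppData, %USERPROFILE%\Local and every .exe.
    $pref  = Get-MpPreference
    $paths = @($pref.ExclusionPath)      | Where-Object { $_ -and $_ -match '\\Users\\[^\\]+\\(AppData|Local)\b' }
    $exts  = @($pref.ExclusionExtension) | Where-Object { $_ -and $_.TrimStart('.') -ieq 'exe' }
    [pscustomobject]@{ BroadProfileExclusions = @($paths); ExeExclusions = @($exts) }
}

function Find-ModulesLoadedFromTemp {
    # "Loads dropped DLL": live processes with modules mapped from a user Temp directory.
    Get-Process | ForEach-Object {
        $p = $_
        try { $mods = $p.Modules } catch { return }   # protected processes deny access
        foreach ($m in $mods) {
            if ($m.FileName -match '\\AppData\\Local\\Temp\\') {
                [pscustomobject]@{ ProcessId = $p.Id; Process = $p.ProcessName; Module = $m.FileName }
            }
        }
    }
}

function Find-StartupPersistence {
    # The sample copies itself into the per-user Startup folder.
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{ File = $_.FullName; Sha256 = $hash; KnownSample = ($hash -eq $SampleSha256) }
    }
}

function Repair-DefenderSettings {
    param([switch]$Apply)
    $excl    = Get-SuspiciousExclusions
    $actions = @()
    foreach ($p in $excl.BroadProfileExclusions) { $actions += @{ Cmd = 'Remove-MpPreference'; Params = @{ ExclusionPath = $p } } }
    foreach ($x in $excl.ExeExclusions)          { $actions += @{ Cmd = 'Remove-MpPreference'; Params = @{ ExclusionExtension = $x } } }
    foreach ($t in (Test-DefenderTampering | Where-Object Tampered)) {
        $params = @{}
        switch ($t.Setting) {
            'MAPSReporting'        { $params.MAPSReporting = 'Advanced' }
            'SubmitSamplesConsent' { $params.SubmitSamplesConsent = 'SendSafeSamples' }
            default                { $params[$t.Setting] = $false }
        }
        $actions += @{ Cmd = 'Set-MpPreference'; Params = $params }
    }
    foreach ($a in $actions) {
        $splat = $a.Params
        $desc  = ($splat.GetEnumerator() | ForEach-Object { "-$($_.Key) $($_.Value)" }) -join ' '
        if ($Apply) { & $a.Cmd @splat } else { "[would run] $($a.Cmd) $desc" }
    }
}

Test-DefenderTampering     | Format-Table -AutoSize
Get-SuspiciousExclusions   | Format-List
Find-ModulesLoadedFromTemp | Format-Table -AutoSize
Find-StartupPersistence    | Format-Table -AutoSize
Repair-DefenderSettings    # dry run; add -Apply to remediate
```

Several Tampered = True rows together with an exclusion covering the user's AppData are themselves the indicator: with Tamper Protection on, the Set-MpPreference calls in the process tree fail. The repair only restores the preferences the sample changed; re-enabling Tamper Protection and running a full scan afterwards have to be done separately, since neither is exposed through these cmdlets.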
Processes
-
Process tree of the behavioral2 run. The bracketed number is the depth in the tree; the signatures that fired on a process are listed under its command line.

[1] C:\Users\Admin\AppData\Local\Temp\TOOLS.exe  (PID 4220)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\TOOLS.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\TOOLS.exe  (PID 1132; a second instance of the sample, and the parent of everything below)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\TOOLS.exe"
        - Drops startup file
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\cmd.exe  (PID 4604)
            cmdline: C:\Windows\system32\cmd.exe /c "ver"
        [3] C:\Windows\system32\cmd.exe  (PID 2524)
            cmdline: C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\System32\wbem\WMIC.exe  (PID 1152)
                cmdline: C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\system32\cmd.exe  (PID 1412)
            cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
            - System Network Configuration Discovery: Wi-Fi Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\netsh.exe  (PID 1872)
                cmdline: netsh wlan show profiles
                - Event Triggered Execution: Netsh Helper DLL
                - System Network Configuration Discovery: Wi-Fi Discovery
        [3] C:\Windows\system32\cmd.exe  (PID 4884)
            cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
            - Clipboard Data
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4020)
                cmdline: powershell Get-Clipboard
                - Clipboard Data
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\system32\cmd.exe  (PID 1916)
            cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3516)
                cmdline: powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2132)
                cmdline: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2556)
                cmdline: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
                (C:\Users\Admin\Local is the literal expansion of %USERPROFILE%\Local and is not a standard profile directory; Defender still registers the exclusion.)
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2272)
                cmdline: powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\system32\cmd.exe  (PID 3012)
            cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 3340)
                cmdline: wmic os get Caption
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\Wbem\wmic.exe  (PID 1484; launched directly, without a cmd.exe wrapper)
            cmdline: wmic cpu get Name
        [3] C:\Windows\system32\cmd.exe  (PID 4600)
            cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 3848)
                cmdline: wmic path win32_VideoController get name
                - Detects videocard installed
        [3] C:\Windows\system32\cmd.exe  (PID 4308)
            cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 3048)
                cmdline: wmic computersystem get totalphysicalmemory
        [3] C:\Windows\system32\cmd.exe  (PID 3240)
            cmdline: C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\System32\wbem\WMIC.exe  (PID 1224)
                cmdline: C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
        [3] C:\Windows\system32\cmd.exe  (PID 8)
            cmdline: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\TOOLS.exe""
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\PING.EXE  (PID 1136)
                cmdline: ping localhost -n 3
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
[1] C:\Windows\System32\rundll32.exe  (PID 2720; a separate root with no recorded parent, i.e. a shell32 COM local server activated out of process, not a child of the sample)
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
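The process tree above is more telling as a chain than as individual commands: one WMIC query is routine, but a parent that fingerprints the machine, reads Wi-Fi profiles, switches off Defender, adds exclusions and then deletes itself behind a ping delay is the stealer pattern this run shows. The PowerShell below is an added example, not code from the sample or from Triage: it matches process-creation records against a small rule set drawn from the command lines above, then climbs parent links so that hits on cmd.exe and powershell.exe children are attributed to the TOOLS.exe root. The records are constructed here to mirror the tree (PIDs and command lines from the report); the field names ProcessId, ParentProcessId, Image and CommandLine are an assumption chosen to match Sysmon Event ID 1, and the rule names and the threshold of three distinct rules are this example's own.

```powershell
# Added example for this report; not code from the sample or from Triage.
# Flags the discovery / defence-evasion / self-delete commands seen in the
# process tree and scores them per root process. In production the $Events
# records would come from Sysmon Event ID 1 or Security 4688.

$Rules = @(
    @{ Name = 'Defender real-time protection disabled';   Pattern = 'Set-MpPreference.*-DisableRealtimeMonitoring\s+\$true' }
    @{ Name = 'Defender cloud/sample submission disabled'; Pattern = 'Set-MpPreference.*-(MAPSReporting\s+Disabled|SubmitSamplesConsent\s+(NeverSend|2))' }
    @{ Name = 'Defender exclusion added';                  Pattern = '(Add|Set)-MpPreference.*-Exclusion(Path|Extension)' }
    @{ Name = 'Wi-Fi profile discovery';                   Pattern = 'netsh\s+wlan\s+show\s+profiles' }
    @{ Name = 'Clipboard collection';                      Pattern = 'powershell.*Get-Clipboard' }
    @{ Name = 'Machine UUID via WMIC';                     Pattern = 'wmic(\.exe)?\s+csproduct\s+get\s+uuid' }
    @{ Name = 'Hardware fingerprinting via WMIC';          Pattern = 'wmic(\.exe)?\s+(os|cpu|computersystem|path\s+win32_VideoController)\s+get\s' }
    @{ Name = 'Self-delete after ping delay';              Pattern = 'ping\s+\S+\s+-n\s+\d+.*&&\s*del\s+/F' }
)

function Find-SuspiciousCommand {
    # One hit per (event, rule) pair; -match is case-insensitive by default.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if ($e.CommandLine -match $r.Pattern) {
                [pscustomobject]@{ Rule = $r.Name; ProcessId = $e.ProcessId; Image = $e.Image; CommandLine = $e.CommandLine }
            }
        }
    }
}

function Get-ChainScore {
    # Attribute every hit to the top-most recorded ancestor, then count how many
    # distinct rules fired under that root.
    param([Parameter(Mandatory)][object[]]$Events)
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }
    $hits = Find-SuspiciousCommand -Events $Events | ForEach-Object {
        $cur = [int]$_.ProcessId
        while ($byPid.ContainsKey([int]$byPid[$cur].ParentProcessId)) { $cur = [int]$byPid[$cur].ParentProcessId }
        $_ | Add-Member -NotePropertyName Root -NotePropertyValue $cur -PassThru
    }
    $hits | Group-Object Root | ForEach-Object {
        $names   = @($_.Group.Rule | Sort-Object -Unique)
        $verdict = if ($names.Count -ge 3) { 'stealer-like chain' } else { 'isolated hit' }
        [pscustomobject]@{
            RootPid       = [int]$_.Name
            RootImage     = $byPid[[int]$_.Name].Image
            DistinctRules = $names.Count
            Verdict       = $verdict
            Rules         = ($names -join '; ')
        }
    }
}

# Constructed records mirroring the report's tree (not live telemetry). The
# long Set-MpPreference command line is abbreviated; PID 9001 is a made-up
# lone admin query that should stay an isolated hit.
$Events = @(
    [pscustomobject]@{ ProcessId = 4220; ParentProcessId = 0;    Image = 'TOOLS.exe';      CommandLine = '"C:\Users\Admin\AppData\Local\Temp\TOOLS.exe"' }
    [pscustomobject]@{ ProcessId = 1132; ParentProcessId = 4220; Image = 'TOOLS.exe';      CommandLine = '"C:\Users\Admin\AppData\Local\Temp\TOOLS.exe"' }
    [pscustomobject]@{ ProcessId = 4604; ParentProcessId = 1132; Image = 'cmd.exe';        CommandLine = 'C:\Windows\system32\cmd.exe /c "ver"' }
    [pscustomobject]@{ ProcessId = 1412; ParentProcessId = 1132; Image = 'cmd.exe';        CommandLine = 'C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"' }
    [pscustomobject]@{ ProcessId = 4884; ParentProcessId = 1132; Image = 'cmd.exe';        CommandLine = 'C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"' }
    [pscustomobject]@{ ProcessId = 1916; ParentProcessId = 1132; Image = 'cmd.exe';        CommandLine = 'C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting Disabled -SubmitSamplesConsent NeverSend"' }
    [pscustomobject]@{ ProcessId = 2132; ParentProcessId = 1916; Image = 'powershell.exe'; CommandLine = 'powershell.exe -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"' }
    [pscustomobject]@{ ProcessId = 3012; ParentProcessId = 1132; Image = 'cmd.exe';        CommandLine = 'C:\Windows\system32\cmd.exe /c "wmic os get Caption"' }
    [pscustomobject]@{ ProcessId = 8;    ParentProcessId = 1132; Image = 'cmd.exe';        CommandLine = 'C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\TOOLS.exe""' }
    [pscustomobject]@{ ProcessId = 9001; ParentProcessId = 0;    Image = 'cmd.exe';        CommandLine = 'cmd.exe /c "wmic cpu get Name"' }
)

Find-SuspiciousCommand -Events $Events | Format-Table Rule, ProcessId, Image -AutoSize
Get-ChainScore -Events $Events | Format-Table -AutoSize
```

On the constructed records the root PID 4220 (TOOLS.exe) collects seven distinct rules and is reported as a stealer-like chain, while PID 9001 scores one and stays an isolated hit. The per-root roll-up is what separates this sample from an administrator running a single WMIC or netsh query; the threshold and the pattern list are starting points to tune against local telemetry, and the "ver" command in the tree deliberately matches nothing.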
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize 10KB
MD5 e0dd54d1a4a8b3f4a2b7fb67bc2e6297
SHA1 b184c2ed3dd46d527df992ffe0c57ef8eb364eea
SHA256 b6b7cce003744af2342afef0f2536cdbbccd3a271f15f72aefc740332312281e
SHA512 960f3e6e3a6168ba65d690cb9c94541de8f5a8afb456b5db8d7c0392d0d935cf47245eb88160606be12d54c32f1dc1e1ebf7c6049a310654847e0d473d1726a6
-
Filesize 10KB
MD5 534fc55a686a5e2993b5f0f55de816b6
SHA1 b4f4d659ed48e7a0ebee924c46df981351bf5ccd
SHA256 65f991b7e0831110acb0556d5fbe2054a9ea696a7f4b373d86cd21d7c9c60b78
SHA512 fec49bcf30ed50fe652cbdaf33c3a8cde430fdc04d86b078f9a69ac9be0f5fdc5a81420bc713ca9275e622a49040b1413a5789b3d2675941ed88cfb33e1e7ec1
-
Filesize 9KB
MD5 1a48e6e2a3243a0e38996e61f9f61a68
SHA1 488a1aa38cd3c068bdf24b96234a12232007616c
SHA256 c7b01a0290bc43910ee776bd90de05e37b77f5bd33feaf7d38f4c362e255e061
SHA512 d7acd779b7cab5577289511f137dc664966fcaac39748e33ca4d266a785b17766106944df21c8f2452fd28e008529f3e0097282ad3c69f1069a93df25c6da764
-
Filesize 95KB
MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize 36KB
MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba
-
Filesize 44KB
MD5 2fe457932ef5b6d31027341c36cc861f
SHA1 3feb5a3880555dab1b8f81a461a354bdaf9449f3
SHA256 ad1654d88dca0102ee2f6364323cc960dcac9d6f7957314ffd55221d63d8cc58
SHA512 39210ff4d9a3079ee90934dda7807e2ac6a3f0ac244090170a22ca78edd8d016815653f3570d5f30c7a920634fd4282f917ca1d229f7294c06a9ef1f5ea545cf
-
Filesize 71KB
MD5 2c10963a86452d7598ea524b9432b0ba
SHA1 1061560d76835415d600879e43e04d3315b0af67
SHA256 3cd74813744062712d08fadc0d980c541d92d4ac6bbee91daf2b1599d9c3e5f7
SHA512 c179c256de828da85294a052e5db531ba43ab32f018f4c7d777f9dcda89432bed0042764d1259fd6796756fd05009b0aa0c33f6e6c8b7e898931262e0aadb32f
-
Filesize 55KB
MD5 10919db111de50d39df5c829dac91715
SHA1 7e308bb3b4f1eb47fbd5143cb4e169cf2b437ab6
SHA256 963ace74612bcfb459a28517f34cd6734c0fdd3b9197a504a9ab21d257b06644
SHA512 130468e5026d32cd9a9fb9cb1df5a1f36a54cfde07cb799d68abb0152e075fdd48f05a6580852f0cfec8e490814cfa588fa02552bcdb858e1b722d9105bf37b4
-
Filesize 102KB
MD5 8d7486b569d058b132e472de72d907cf
SHA1 851e1254bd51315ec2a6b0645ae31fb35a293014
SHA256 6e413ed4d5eb81c321388f6ef529db6063d6d564f8649e7256ce3c87afbacd32
SHA512 5a264f8a86af7f9a41906359cc417bd39e6d6ad5b6bf2ae7e389d6eeb0e718da242565ad0a8e40f5afc26e9797e9694251044fc2662242303feb50b21360e4d7
-
Filesize 32KB
MD5 1556f897857e3f0bf0007cd351d8938d
SHA1 c47427f97c6107337693e480c207faa3947d1e0b
SHA256 469596bd849e4f357ea7358809541897b8ba7db23e14270c427d14820b61bbc8
SHA512 78b44c863f476c7cde863dd95336add9ee8e59baa73a40ef290f5e830151a51f7ddcd161a26e941dd073a64d1f6ec1c8a42f48a89e4fb1e533f0a1f0480ae76e
-
Filesize 82KB
MD5 9c1c78dcccce27935662a21897108798
SHA1 8efb7b56645dede4365527fcdfb72ab4615763a3
SHA256 96f0d15cbc8572636acc8a9e89220937f07265de7f6a2c000b9f1b9de76ea8ea
SHA512 4d0297adf3c1e0ab02ef5efbb38680cb0685b08c7944461c2d924975f01643202eff2676c37f6566181e615a8805f5ede0d8227350f9e3a2e3f9f6e8e782a156
-
Filesize 23KB
MD5 dfd574bbb69d8322851dc2b87b5d03a5
SHA1 5ba1d0798a7b9e50555c3d598f960a97f6bf568f
SHA256 b99d65b4444ab19226191ea6a6a431034195ab95ae22488a2debfee070f3ce33
SHA512 00b13ff6b6a53406c69d7a85855a9ddca6820eb440e90d3b61261d3d82fc333cf0736f0ede2adbbb2d80867eaa677ad6e5391e72be48873a9450c254e18dedb4
-
Filesize 22KB
MD5 12a247e7df51ba1ca2bb8d1a51e155bb
SHA1 c310e1eca2c8bdab025757099bb4a4bd5a9b1b8f
SHA256 b03e4d5e244850b94842c18e8e3066dc2233e7056ea190f44f42435d52087325
SHA512 53b81950e15e245d0d7bc13ca3464b3ab178b3ed53dbede13e643184538ebe69dbbdc95df8f0d74d24f9c489975f42594e0d6657b81a567318d4a6d3faab929c
-
Filesize 39KB
MD5 34a855ce59f2073f8ca43a98a2539b63
SHA1 46c932f25ec4a5a7a64df0f3162a9ccafb0a63cd
SHA256 a53e3e0434f72ef7a645882705267cfbce2eaaaf83b84464bc84b40eec517c08
SHA512 9add1c8eb3ba167e7720be2e5fe147c3b55205eb133948eafa7a419a442f38e85879892c4c20e35273843c64500849a28abe3df3305e17079743b2e16cd797ac
-
Filesize 47KB
MD5 f2c0219488cf6910c14ae68a65a4d364
SHA1 83032921dfed68f0ce9272efb40aed3247c8c44a
SHA256 d0679b355162dca4898131a4ad617ddae6a14c9d6262856d68f1ab1d639250d0
SHA512 2e3a88c62d53d5bb8c2db7f97e0dcbb21f991bcc4c5b748447a0f30c929114f867ce377dd195d6b57da36e0e23c10a9ee66ffde42552766b85dead0f08dea086
-
Filesize 59KB
MD5 d6188f49230356c75c47538111399761
SHA1 dedb75c4371baf697fd91728dece0fbb9cc95aec
SHA256 b121c5129642afacff657c1c98231d5b1ed2307144ce4b23badbbd96ea7ca007
SHA512 99915882c43c3fae77acf5eedda2a17033eeffcd877444f8a491fa1b852424283d7f73b6cf4bcd3316b8f9a804dcf91d017e9bcba36995a7dee5eda85f64b713
-
Filesize 20KB
MD5 d5f07590132a951cd06df53c9e3c2770
SHA1 b763ea9dea02e5360f98f083ba4dfc40a6736b8b
SHA256 52134692a89f5bd2be4604eb2f46b7a47a3cae52092b2d74eec677e4852b9c54
SHA512 cabc53768698e70e5456593bd69b78f47de3009259ed359d7e7720102d10c16ea0936bd21c509bc21e8a40a9077a506a355491756c882d7463449528d2d68364
-
Filesize 859KB
MD5 7189563ca7d7bc1d2973a0a9452eb127
SHA1 5652d5e4fa3b3bf55c6b1c79efab9c4f078f5415
SHA256 6f50b4dc2129ff8e22807dcce0bd93f74f803d7893abf8fd55a7ae7dfc5de06c
SHA512 6baa17b84707472ad4ab9548438c062099fe9160aec9b6a449af79618143f0342640ff135cd28ceb3b036e90cfa173bcfa2952ac9481a411880539b73a885946
-
Filesize 284KB
MD5 181ac9a809b1a8f1bc39c1c5c777cf2a
SHA1 9341e715cea2e6207329e7034365749fca1f37dc
SHA256 488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee
SHA512 e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85
-
Filesize 9KB
MD5 aee1fe0f4ed7a4860d1e80aa7f93c41e
SHA1 ad318a3c47da5977841024892b8675bbf423ba78
SHA256 612bf067dc69a86ca6bcaf314ca24b30f2abc774640abd0d2445e638810cb5b7
SHA512 c265e549f9d3b38fb7d95878e323b79ad6c1d9b6677577bdd288369820b88b695eb60cf0cc04b2fff229f93c9d9d39833efd468ff655dbc45ebfd0a5674b149a
-
Filesize 39KB
MD5 2d5a2a59ef7d0885edc341535e42e4f4
SHA1 6e98703a9f09cb6241fabbc1906b2b662d51cebf
SHA256 d7fe07386b0ce109ed00022e1d1bc741c24c269470d32600bd6e2376d5d1d37c
SHA512 f2ce7cd672074aedc5a3d3f0d5586094e65c1e653371fa00128a8fc59d300570f46a7bda5bee54260e31ce89f3408f7dc96c6a365f85f073f06add4b00958999
-
Filesize 1.1MB
MD5 97aae56a9a70cd181bb83e47a0818c79
SHA1 8fb01cbe59e857322891e8cfdc264651fda58745
SHA256 ceaad3bc4a31298320568f6507297e37557f0fc39ab8d0bbb2becfd1f26c70c6
SHA512 ef84fde8f2c5926598f646a266e650520b5400f3b056c3f0dfcd9dbc4d4a8d60e97bb50f211e962b890bb0300bbdbc7ee0d46a18ff28c49b0163b6ac648064ff
-
Filesize 23KB
MD5 3e91e70021fcbe76c38d87a62f9f424f
SHA1 067d8076aba98177bc1aaaf0102ac5ed411f8312
SHA256 e2880494d9509fb0314fc77ab4c9a68a39cdb8a0a24838d04d4ac252fa12f270
SHA512 7908116d924c1b5a424a5d998caa5f21587a622b3a1811293406b331934cc57077fe078e3e62ea471db37c59e108bba4e285e1caaa54a4e4ceb71c04382c649a
-
Filesize 200KB
MD5 668a30bd23391009cc57b85e6f874484
SHA1 9d035b8495549f4d7862f5e25239da3f5d86a2dd
SHA256 1782bbf740b8ac3c5b4044a7031167e9571f556a6af77a0e06dffda0d70b863d
SHA512 1165f7fb424ba70562d327fe8c05ff6466c287ae99708e73da32257620dd1799a22c01bcfeae8b50881cdc00e98ddf5288d2726c6680ff8e0c203df5f126f906
-
Filesize 31KB
MD5 46bf915b914e0f596e14aa018cb39f01
SHA1 b28aeb56ea8273ba86a0404441a1380d6cc75f6e
SHA256 af90d250bb9648144a4ec79fb29b702f264dd07a26520b792360a3ee51f2a8c2
SHA512 e6e24bfd5697c92ade00b93504a1da93bf6428ffb52370e59fa08d9667aceea86b4c88fc0a0f0f6ecb12ed98afc092da45d0e4c15aee7133bdd8123aad2e903d
-
Filesize 84KB
MD5 8985fa7cb8b8bea7476b650b35aa643f
SHA1 81e4d0df08e183751e9fb65e4bbece7063eac105
SHA256 e8cfe479e478747d031d30c2df70f531aaab231cc928d6cff27783d0d049ed1a
SHA512 ae0933f37231c352c0241f2bc58b489e3994c8a35081c0571863cb99fb450325c421dfbceca877dce12444e7e9286b8b1685146d80109de5f6f1a36c16f46c5c
-
Filesize 61KB
MD5 704d647d6921dbd71d27692c5a92a5fa
SHA1 6f0552ce789dc512f183b565d9f6bf6bf86c229d
SHA256 a1c5c6e4873aa53d75b35c512c1cbadf39315deeec21a3ada72b324551f1f769
SHA512 6b340d64c808388fe95e6d632027715fb5bd801f013debaaa97e5ecb27a6f6ace49bf23648517dd10734daff8f4f44969cff2276010bf7502e79417736a44ec4
-
Filesize 1.4MB
MD5 c636d4d09f0c3ec969c9114ac7f3b5c8
SHA1 57f6716562d75dfff70945b503ab9615cf54262b
SHA256 1073c9c6d2c7a3a0feaf5fb3f405d9ec70101247eeee7f31a1e84a44aaf128f6
SHA512 75d54e5dd850e32794c261192f34a69c67c883aed358c8df92290a88dd426450b8f101ce41676dd6100d7856e969a66e76fd1dd3a7078fd5ffebb2a69e505bf9
-
Filesize 193KB
MD5 94f9a7b80ddcbc0623be6e796ce119bd
SHA1 49a29ee4054dd8c2547c065b651102705024593d
SHA256 43f57b57e3e8666f52a7f6525cf107ca8b685c582a111e6891e23fd4742a502b
SHA512 c2be1ac0bcfabfb331e67b9652bc02ab40a22c8c6bad053d646773a1ecdc4cbe57b4f024602ec48e1214110fa56191a6cf732de1c0871226c9462a25b15d7aff
-
Filesize 62KB
MD5 4834c005c00a4ea31e940da3e2c75354
SHA1 cac4d010d0ee8b9d87106b4a5f1f1b63ce91bdfc
SHA256 2dc712b833e26819296ae2918cf297a1efabb37e5802a6738aa3a12906861e02
SHA512 368b98894049b8fa77bd7ce2a3fecb949f53bd39f0927828e97e2f77ec9ada056a1ee426d456c126537d4205aabf55867a0710ea3bf6539baca5c73f86242a5c
-
Filesize 22KB
MD5 b4f1632444f04e066eeab4378d52ecea
SHA1 b14fcc9ec52ba5b512a798a43bede271fa7a83a8
SHA256 6471685de4a8b4cb99e5e22bdfa7d53d5fd2c5bf26ea4d9ec948edb4da05fbf3
SHA512 d148e7a36608525823f1992742e33165496cf6c7d6b84e553ea0319f52dbcc6bc7712bca944c0778bc28f699f932208816173adf02b2918e54821160a52bad1a
-
Filesize 612KB
MD5 b350764b70bb6545685ea622ca563443
SHA1 38862bd90f0e872b0da7591e7a2fe55e0bf74063
SHA256 e4a5514b4ad19d6250732833889d8a25567885b0a594a5ecb7448c12e003a4e3
SHA512 ec87e32e8cf07157aab6ff3c672de7912d70795c35428707f7f3acef78a79fb122d3383e2c475072d174101ae0b2568e7d53b0d9df11de840662ad1dd7f79dcf
-
Filesize 286KB
MD5 2224618453656d966a55ad6b6d28c9c6
SHA1 ffebf20a63c0ca7962026e6dd80219d2902c648b
SHA256 e20abfc3c575867115314c9bf88c8c5d0f1892ea5be10db2f48dbf4b0553327c
SHA512 0143cd69b61b9b57e2628f6c21d202c86ddb873b7296936944679129a8c099b74f68abdb0395748010152b7c2dac01d98a7a656c531836fe27f207830d412ecd
-
Filesize 48KB
MD5 4de3f5e30d9c378ad545eb01450da7f5
SHA1 effbbb776bd64b9aef4134b7475675c77a646e8d
SHA256 bc28f70df94e15fbc3bcc23097ca68609786c2b0ed063aa3da6b0c071e0ca03c
SHA512 3a2a8044235eb4e40c14fc13ce68d68885971c707c2b7966f64c0e1cce51c5535eb3e56d8ac2770cd5e2e1a6e3133cb4b2456831a2610af1c235deffbc9bef50
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 91B
MD5 5aa796b6950a92a226cc5c98ed1c47e8
SHA1 6706a4082fc2c141272122f1ca424a446506c44d
SHA256 c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c
SHA512 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad
-
Filesize 23B
MD5 5638715e9aaa8d3f45999ec395e18e77
SHA1 4e3dc4a1123edddf06d92575a033b42a662fe4ad
SHA256 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6
SHA512 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b