6c3d0aec1057e3783db453fb638ad9dd3cb72051326e09b4396921b1b85074c2

Analysis

max time kernel
29s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VExploit 7.5.exe
Size

3.0MB
MD5

b576d503248249aa9d80c75812735b95
SHA1

07e528c971ee71afbf67381424a94278ddb168a8
SHA256

26e99147a71dab9e54af91b164c7d6755e91d7e84b01907e74ef55aedcd00f44
SHA512

0646222a0bc2fa3daa0ac9e79783c96c1ca6e7d59968ac2456865d5f030fbbbe87582fe22626cf86590b81d8a312275fb6358e632ba7a11ad18826928788cdaa
SSDEEP

49152:NPlxT9CAot1ZewmTyGlj0cmGVmCWK0IK9LBRv3OUDr95NwmWWD3KpbQTV3:NPlDCjZkHluoTl49LBx3OU/N3MbQp

Score

9^/10

credential_access spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/3580-0-0x00007FF7499A0000-0x00007FF74A212000-memory.dmp	upx
behavioral4/memory/3580-2-0x00007FF7499A0000-0x00007FF74A212000-memory.dmp	upx
behavioral4/memory/3580-4-0x00007FF7499A0000-0x00007FF74A212000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ipinfo.io
11 ipinfo.io
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3336 systeminfo.exe

flow	ioc
3	ipinfo.io
11	ipinfo.io

pid	process
3336	systeminfo.exe

Kills process with taskkill 17 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5080	taskkill.exe
5044	taskkill.exe
2524	taskkill.exe
996	taskkill.exe
3928	taskkill.exe
3484	taskkill.exe
3644	taskkill.exe
4020	taskkill.exe
1512	taskkill.exe
5064	taskkill.exe
4292	taskkill.exe
2792	taskkill.exe
4356	taskkill.exe
2800	taskkill.exe
1800	taskkill.exe
4524	taskkill.exe
4396	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

VExploit 7.5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	VExploit 7.5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	VExploit 7.5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	VExploit 7.5.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

VExploit 7.5.exe

pid	process
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe
3580	VExploit 7.5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	5064	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	5080	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	3484	taskkill.exe
Token: SeDebugPrivilege	4292	taskkill.exe
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4596	wmic.exe
Token: SeSecurityPrivilege	4596	wmic.exe
Token: SeTakeOwnershipPrivilege	4596	wmic.exe
Token: SeLoadDriverPrivilege	4596	wmic.exe
Token: SeSystemProfilePrivilege	4596	wmic.exe
Token: SeSystemtimePrivilege	4596	wmic.exe
Token: SeProfSingleProcessPrivilege	4596	wmic.exe
Token: SeIncBasePriorityPrivilege	4596	wmic.exe
Token: SeCreatePagefilePrivilege	4596	wmic.exe
Token: SeBackupPrivilege	4596	wmic.exe
Token: SeRestorePrivilege	4596	wmic.exe
Token: SeShutdownPrivilege	4596	wmic.exe
Token: SeDebugPrivilege	4596	wmic.exe
Token: SeSystemEnvironmentPrivilege	4596	wmic.exe
Token: SeRemoteShutdownPrivilege	4596	wmic.exe
Token: SeUndockPrivilege	4596	wmic.exe
Token: SeManageVolumePrivilege	4596	wmic.exe
Token: 33	4596	wmic.exe
Token: 34	4596	wmic.exe
Token: 35	4596	wmic.exe
Token: 36	4596	wmic.exe
Token: SeIncreaseQuotaPrivilege	4596	wmic.exe
Token: SeSecurityPrivilege	4596	wmic.exe
Token: SeTakeOwnershipPrivilege	4596	wmic.exe
Token: SeLoadDriverPrivilege	4596	wmic.exe
Token: SeSystemProfilePrivilege	4596	wmic.exe
Token: SeSystemtimePrivilege	4596	wmic.exe
Token: SeProfSingleProcessPrivilege	4596	wmic.exe
Token: SeIncBasePriorityPrivilege	4596	wmic.exe
Token: SeCreatePagefilePrivilege	4596	wmic.exe
Token: SeBackupPrivilege	4596	wmic.exe
Token: SeRestorePrivilege	4596	wmic.exe
Token: SeShutdownPrivilege	4596	wmic.exe
Token: SeDebugPrivilege	4596	wmic.exe
Token: SeSystemEnvironmentPrivilege	4596	wmic.exe
Token: SeRemoteShutdownPrivilege	4596	wmic.exe
Token: SeUndockPrivilege	4596	wmic.exe
Token: SeManageVolumePrivilege	4596	wmic.exe
Token: 33	4596	wmic.exe
Token: 34	4596	wmic.exe
Token: 35	4596	wmic.exe
Token: 36	4596	wmic.exe
Token: SeIncreaseQuotaPrivilege	1980	wmic.exe
Token: SeSecurityPrivilege	1980	wmic.exe
Token: SeTakeOwnershipPrivilege	1980	wmic.exe
Token: SeLoadDriverPrivilege	1980	wmic.exe
Token: SeSystemProfilePrivilege	1980	wmic.exe
Token: SeSystemtimePrivilege	1980	wmic.exe
Token: SeProfSingleProcessPrivilege	1980	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VExploit 7.5.execmd.exenet.exe

description	pid	process	target process
PID 3580 wrote to memory of 2644	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 2644	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 4476	3580	VExploit 7.5.exe	cmd.exe
PID 3580 wrote to memory of 4476	3580	VExploit 7.5.exe	cmd.exe
PID 3580 wrote to memory of 2940	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 2940	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 1812	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 1812	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 4384	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 4384	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 5056	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 5056	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 4524	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 4524	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 1512	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 1512	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 5064	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 5064	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 2524	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 2524	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 5080	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 5080	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 996	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 996	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 4396	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 4396	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 3928	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 3928	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 3484	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 3484	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 4292	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 4292	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 4356	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 4356	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 3644	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 3644	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 5044	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 5044	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 2792	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 2792	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 4020	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 4020	3580	VExploit 7.5.exe	taskkill.exe
PID 3580 wrote to memory of 1948	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 1948	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 4596	3580	VExploit 7.5.exe	wmic.exe
PID 3580 wrote to memory of 4596	3580	VExploit 7.5.exe	wmic.exe
PID 3580 wrote to memory of 4848	3580	VExploit 7.5.exe	cmd.exe
PID 3580 wrote to memory of 4848	3580	VExploit 7.5.exe	cmd.exe
PID 4848 wrote to memory of 1840	4848	cmd.exe	net.exe
PID 4848 wrote to memory of 1840	4848	cmd.exe	net.exe
PID 1840 wrote to memory of 744	1840	net.exe	net1.exe
PID 1840 wrote to memory of 744	1840	net.exe	net1.exe
PID 3580 wrote to memory of 3336	3580	VExploit 7.5.exe	systeminfo.exe
PID 3580 wrote to memory of 3336	3580	VExploit 7.5.exe	systeminfo.exe
PID 3580 wrote to memory of 3420	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 3420	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 1980	3580	VExploit 7.5.exe	wmic.exe
PID 3580 wrote to memory of 1980	3580	VExploit 7.5.exe	wmic.exe
PID 3580 wrote to memory of 1324	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 1324	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 4352	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 4352	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 208	3580	VExploit 7.5.exe	curl.exe
PID 3580 wrote to memory of 208	3580	VExploit 7.5.exe	curl.exe

C:\Users\Admin\AppData\Local\Temp\VExploit 7.5.exe
"C:\Users\Admin\AppData\Local\Temp\VExploit 7.5.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:2644
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c
  2⤵
  PID:4476
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:2940
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:1812
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:4384
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:5056
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM brave.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM yandex.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM vivaldi.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM safari.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "opera gx.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "opera neon.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "opera beta.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "opera developer.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "opera next.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "opera portable.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:1948
- C:\Windows\System32\Wbem\wmic.exe
  wmic desktopmonitor get "screenheight, screenwidth"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\system32\cmd.exe
  cmd /C net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:744
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:3336
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3420
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:1324
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:4352
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:208
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3064
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:4932
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:216
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:2736
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:1436
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:2840
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3868
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:2676
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:852
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:1204
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:2524
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:2592
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:892
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Telegram.exe
  2⤵
  - Kills process with taskkill
  PID:2800
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Telegram.exe
  2⤵
  - Kills process with taskkill
  PID:1800
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:3484
- C:\Windows\system32\curl.exe
  curl -s ipinfo.io/country
  2⤵
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GB194.110.13.70\google-chrome\creditcard.txt

Filesize
1KB

MD5
dea7fabb1b7cf2df9681fdef82889e76

SHA1
0557a00f80857b8718805f6df479bba59a727b32

SHA256
6eaca42ff0ed132865abc8bcb40dc514b92508980f0ee9432e9602fb64131f49

SHA512
c82ca9bde13fe5e196856c21efe68178f4d732cd7d59c708c6ff8b6c34b38f143d2cec112a777d8e616fdee6941de42777b1ac152b814427deff23a006fa8638

Download Submit
memory/3580-0-0x00007FF7499A0000-0x00007FF74A212000-memory.dmp

Filesize
8.4MB

Download
memory/3580-2-0x00007FF7499A0000-0x00007FF74A212000-memory.dmp

Filesize
8.4MB

Download
memory/3580-4-0x00007FF7499A0000-0x00007FF74A212000-memory.dmp

Filesize
8.4MB

Download