agenttesla | 5ab0a800b90cc3a30a244cb23bcd76e7f060f7512b5b28cac0906ccf1bee3a4f

Analysis

max time kernel
115s
max time network
111s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07-09-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mairaj Cheats.exe
Size

2.2MB
MD5

e3a6a32e263cc8b3746d8dcb1c75ad23
SHA1

3cdc54b5486d8269c97d538d0ecfe88a62385f4b
SHA256

3f3d8e681557a2c490b3c3eccc11f9ae78933ed96803d3fe608b0352451f24f9
SHA512

1d5b8c6486a78f372b3adf025ad6bef53ef332317916a02d012de27804732e2f306ab0a184382f10bb42119c2ed12a08611132ff2a33532c71268822edc5e9f6
SSDEEP

49152:LyXzpqHkFAjys7tNQJ/W2nn2ITYbNbNWo4kSH3OqtwITw+W7SC+hd:JHk2jysHjZIT4bNJFY3OqtYSd

Score

10^/10

agenttesla discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/3268-26-0x00000168B2120000-0x00000168B2334000-memory.dmp	family_agenttesla

Executes dropped EXE 9 IoCs

pid	Process
996	svchost.exe
2292	Mairaj Cheats.exe
1060	svchost.exe
3268	mairaj cheats.exe
1684	icsys.icn.exe
2364	explorer.exe
5008	spoolsv.exe
2032	svchost.exe
1892	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	svchost.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.exe	explorer.exe
File opened for modification	C:\Windows\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File created	C:\Windows\svchost.exe	Mairaj Cheats.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Mairaj Cheats.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mairaj Cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mairaj Cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mairaj cheats.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	mairaj cheats.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	mairaj cheats.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
1684	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2364	explorer.exe
2032	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3268	mairaj cheats.exe
Token: SeDebugPrivilege	2788	taskmgr.exe
Token: SeSystemProfilePrivilege	2788	taskmgr.exe
Token: SeCreateGlobalPrivilege	2788	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2292	Mairaj Cheats.exe
2292	Mairaj Cheats.exe
1684	icsys.icn.exe
1684	icsys.icn.exe
2364	explorer.exe
2364	explorer.exe
5008	spoolsv.exe
5008	spoolsv.exe
2032	svchost.exe
2032	svchost.exe
1892	spoolsv.exe
1892	spoolsv.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 996	1180	Mairaj Cheats.exe	79
PID 1180 wrote to memory of 996	1180	Mairaj Cheats.exe	79
PID 1180 wrote to memory of 996	1180	Mairaj Cheats.exe	79
PID 996 wrote to memory of 2292	996	svchost.exe	80
PID 996 wrote to memory of 2292	996	svchost.exe	80
PID 996 wrote to memory of 2292	996	svchost.exe	80
PID 2292 wrote to memory of 3268	2292	Mairaj Cheats.exe	82
PID 2292 wrote to memory of 3268	2292	Mairaj Cheats.exe	82
PID 2292 wrote to memory of 1684	2292	Mairaj Cheats.exe	83
PID 2292 wrote to memory of 1684	2292	Mairaj Cheats.exe	83
PID 2292 wrote to memory of 1684	2292	Mairaj Cheats.exe	83
PID 1684 wrote to memory of 2364	1684	icsys.icn.exe	84
PID 1684 wrote to memory of 2364	1684	icsys.icn.exe	84
PID 1684 wrote to memory of 2364	1684	icsys.icn.exe	84
PID 2364 wrote to memory of 5008	2364	explorer.exe	85
PID 2364 wrote to memory of 5008	2364	explorer.exe	85
PID 2364 wrote to memory of 5008	2364	explorer.exe	85
PID 5008 wrote to memory of 2032	5008	spoolsv.exe	86
PID 5008 wrote to memory of 2032	5008	spoolsv.exe	86
PID 5008 wrote to memory of 2032	5008	spoolsv.exe	86
PID 2032 wrote to memory of 1892	2032	svchost.exe	87
PID 2032 wrote to memory of 1892	2032	svchost.exe	87
PID 2032 wrote to memory of 1892	2032	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\Mairaj Cheats.exe
"C:\Users\Admin\AppData\Local\Temp\Mairaj Cheats.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\Mairaj Cheats.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\Mairaj Cheats.exe
    "C:\Users\Admin\AppData\Local\Temp\Mairaj Cheats.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - \??\c:\users\admin\appdata\local\temp\mairaj cheats.exe
      "c:\users\admin\appdata\local\temp\mairaj cheats.exe "
      4⤵
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3268
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1684
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1892

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1060

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mairaj Cheats.exe

Filesize
2.1MB

MD5
82be11f6d05fd62a720f495790ee7a73

SHA1
26cbade92d3422b6ae47fb546ddf93ba8bc81dc3

SHA256
80c279da7ad1e6cc5e2786657328080b7d7f1879a1c76f98527d3c6c274d561c

SHA512
479dbd525dd76012dbe481207845c140bda5b37a099ea002cf06b48702518805650126f02d9a2691a72d2e08a68bb42b5ec488dde51aef7faa67eb94033cd3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mairaj cheats.exe

Filesize
2.0MB

MD5
eb778164ba6a7a90988e3445a1a6012c

SHA1
ae2c867d6337189cd3f267006be784dd4ca28380

SHA256
2037419f5e3a00bd98d53237c3a0e2e9c310daeea06149d22d030b61281454ec

SHA512
d8d07a8e77ce0a8527e7eb5e7e911c572fc71940c049298bf9473da5eb5e9d5a6a39447ec19890fb8924fa79d05a40384d9430c0cf202d3210da9f4f0f261e0f

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
cecd2892d27ef2f0d109026436e68430

SHA1
7dd7961e875894ea1229be0aa20ab447bc9b8867

SHA256
a0d5ae1fef2d3b11dce64b3ed28df8f07b4b2388503aa1523b1f9f1c52217c36

SHA512
75ca308a5ed2a39e63fba2389d4d34a98315f0ba5b9909ecaf6f939c8d9a7eb97407602fb4cefbf590adf76db5a5a41305b73714768fff9dc2dea710acd4f5b0

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
84804aa2acc29fe3df409dc9e8b38aee

SHA1
838dcb067991d21a0f88d860f92d2bb4e7125253

SHA256
05636cec032f17313da83721214f0b541f4a732b26a3570ccbed65c5c6694e9c

SHA512
5ad5dc1e06a409014874279e04ae471e0405a076654e14aa045c016137277395223ce1c3a0515c68d8a83036d582b72deaa0f085b1464c13594cb6ebcb2c7fe8

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
fd7ef32ceac2423b09a5d96f802391e0

SHA1
c86cb9e5b508ce704d811478383f49b021c96a27

SHA256
cd25dc10ec76eaeec8cd0506ff914ae93af10e9237fa0dde08e6419a30a0db26

SHA512
21f80535b29d400b0544a38bf75618a8abcdffef175d6849b4d8c513d64766e473c22b2d9e2b197750137f6adf8408b611617d3812cab237dc51c0f74c4682f4

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
f35e240c3bfe9187e1ff951de64ed9b8

SHA1
60100af753167f4483bfa8a4685d06cd46e8196f

SHA256
708507afe7aee88c823f812376ffcd60b57234160e09348aa645a18b4a6cf172

SHA512
f102fc8fdaab7967b7bac0980dee988cc6642e166027772958c6c2ed101c409030c46c148f2728af81db424aa228fce9da5c3e68b125adb38e2991bbb4418f4a

Download Submit
memory/996-13-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1060-71-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1180-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1684-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1892-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1892-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2292-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2292-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2364-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2788-84-0x0000020BEF3B0000-0x0000020BEF3B1000-memory.dmp

Filesize
4KB

Download
memory/2788-83-0x0000020BEF3B0000-0x0000020BEF3B1000-memory.dmp

Filesize
4KB

Download
memory/2788-82-0x0000020BEF3B0000-0x0000020BEF3B1000-memory.dmp

Filesize
4KB

Download
memory/2788-85-0x0000020BEF3B0000-0x0000020BEF3B1000-memory.dmp

Filesize
4KB

Download
memory/2788-86-0x0000020BEF3B0000-0x0000020BEF3B1000-memory.dmp

Filesize
4KB

Download
memory/2788-87-0x0000020BEF3B0000-0x0000020BEF3B1000-memory.dmp

Filesize
4KB

Download
memory/2788-88-0x0000020BEF3B0000-0x0000020BEF3B1000-memory.dmp

Filesize
4KB

Download
memory/2788-76-0x0000020BEF3B0000-0x0000020BEF3B1000-memory.dmp

Filesize
4KB

Download
memory/2788-77-0x0000020BEF3B0000-0x0000020BEF3B1000-memory.dmp

Filesize
4KB

Download
memory/2788-78-0x0000020BEF3B0000-0x0000020BEF3B1000-memory.dmp

Filesize
4KB

Download
memory/3268-26-0x00000168B2120000-0x00000168B2334000-memory.dmp

Filesize
2.1MB

Download
memory/3268-70-0x00007FFE44EF0000-0x00007FFE459B2000-memory.dmp

Filesize
10.8MB

Download
memory/3268-69-0x00007FFE44EF3000-0x00007FFE44EF5000-memory.dmp

Filesize
8KB

Download
memory/3268-68-0x00000168B6F50000-0x00000168B6F8C000-memory.dmp

Filesize
240KB

Download
memory/3268-27-0x00007FFE44EF0000-0x00007FFE459B2000-memory.dmp

Filesize
10.8MB

Download
memory/3268-25-0x00000168B1D80000-0x00000168B1D92000-memory.dmp

Filesize
72KB

Download
memory/3268-24-0x0000016897760000-0x0000016897964000-memory.dmp

Filesize
2.0MB

Download
memory/3268-23-0x00007FFE44EF3000-0x00007FFE44EF5000-memory.dmp

Filesize
8KB

Download
memory/3268-97-0x00007FFE44EF0000-0x00007FFE459B2000-memory.dmp

Filesize
10.8MB

Download
memory/5008-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download