warzonerat | 9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe
Size

10.6MB
MD5

584885e79b756d67adcacf22b63aa45f
SHA1

f82a8ccdd9c3249978b96bf97d246d093c0cdef7
SHA256

9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f
SHA512

11e8feaf2a5ec92b5270ed339a94cbd0d2911d4f3e68cf734bd55a9a3cb1135a51c543cfa08087438ab9f0b546bcdc5a2b5e127fe3c16b1463fec8834a42f794
SSDEEP

196608:PG9aKsMJK6aaZy/h2x4CI9Goz6VABDSrraGelaOV1HnkQpBtj8IxXDqQ7poZ:PnKsMJK65Y/h2x5Xoz6OBDgE5V1HkKto

Score

10^/10

warzonerat discovery infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

gggb.dvrdns.org:1515

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2540-193-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat

Executes dropped EXE 4 IoCs

pid	Process
1964	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp
2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp
2152	AutoIt3.exe
2508	AutoIt3.exe

Loads dropped DLL 6 IoCs

pid	Process
2532	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe
1964	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp
2332	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe
2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp
2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp
1464	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dheeach = "\"C:\\caefhha\\AutoIt3.exe\" C:\\caefhha\\dheeach.a3x"	AutoIt3.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
3040	tasklist.exe
2172	tasklist.exe
2692	tasklist.exe
1764	tasklist.exe
1848	tasklist.exe
568	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 2540	2508	AutoIt3.exe	64

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2852	PING.EXE
1464	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2852	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp
2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	tasklist.exe
Token: SeDebugPrivilege	1764	tasklist.exe
Token: SeDebugPrivilege	1848	tasklist.exe
Token: SeDebugPrivilege	568	tasklist.exe
Token: SeDebugPrivilege	3040	tasklist.exe
Token: SeDebugPrivilege	2172	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1964	2532	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	30
PID 2532 wrote to memory of 1964	2532	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	30
PID 2532 wrote to memory of 1964	2532	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	30
PID 2532 wrote to memory of 1964	2532	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	30
PID 2532 wrote to memory of 1964	2532	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	30
PID 2532 wrote to memory of 1964	2532	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	30
PID 2532 wrote to memory of 1964	2532	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	30
PID 1964 wrote to memory of 2332	1964	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	31
PID 1964 wrote to memory of 2332	1964	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	31
PID 1964 wrote to memory of 2332	1964	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	31
PID 1964 wrote to memory of 2332	1964	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	31
PID 2332 wrote to memory of 2752	2332	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	32
PID 2332 wrote to memory of 2752	2332	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	32
PID 2332 wrote to memory of 2752	2332	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	32
PID 2332 wrote to memory of 2752	2332	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	32
PID 2332 wrote to memory of 2752	2332	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	32
PID 2332 wrote to memory of 2752	2332	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	32
PID 2332 wrote to memory of 2752	2332	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe	32
PID 2752 wrote to memory of 1232	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	33
PID 2752 wrote to memory of 1232	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	33
PID 2752 wrote to memory of 1232	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	33
PID 2752 wrote to memory of 1232	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	33
PID 1232 wrote to memory of 2692	1232	cmd.exe	35
PID 1232 wrote to memory of 2692	1232	cmd.exe	35
PID 1232 wrote to memory of 2692	1232	cmd.exe	35
PID 1232 wrote to memory of 2840	1232	cmd.exe	36
PID 1232 wrote to memory of 2840	1232	cmd.exe	36
PID 1232 wrote to memory of 2840	1232	cmd.exe	36
PID 2752 wrote to memory of 1836	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	38
PID 2752 wrote to memory of 1836	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	38
PID 2752 wrote to memory of 1836	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	38
PID 2752 wrote to memory of 1836	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	38
PID 1836 wrote to memory of 1764	1836	cmd.exe	40
PID 1836 wrote to memory of 1764	1836	cmd.exe	40
PID 1836 wrote to memory of 1764	1836	cmd.exe	40
PID 1836 wrote to memory of 2724	1836	cmd.exe	41
PID 1836 wrote to memory of 2724	1836	cmd.exe	41
PID 1836 wrote to memory of 2724	1836	cmd.exe	41
PID 2752 wrote to memory of 2804	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	42
PID 2752 wrote to memory of 2804	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	42
PID 2752 wrote to memory of 2804	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	42
PID 2752 wrote to memory of 2804	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	42
PID 2804 wrote to memory of 1848	2804	cmd.exe	44
PID 2804 wrote to memory of 1848	2804	cmd.exe	44
PID 2804 wrote to memory of 1848	2804	cmd.exe	44
PID 2804 wrote to memory of 2000	2804	cmd.exe	45
PID 2804 wrote to memory of 2000	2804	cmd.exe	45
PID 2804 wrote to memory of 2000	2804	cmd.exe	45
PID 2752 wrote to memory of 1808	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	46
PID 2752 wrote to memory of 1808	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	46
PID 2752 wrote to memory of 1808	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	46
PID 2752 wrote to memory of 1808	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	46
PID 1808 wrote to memory of 568	1808	cmd.exe	48
PID 1808 wrote to memory of 568	1808	cmd.exe	48
PID 1808 wrote to memory of 568	1808	cmd.exe	48
PID 1808 wrote to memory of 1444	1808	cmd.exe	49
PID 1808 wrote to memory of 1444	1808	cmd.exe	49
PID 1808 wrote to memory of 1444	1808	cmd.exe	49
PID 2752 wrote to memory of 584	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	50
PID 2752 wrote to memory of 584	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	50
PID 2752 wrote to memory of 584	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	50
PID 2752 wrote to memory of 584	2752	9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp	50
PID 584 wrote to memory of 3040	584	cmd.exe	52
PID 584 wrote to memory of 3040	584	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe
"C:\Users\Admin\AppData\Local\Temp\9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\is-HO4IO.tmp\9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HO4IO.tmp\9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp" /SL5="$40016,10105934,812544,C:\Users\Admin\AppData\Local\Temp\9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe
    "C:\Users\Admin\AppData\Local\Temp\9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe" /VERYSILENT /NORESTART
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\is-DHG77.tmp\9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DHG77.tmp\9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp" /SL5="$50016,10105934,812544,C:\Users\Admin\AppData\Local\Temp\9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.exe" /VERYSILENT /NORESTART
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
      - C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        6⤵
        
        PID:2840
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1836
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
      - C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        6⤵
        
        PID:2724
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
      - C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        6⤵
        
        PID:2000
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
      - C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        6⤵
        
        PID:1444
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:584
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
      - C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        6⤵
        
        PID:1784
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        5⤵
        
        PID:1976
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
      - C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        6⤵
        
        PID:2480
    - - C:\Users\Admin\AppData\Local\yellowbill\AutoIt3.exe
        
        "C:\Users\Admin\AppData\Local\yellowbill\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\yellowbill\\facewise1.a3x"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\VdnyAEJb.a3x && del C:\ProgramData\\VdnyAEJb.a3x
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\yellowbill\AutoIt3.exe
        
        AutoIt3.exe C:\ProgramData\\VdnyAEJb.a3x
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        8⤵
        
        PID:1276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\yellowbill\facewise.csv

Filesize
323KB

MD5
b0bfc94b7178a02db27a20f19984f2aa

SHA1
5cf87b30dc35a36befb2be64630e7c0eeb02c886

SHA256
4bdb2abb3896ef2b4ff1a118cd41e4480e8d6e7f6c7f8542a79c4a2bb9fd84b5

SHA512
a5327e9c4c00883090339e3cb57d54a7767cdc54f75cfd6ba3baac64dfce492bd44b3623e4b9b9fbe9ce8ca9301f6cdc9d105bb97cf61dc90da799f48acfabe6

Download Submit
C:\Users\Admin\AppData\Local\yellowbill\facewise1.a3x

Filesize
59KB

MD5
b88a09ae0d50c4c49cd2df094ba4b2c8

SHA1
c82be81541102df29c5afd976b3d4cbfb120d4af

SHA256
1e959dce9a123e16e5d8650a5f5f14e2989ee5a985fe02ad90f0a0cf69368576

SHA512
55174d283d4e45a37b586f57bf533d25f94ad2e3423d7197df3d62e9298d76408219012aab6b093e23eccfdd90ccee370dfe97d5f36731965a16470f1abc13c9

Download Submit
\Users\Admin\AppData\Local\Temp\is-0952D.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-HO4IO.tmp\9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f.tmp

Filesize
3.1MB

MD5
9ac4a827a4d69f331fe1e35ef8409c7f

SHA1
57351bfbcf6096c25bad92d14706094220792ac3

SHA256
f8f9771ca792839ffc044e8213b9cb7ad95ce18be060cfcba132ba7d1deee51a

SHA512
44b671008fce57e86c5ba7dced950131e81eeafa06a23f756eabe512c74fa704b54e5f409fad1b37180b27c582cee95872b2ed41f287d5b1c5e5a3c9eeb7f4ea

Download Submit
\Users\Admin\AppData\Local\yellowbill\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
memory/1964-17-0x0000000000CB0000-0x0000000000FE4000-memory.dmp

Filesize
3.2MB

Download
memory/1964-8-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2332-181-0x0000000000A70000-0x0000000000B44000-memory.dmp

Filesize
848KB

Download
memory/2332-15-0x0000000000A70000-0x0000000000B44000-memory.dmp

Filesize
848KB

Download
memory/2532-19-0x0000000000A70000-0x0000000000B44000-memory.dmp

Filesize
848KB

Download
memory/2532-0-0x0000000000A70000-0x0000000000B44000-memory.dmp

Filesize
848KB

Download
memory/2532-2-0x0000000000A71000-0x0000000000B19000-memory.dmp

Filesize
672KB

Download
memory/2540-192-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2540-193-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2752-179-0x0000000000E50000-0x0000000001184000-memory.dmp

Filesize
3.2MB

Download