Analysis
-
max time kernel
138s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19-09-2024 01:54
Static task
static1
Behavioral task
behavioral1
Sample
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
Resource
win10v2004-20240802-en
General
-
Target
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
-
Size
11.2MB
-
MD5
4fa734db8e9f7ce5ecd217b34ecc6969
-
SHA1
fbfc15ded2ebd130c92d812c26dc052561f7ff83
-
SHA256
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b
-
SHA512
76ffd5839721ba668762c4458fd8da8fa8edc656c232e5957c253acc67c599846b89bc9acda1ec8dc5b07d229e143d3deca415c528ba4c04bf9264670f74f48a
-
SSDEEP
196608:FfhVx6cyJczra+6msUjFD8rXPLJy5rRUlXmBPzLMAoUsJBK7iskeDqQ7poZ:FfrABJq2+6mnD8b9y9RU8zLMAoUsJBKK
Malware Config
Signatures
-
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1784-188-0x0000000000400000-0x00000000004C6000-memory.dmp family_sectoprat -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
AutoIt3.exef358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpdescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation AutoIt3.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp -
Executes dropped EXE 4 IoCs
Processes:
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpf358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpAutoIt3.exeAutoIt3.exepid Process 468 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 464 AutoIt3.exe 1288 AutoIt3.exe -
Loads dropped DLL 2 IoCs
Processes:
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpf358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmppid Process 468 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
AutoIt3.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" AutoIt3.exe -
Enumerates processes with tasklist 1 TTPs 6 IoCs
Processes:
tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exepid Process 512 tasklist.exe 3292 tasklist.exe 4044 tasklist.exe 856 tasklist.exe 528 tasklist.exe 1440 tasklist.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
AutoIt3.exedescription pid Process procid_target PID 1288 set thread context of 1784 1288 AutoIt3.exe 122 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
AutoIt3.exePING.EXEAutoIt3.exef358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exef358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpf358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exef358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpcmd.exeMSBuild.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AutoIt3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AutoIt3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
PING.EXEcmd.exepid Process 1396 PING.EXE 3724 cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
AutoIt3.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AutoIt3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AutoIt3.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpMSBuild.exepid Process 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 1784 MSBuild.exe 1784 MSBuild.exe 1784 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exeMSBuild.exedescription pid Process Token: SeDebugPrivilege 512 tasklist.exe Token: SeDebugPrivilege 3292 tasklist.exe Token: SeDebugPrivilege 4044 tasklist.exe Token: SeDebugPrivilege 856 tasklist.exe Token: SeDebugPrivilege 528 tasklist.exe Token: SeDebugPrivilege 1440 tasklist.exe Token: SeDebugPrivilege 1784 MSBuild.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmppid Process 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
MSBuild.exepid Process 1784 MSBuild.exe -
Suspicious use of WriteProcessMemory 62 IoCs
Processes:
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exef358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpf358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exef358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpcmd.execmd.execmd.execmd.execmd.execmd.exeAutoIt3.execmd.exeAutoIt3.exedescription pid Process procid_target PID 1684 wrote to memory of 468 1684 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe 82 PID 1684 wrote to memory of 468 1684 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe 82 PID 1684 wrote to memory of 468 1684 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe 82 PID 468 wrote to memory of 3768 468 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 83 PID 468 wrote to memory of 3768 468 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 83 PID 468 wrote to memory of 3768 468 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 83 PID 3768 wrote to memory of 4844 3768 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe 84 PID 3768 wrote to memory of 4844 3768 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe 84 PID 3768 wrote to memory of 4844 3768 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe 84 PID 4844 wrote to memory of 2700 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 85 PID 4844 wrote to memory of 2700 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 85 PID 2700 wrote to memory of 512 2700 cmd.exe 87 PID 2700 wrote to memory of 512 2700 cmd.exe 87 PID 2700 wrote to memory of 4916 2700 cmd.exe 88 PID 2700 wrote to memory of 4916 2700 cmd.exe 88 PID 4844 wrote to memory of 4124 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 90 PID 4844 wrote to memory of 4124 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 90 PID 4124 wrote to memory of 3292 4124 cmd.exe 92 PID 4124 wrote to memory of 3292 4124 cmd.exe 92 PID 4124 wrote to memory of 3304 4124 cmd.exe 93 PID 4124 wrote to memory of 3304 4124 cmd.exe 93 PID 4844 wrote to memory of 4340 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 94 PID 4844 wrote to memory of 4340 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 94 PID 4340 wrote to memory of 4044 4340 cmd.exe 96 PID 4340 wrote to memory of 4044 4340 cmd.exe 96 PID 4340 wrote to memory of 3340 4340 cmd.exe 97 PID 4340 wrote to memory of 3340 4340 cmd.exe 97 PID 4844 wrote to memory of 2428 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 98 PID 4844 wrote to memory of 2428 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 98 PID 2428 wrote to memory of 856 2428 cmd.exe 100 PID 2428 wrote to memory of 856 2428 cmd.exe 100 PID 2428 wrote to memory of 3080 2428 cmd.exe 101 PID 2428 wrote to memory of 3080 2428 cmd.exe 101 PID 4844 wrote to memory of 540 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 102 PID 4844 wrote to memory of 540 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 102 PID 540 wrote to memory of 528 540 cmd.exe 104 PID 540 wrote to memory of 528 540 cmd.exe 104 PID 540 wrote to memory of 1536 540 cmd.exe 105 PID 540 wrote to memory of 1536 540 cmd.exe 105 PID 4844 wrote to memory of 4400 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 106 PID 4844 wrote to memory of 4400 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 106 PID 4400 wrote to memory of 1440 4400 cmd.exe 108 PID 4400 wrote to memory of 1440 4400 cmd.exe 108 PID 4400 wrote to memory of 1312 4400 cmd.exe 109 PID 4400 wrote to memory of 1312 4400 cmd.exe 109 PID 4844 wrote to memory of 464 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 110 PID 4844 wrote to memory of 464 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 110 PID 4844 wrote to memory of 464 4844 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 110 PID 464 wrote to memory of 3724 464 AutoIt3.exe 117 PID 464 wrote to memory of 3724 464 AutoIt3.exe 117 PID 464 wrote to memory of 3724 464 AutoIt3.exe 117 PID 3724 wrote to memory of 1396 3724 cmd.exe 119 PID 3724 wrote to memory of 1396 3724 cmd.exe 119 PID 3724 wrote to memory of 1396 3724 cmd.exe 119 PID 3724 wrote to memory of 1288 3724 cmd.exe 121 PID 3724 wrote to memory of 1288 3724 cmd.exe 121 PID 3724 wrote to memory of 1288 3724 cmd.exe 121 PID 1288 wrote to memory of 1784 1288 AutoIt3.exe 122 PID 1288 wrote to memory of 1784 1288 AutoIt3.exe 122 PID 1288 wrote to memory of 1784 1288 AutoIt3.exe 122 PID 1288 wrote to memory of 1784 1288 AutoIt3.exe 122 PID 1288 wrote to memory of 1784 1288 AutoIt3.exe 122
Processes
-
C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\is-3H7UE.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp"C:\Users\Admin\AppData\Local\Temp\is-3H7UE.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$70048,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\is-TKEFR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp"C:\Users\Admin\AppData\Local\Temp\is-TKEFR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$D0044,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:512
-
-
C:\Windows\system32\find.exefind /I "wrsa.exe"6⤵PID:4916
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3292
-
-
C:\Windows\system32\find.exefind /I "opssvc.exe"6⤵PID:3304
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4044
-
-
C:\Windows\system32\find.exefind /I "avastui.exe"6⤵PID:3340
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:856
-
-
C:\Windows\system32\find.exefind /I "avgui.exe"6⤵PID:3080
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:528
-
-
C:\Windows\system32\find.exefind /I "nswscsvc.exe"6⤵PID:1536
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
C:\Windows\system32\find.exefind /I "sophoshealth.exe"6⤵PID:1312
-
-
-
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\bZmNBr.a3x && del C:\ProgramData\\bZmNBr.a3x6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.17⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1396
-
-
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exeAutoIt3.exe C:\ProgramData\\bZmNBr.a3x7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1784
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\is-3H7UE.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
Filesize3.1MB
MD581636f80b1e7c0b8f946c8ff0081436a
SHA19e7b01f8324e089b925cb9050ce74cd099c58370
SHA256ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35
SHA51267432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
921KB
MD53f58a517f1f4796225137e7659ad2adb
SHA1e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA2561da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634
-
Filesize
940KB
MD50bc6d1c595e440233c6daa45813657a0
SHA13a04c1fcd93642fe7b0ad47d67c29344ebddc9a3
SHA2561841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac
SHA5120fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f
-
Filesize
62KB
MD5647d824a19511783d1a011f8b775c1d4
SHA146b0213afa55d27a688e9729ac120d4574318cb5
SHA2568674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b
SHA512ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f