57f5fc8c226271922647f2f3ff279ad3fdf1bbd17977e5c59661e0b3729d9694

Analysis

max time kernel
1200s
max time network
1189s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30/09/2024, 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Molly.exe
Size

177.3MB
MD5

9dc4fefd3acc0d79986ea38ac2dc9ab6
SHA1

ef922903fa07071af9ec86172e0dd110cb1bc9d4
SHA256

38e6620b6bd437aa9cdc0be36e8a25de67bdcb147913d3da79585ec61a834fdd
SHA512

728de6eb34c4cc5158ce2edeebf45a39815fc9134775a6ad4d25dc275ed4016f6c0d32a03ed8e39d9f99b7e3ba0f092aacfac87c1186b4123416109289c290b7
SSDEEP

1572864:8+vbimZ3RqPfrrW/GDt+wy2tXgJdtEaxMz6lMp1rJ/Gk/QeF/anRq9A4CGdhVnau:8A5kyGScXQT

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32Kernal = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Molly.exe -silent"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
15	discord.com
5	raw.githubusercontent.com
11	raw.githubusercontent.com
18	discord.com
24	discord.com
7	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
3	raw.githubusercontent.com
6	raw.githubusercontent.com
8	raw.githubusercontent.com
9	raw.githubusercontent.com
10	raw.githubusercontent.com
1	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
16	ipinfo.io

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
2244	cmd.exe
1700	cmd.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1364	tasklist.exe
1196	tasklist.exe
5032	tasklist.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Molly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Molly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Molly.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Molly.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Molly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Molly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Molly.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2552	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3476	WMIC.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2480	powershell.exe
1964	powershell.exe
2480	powershell.exe
1964	powershell.exe
1964	powershell.exe
2480	powershell.exe
444	powershell.exe
444	powershell.exe
1468	powershell.exe
1468	powershell.exe
2860	powershell.exe
2860	powershell.exe
968	Molly.exe
968	Molly.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2520	Molly.exe
Token: SeCreatePagefilePrivilege	2520	Molly.exe
Token: SeIncreaseQuotaPrivilege	2552	WMIC.exe
Token: SeSecurityPrivilege	2552	WMIC.exe
Token: SeTakeOwnershipPrivilege	2552	WMIC.exe
Token: SeLoadDriverPrivilege	2552	WMIC.exe
Token: SeSystemProfilePrivilege	2552	WMIC.exe
Token: SeSystemtimePrivilege	2552	WMIC.exe
Token: SeProfSingleProcessPrivilege	2552	WMIC.exe
Token: SeIncBasePriorityPrivilege	2552	WMIC.exe
Token: SeCreatePagefilePrivilege	2552	WMIC.exe
Token: SeBackupPrivilege	2552	WMIC.exe
Token: SeRestorePrivilege	2552	WMIC.exe
Token: SeShutdownPrivilege	2552	WMIC.exe
Token: SeDebugPrivilege	2552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2552	WMIC.exe
Token: SeRemoteShutdownPrivilege	2552	WMIC.exe
Token: SeUndockPrivilege	2552	WMIC.exe
Token: SeManageVolumePrivilege	2552	WMIC.exe
Token: 33	2552	WMIC.exe
Token: 34	2552	WMIC.exe
Token: 35	2552	WMIC.exe
Token: 36	2552	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3572	WMIC.exe
Token: SeSecurityPrivilege	3572	WMIC.exe
Token: SeTakeOwnershipPrivilege	3572	WMIC.exe
Token: SeLoadDriverPrivilege	3572	WMIC.exe
Token: SeSystemProfilePrivilege	3572	WMIC.exe
Token: SeSystemtimePrivilege	3572	WMIC.exe
Token: SeProfSingleProcessPrivilege	3572	WMIC.exe
Token: SeIncBasePriorityPrivilege	3572	WMIC.exe
Token: SeCreatePagefilePrivilege	3572	WMIC.exe
Token: SeBackupPrivilege	3572	WMIC.exe
Token: SeRestorePrivilege	3572	WMIC.exe
Token: SeShutdownPrivilege	3572	WMIC.exe
Token: SeDebugPrivilege	3572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3572	WMIC.exe
Token: SeRemoteShutdownPrivilege	3572	WMIC.exe
Token: SeUndockPrivilege	3572	WMIC.exe
Token: SeManageVolumePrivilege	3572	WMIC.exe
Token: 33	3572	WMIC.exe
Token: 34	3572	WMIC.exe
Token: 35	3572	WMIC.exe
Token: 36	3572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3476	WMIC.exe
Token: SeSecurityPrivilege	3476	WMIC.exe
Token: SeTakeOwnershipPrivilege	3476	WMIC.exe
Token: SeLoadDriverPrivilege	3476	WMIC.exe
Token: SeSystemProfilePrivilege	3476	WMIC.exe
Token: SeSystemtimePrivilege	3476	WMIC.exe
Token: SeProfSingleProcessPrivilege	3476	WMIC.exe
Token: SeIncBasePriorityPrivilege	3476	WMIC.exe
Token: SeCreatePagefilePrivilege	3476	WMIC.exe
Token: SeBackupPrivilege	3476	WMIC.exe
Token: SeRestorePrivilege	3476	WMIC.exe
Token: SeShutdownPrivilege	3476	WMIC.exe
Token: SeDebugPrivilege	3476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3476	WMIC.exe
Token: SeRemoteShutdownPrivilege	3476	WMIC.exe
Token: SeUndockPrivilege	3476	WMIC.exe
Token: SeManageVolumePrivilege	3476	WMIC.exe
Token: 33	3476	WMIC.exe
Token: 34	3476	WMIC.exe
Token: 35	3476	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 4132	2520	Molly.exe	79
PID 2520 wrote to memory of 4132	2520	Molly.exe	79
PID 2520 wrote to memory of 2788	2520	Molly.exe	81
PID 2520 wrote to memory of 2788	2520	Molly.exe	81
PID 2520 wrote to memory of 4616	2520	Molly.exe	82
PID 2520 wrote to memory of 4616	2520	Molly.exe	82
PID 2520 wrote to memory of 3568	2520	Molly.exe	83
PID 2520 wrote to memory of 3568	2520	Molly.exe	83
PID 2520 wrote to memory of 2968	2520	Molly.exe	84
PID 2520 wrote to memory of 2968	2520	Molly.exe	84
PID 2520 wrote to memory of 4648	2520	Molly.exe	86
PID 2520 wrote to memory of 4648	2520	Molly.exe	86
PID 2520 wrote to memory of 3132	2520	Molly.exe	87
PID 2520 wrote to memory of 3132	2520	Molly.exe	87
PID 2520 wrote to memory of 1628	2520	Molly.exe	88
PID 2520 wrote to memory of 1628	2520	Molly.exe	88
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 4004	2520	Molly.exe	95
PID 2520 wrote to memory of 872	2520	Molly.exe	96
PID 2520 wrote to memory of 872	2520	Molly.exe	96
PID 2788 wrote to memory of 2552	2788	cmd.exe	97
PID 2788 wrote to memory of 2552	2788	cmd.exe	97
PID 2788 wrote to memory of 4588	2788	cmd.exe	98
PID 2788 wrote to memory of 4588	2788	cmd.exe	98
PID 3568 wrote to memory of 3572	3568	cmd.exe	99
PID 3568 wrote to memory of 3572	3568	cmd.exe	99
PID 4648 wrote to memory of 3476	4648	cmd.exe	100
PID 4648 wrote to memory of 3476	4648	cmd.exe	100
PID 3568 wrote to memory of 3028	3568	cmd.exe	101
PID 3568 wrote to memory of 3028	3568	cmd.exe	101
PID 4648 wrote to memory of 1332	4648	cmd.exe	102
PID 4648 wrote to memory of 1332	4648	cmd.exe	102
PID 4132 wrote to memory of 1364	4132	cmd.exe	103
PID 4132 wrote to memory of 1364	4132	cmd.exe	103
PID 4616 wrote to memory of 1272	4616	cmd.exe	104
PID 4616 wrote to memory of 1272	4616	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\Molly.exe
"C:\Users\Admin\AppData\Local\Temp\Molly.exe"
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size | more +1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get size
    3⤵
    - Collects information from the system
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:2968
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4320
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:3132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2480
- C:\Users\Admin\AppData\Local\Temp\Molly.exe
  "C:\Users\Admin\AppData\Local\Temp\Molly.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\molly" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2132,i,14346351860965850527,1644374853181464871,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:4004
- C:\Users\Admin\AppData\Local\Temp\Molly.exe
  "C:\Users\Admin\AppData\Local\Temp\Molly.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\molly" --field-trial-handle=2336,i,14346351860965850527,1644374853181464871,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:11
  2⤵
  PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2520 get ExecutablePath"
  2⤵
  PID:1904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=2520 get ExecutablePath
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v System32Kernal /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Molly.exe -silent" /f"
  2⤵
  PID:3056
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v System32Kernal /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Molly.exe -silent" /f
    3⤵
    - Adds Run key to start application
    PID:4276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:2576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:692
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2936
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,24,151,86,239,181,76,93,74,158,134,220,155,64,229,251,244,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,3,45,153,119,94,6,85,2,45,204,46,171,30,224,211,129,179,152,164,104,230,54,137,115,91,63,243,153,57,247,212,78,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,212,142,217,162,112,77,45,109,215,179,110,85,185,86,43,219,103,64,216,215,116,136,73,31,166,124,208,118,185,161,100,115,48,0,0,0,8,180,55,228,201,237,74,45,9,171,204,202,99,14,72,140,211,75,133,116,223,211,62,92,178,188,66,154,95,58,87,219,170,159,73,166,151,82,98,191,183,120,189,193,60,73,65,132,64,0,0,0,105,129,254,82,169,57,21,52,41,247,87,18,60,78,236,154,64,228,83,155,14,36,224,221,112,15,138,108,170,194,69,80,144,223,128,151,195,83,142,221,252,57,89,65,98,243,64,148,90,222,172,38,37,231,19,230,235,107,185,204,163,93,157,178), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:2244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,24,151,86,239,181,76,93,74,158,134,220,155,64,229,251,244,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,3,45,153,119,94,6,85,2,45,204,46,171,30,224,211,129,179,152,164,104,230,54,137,115,91,63,243,153,57,247,212,78,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,212,142,217,162,112,77,45,109,215,179,110,85,185,86,43,219,103,64,216,215,116,136,73,31,166,124,208,118,185,161,100,115,48,0,0,0,8,180,55,228,201,237,74,45,9,171,204,202,99,14,72,140,211,75,133,116,223,211,62,92,178,188,66,154,95,58,87,219,170,159,73,166,151,82,98,191,183,120,189,193,60,73,65,132,64,0,0,0,105,129,254,82,169,57,21,52,41,247,87,18,60,78,236,154,64,228,83,155,14,36,224,221,112,15,138,108,170,194,69,80,144,223,128,151,195,83,142,221,252,57,89,65,98,243,64,148,90,222,172,38,37,231,19,230,235,107,185,204,163,93,157,178), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,24,151,86,239,181,76,93,74,158,134,220,155,64,229,251,244,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,71,143,197,19,85,1,5,87,4,161,213,40,79,109,161,161,17,82,152,14,204,39,215,13,25,12,24,72,26,11,41,42,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,190,236,94,74,48,72,249,189,135,100,175,17,227,145,137,172,143,16,10,150,16,158,210,100,176,252,96,140,80,91,240,20,48,0,0,0,101,71,169,123,217,120,70,236,126,22,244,87,234,31,195,173,121,102,130,22,9,99,2,216,172,165,29,176,232,0,251,8,155,213,119,16,208,94,254,196,131,250,128,115,166,174,32,101,64,0,0,0,205,126,197,64,250,142,0,155,123,194,151,240,244,237,250,35,92,232,223,18,138,63,86,178,20,136,230,21,37,16,3,115,143,179,244,160,81,61,178,76,102,54,188,93,172,220,230,103,100,34,174,203,248,196,74,236,17,80,2,213,81,146,97,198), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:1700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,24,151,86,239,181,76,93,74,158,134,220,155,64,229,251,244,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,71,143,197,19,85,1,5,87,4,161,213,40,79,109,161,161,17,82,152,14,204,39,215,13,25,12,24,72,26,11,41,42,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,190,236,94,74,48,72,249,189,135,100,175,17,227,145,137,172,143,16,10,150,16,158,210,100,176,252,96,140,80,91,240,20,48,0,0,0,101,71,169,123,217,120,70,236,126,22,244,87,234,31,195,173,121,102,130,22,9,99,2,216,172,165,29,176,232,0,251,8,155,213,119,16,208,94,254,196,131,250,128,115,166,174,32,101,64,0,0,0,205,126,197,64,250,142,0,155,123,194,151,240,244,237,250,35,92,232,223,18,138,63,86,178,20,136,230,21,37,16,3,115,143,179,244,160,81,61,178,76,102,54,188,93,172,220,230,103,100,34,174,203,248,196,74,236,17,80,2,213,81,146,97,198), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2860
- C:\Users\Admin\AppData\Local\Temp\Molly.exe
  "C:\Users\Admin\AppData\Local\Temp\Molly.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\molly" --gpu-preferences=UAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1796,i,14346351860965850527,1644374853181464871,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1068 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\e0623ce6d27fcfe365b3d129fd927393\Browsers\Passwords.txt

Filesize
19B

MD5
c4efd9a7b61ebf43b608440be5e33369

SHA1
926418256c277f1b11b575ec6e92ce6a844612f7

SHA256
ed4280859199da5a8f25c0c6d533d0873460ac63368c14a69bbd863ea4bfb30f

SHA512
9ea97363868d61d3d51bd3804d638b71ba8dc65260800b3a54051b4725cf08e9d9880a12422a549d94a339c7267e858a7ff5ca9428d64051657134b5c6c20745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f4af71653365c849f80f9300cdd4722b

SHA1
464e9bfbc2cf266ad93ab70c1132a09d2cb51c94

SHA256
585b3fc56e040a5d00a63137c9ef57c2bd43cc477944f749c34f4849e0995c00

SHA512
7bcda75518c5bf23eb095b11f10ce3915e2ceb744bd9123713ba162098f87729d94b6281591df9e1f187b4aecad8efe3ecb03d98842d0a72e1944af3d9efd5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_24lgf1wd.olx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/968-97-0x000001E2FA1F0000-0x000001E2FA1F1000-memory.dmp

Filesize
4KB

Download
memory/968-99-0x000001E2FA1F0000-0x000001E2FA1F1000-memory.dmp

Filesize
4KB

Download
memory/968-98-0x000001E2FA1F0000-0x000001E2FA1F1000-memory.dmp

Filesize
4KB

Download
memory/968-109-0x000001E2FA1F0000-0x000001E2FA1F1000-memory.dmp

Filesize
4KB

Download
memory/968-108-0x000001E2FA1F0000-0x000001E2FA1F1000-memory.dmp

Filesize
4KB

Download
memory/968-107-0x000001E2FA1F0000-0x000001E2FA1F1000-memory.dmp

Filesize
4KB

Download
memory/968-106-0x000001E2FA1F0000-0x000001E2FA1F1000-memory.dmp

Filesize
4KB

Download
memory/968-105-0x000001E2FA1F0000-0x000001E2FA1F1000-memory.dmp

Filesize
4KB

Download
memory/968-103-0x000001E2FA1F0000-0x000001E2FA1F1000-memory.dmp

Filesize
4KB

Download
memory/968-104-0x000001E2FA1F0000-0x000001E2FA1F1000-memory.dmp

Filesize
4KB

Download
memory/1468-60-0x0000027563A30000-0x0000027563A80000-memory.dmp

Filesize
320KB

Download
memory/2480-9-0x00000264407C0000-0x00000264407E2000-memory.dmp

Filesize
136KB

Download