Analysis
-
max time kernel
143s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
10-10-2024 11:54
General
-
Target
1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
-
Size
1.8MB
-
MD5
1ffa4102583628826fa4536dbbf521a0
-
SHA1
c3cc8501e03cd7b7694c634bc78948dd493c6168
-
SHA256
1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69
-
SHA512
8a8b16f9b0d4073cb65fcc2c127ac1d724f5fe198ef1f80e0429b158fd7904fdaf627b4042a077bba79ab6b13c22a1e4c20712815c7850fe4b8395ee1d097c21
-
SSDEEP
24576:0ecBq+jT6+HkDP6KYigqqUpqjNdoBnMz45cRBTjUW8+AqaOeIJNJ472db8Onu9I7:sVTSDCIgqqmqb4qAnXoJ47Sb8OoIKjS
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
lumma
https://drawwyobstacw.sbs
https://condifendteu.sbs
https://ehticsprocw.sbs
https://vennurviot.sbs
https://resinedyw.sbs
https://enlargkiw.sbs
https://allocatinow.sbs
https://mathcucom.sbs
https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store
Extracted
stealc
default_valenciga
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29862
Extracted
stealc
doma
http://185.215.113.37
-
url_path
/e2b1563c6670f193.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 22 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 49 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 9 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of FindShellTrayWindow 16 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe"C:\Users\Admin\AppData\Local\Temp\1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1485⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 964⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\nTpPMYq9Xn.exe"C:\Users\Admin\AppData\Roaming\nTpPMYq9Xn.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\K9xbKzMqpV.exe"C:\Users\Admin\AppData\Roaming\K9xbKzMqpV.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 524⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000354001\e32d09a575.exe"C:\Users\Admin\AppData\Local\Temp\1000354001\e32d09a575.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000355001\6924c8673a.exe"C:\Users\Admin\AppData\Local\Temp\1000355001\6924c8673a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000332001\85643054ac.exe"C:\Users\Admin\AppData\Local\Temp\1000332001\85643054ac.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.0.280509401\1166547768" -parentBuildID 20221007134813 -prefsHandle 1196 -prefMapHandle 1176 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d1eb195-feed-4b5e-868f-bd754d1e8cc4} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 1280 ffd6758 gpu8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.1.1723077625\1076907325" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f632f44a-a875-4cce-a7f4-fd51d562ff61} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 1532 4bed958 socket8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.2.572771533\2049215563" -childID 1 -isForBrowser -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77d9880a-2521-46ec-bb14-c45405c83f6c} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 2120 19054258 tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.3.1227116468\164754808" -childID 2 -isForBrowser -prefsHandle 2516 -prefMapHandle 2512 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7265a2cd-0c27-4406-a4ca-27d82dd9e5d9} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 2560 e69e58 tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.4.127166720\980754429" -childID 3 -isForBrowser -prefsHandle 1048 -prefMapHandle 3424 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3bdec18-16ec-4a2d-b2e6-754ef961a858} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 3880 1f7b5558 tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.5.2145284247\609478473" -childID 4 -isForBrowser -prefsHandle 3984 -prefMapHandle 3988 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15be3fcd-be06-46ea-987c-8dbdf8ab71fc} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 3972 1f7b5e58 tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.6.1624547149\887711021" -childID 5 -isForBrowser -prefsHandle 4116 -prefMapHandle 4120 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {907ba0ef-78a7-4693-ad3b-a546698c5dec} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 4104 20a82658 tab8⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe"C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1000349001\a422b24284.exe"C:\Users\Admin\AppData\Local\Temp\1000349001\a422b24284.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\1000350002\0014c93397.exe"C:\Users\Admin\1000350002\0014c93397.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\1000082001\sadsay.exe"C:\Users\Admin\AppData\Local\Temp\1000082001\sadsay.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start context.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\context.execontext.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 7326⤵
- Loads dropped DLL
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "InstallUtil.exe"6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 16⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {5AED2633-AE79-462E-A9C8-57EEE8E060CA} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5887dd87d006b94420625ba556f53799a
SHA1b8c702e943c02ae4485633a5b79156f3b783d777
SHA256a6b4ae8327f5b69ba9e29dac21340e048739251d0bdcf78c0f9071f8996eb028
SHA51272c8f22262648bb7ab7e34ceb816b8744ed4cffbc619633fc3456495d7942f060cd4a3874626ae78d91158ddec7eb55cbab76450730549040f2ca85fdc99e2d8
-
Filesize
27KB
MD5c648b9e97dfd3dc2fe1d2223d60af286
SHA1dec597bb26200c6ce1b7abb82e78c01681cbc5f3
SHA256e3e298302ad62f691b550bf4b1298f04dca8eff5fc49ee1b285a8484acd2bc64
SHA5128de7dc80a7f4aa3ee2a7886756fc26d02cdd91c2a09e2670b5d4463db78e1c5e3bd6b5688fb518e8e68e163e107356939dcb91beb281b42dd6be02b8e667bc5e
-
Filesize
566KB
MD5049b6fe48a8cfb927648ad626aba5551
SHA19555d23104167e4fad5a178b4352831ce620b374
SHA256b78402483c46cd37e2c204d95690aa2a213616a1f904d779ceec0e22fcdd6531
SHA512ed787f90966ca1ea4b1e67c4026dd44393c7d312cd52e376f4ba5e5c49616938ec9e913044def29b40b441eb4c913a5134bb78317a179f62067bef3f9d913c7e
-
Filesize
1.4MB
MD5e6d27b60afe69ac02b1eaec864c882ae
SHA1a72b881867b7eaa9187398bd0e9e144af02ffff4
SHA256aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75
SHA5124f11fc2b36589fc9ff7dc5afd27cb91614f6a89bfd60942baebef025f53cb56ed7413abeff57fc7c85b3a2a4b0feec2649d5c5a856d3e2e9c13f6a0d8c777764
-
Filesize
307KB
MD568a99cf42959dc6406af26e91d39f523
SHA1f11db933a83400136dc992820f485e0b73f1b933
SHA256c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3
SHA5127342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75
-
Filesize
18B
MD5174ef859dfe296a48628dc40ef8e05ed
SHA159a0e43e3ae9c8f638932b9cf83bf62ad91fb2b7
SHA25684520353f099eee2117b00aa16cde461e573a835e8ddd64334efd871d4ce292c
SHA512c6d0e9d1842a4ce05929f8941b8e30729567626cf1594f3b11958cde9347e1d8e8cde5f9f9584953122fd035fedec0b09c0bd184abc0f33eac4862d85e164ebe
-
Filesize
7.4MB
MD5735bb5f55a17215700840c04a8b40a03
SHA155e0828c6d08653939eee2b1af8fd737e92266c4
SHA2565ea6a5e3bc6c02cc41637028050c3738c38a07917e373637928b314c5d22f84d
SHA5127e742677e35099d8cd4a5163eea6633e3ec7deeb4840aba1f8adad8f0022e72f7416ac6367802eceab8f9f2e9dd04e1546b141e911495d025b98575a92f3865c
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
898KB
MD50ad2049d8b4df183c06164d94d4b6508
SHA148961f704a95e903fa891703508da8e06e8eba8f
SHA25689b7c67769013b26ca8c34cb2cd64c4de25a24f30073995064ea4364a7004ffc
SHA512e32b7be09d8d654086af0f339de9aed19e6fcd672b6028944493904efb1dfd6a1dfc28baaf70c633faa9c846f2a53faaf3a35cb281892d55c5cd23262b0c5e9e
-
Filesize
307KB
MD5791fcee57312d4a20cc86ae1cea8dfc4
SHA104a88c60ae1539a63411fe4765e9b931e8d2d992
SHA25627e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d
SHA5122771d4e7b272bf770efad22c9fb1dfafe10cbbf009df931f091fb543e3132c0efda16acb5b515452e9e67e8b1fc8fe8aedd1376c236061385f026865cdc28d2c
-
Filesize
1.8MB
MD5048b91203c2fdaa52742e70aa99f2760
SHA1f019f2f95da287543af40f0c41b4d004847fbfec
SHA256cde9b0a7742f4ed0bfe52113b99df9f1f19c3220a8684d6ecf56858c603da8e6
SHA512735cd553bac41c0dfdf173af979edfaa7599665155d59d601c133ca1c64f03678e6246a2868b5c4e0de44c998c139e3b5e5f14b5022d6e4797b72754b692327b
-
Filesize
1.7MB
MD5c3dee17f7a6e04c6a94900e983d7b1de
SHA1abf9960500584291502a13c673b1d61a532abea7
SHA256cdae0c43f4c349865f4102d5245233090455ca440d90c3def212fbf67f9ed3ab
SHA5127bb07b0cc46566ac49783ae49b9dbb876c792ffd49921a622f936471d8adda717aa54d5a5b31422eb86519e15e031c3f603cc22b9140da58a8b7885eb1618da6
-
Filesize
1.8MB
MD580e870365fc11d4d9719aa90ac55e9b1
SHA110c4a55d2efa7fbdd66c45472db32265697fe22b
SHA2565113adc392bf57e65e9c8acc1daca89897837d169572b9b8ec2d226b5efe8d56
SHA512aadf3549cd8c7dbad88c18619a0a244d7d2a55ba8d6f42e10382cc2e6310fe7c2fb826666624929fad55314b5ec6edd0ce289a96e3877b038c334eb6c8d842a4
-
Filesize
314KB
MD5ff5afed0a8b802d74af1c1422c720446
SHA17135acfa641a873cb0c4c37afc49266bfeec91d8
SHA25617ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10
SHA51211724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
6KB
MD5c042782226565f89ce3954489075e516
SHA1256dd5ba42837a33c7aa6cb71cef33d5617117ee
SHA256a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6
SHA5129f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd
-
Filesize
1.1MB
MD5ed9393d5765529c845c623e35c1b1a34
SHA1d3eca07f5ce0df847070d2d7fe5253067f624285
SHA25653cd2428c9883acca7182781f22df82c38f8cc115dc014b68e32f8b1cdbf246a
SHA512565f66ef604b10d5be70920d9813e58f5bde174d6a6d30eb8654f467775da8a665c555b7e4127fc22f8a5a5b54466137bde228fd932335517dd017d0ea51f3f8
-
Filesize
1.8MB
MD51ffa4102583628826fa4536dbbf521a0
SHA1c3cc8501e03cd7b7694c634bc78948dd493c6168
SHA2561f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69
SHA5128a8b16f9b0d4073cb65fcc2c127ac1d724f5fe198ef1f80e0429b158fd7904fdaf627b4042a077bba79ab6b13c22a1e4c20712815c7850fe4b8395ee1d097c21
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
393KB
MD57d7366ab79d6d3d8d83d13a8b30de999
SHA175c6c49a6701d254c3ce184054a4a01329c1a6f3
SHA2563d66fed04c76d055c6149b33dcfda544b509c57087c57a861e1d6256b59f8465
SHA51264f4551b3be1c21ce7c2d49608463e5aec4166e3e6893883c33a5b7d1109ef0fc8ab6bd15c70d9d606e2706f12a937c2d90d5bc8f6c629ad6f30f212dc25f022
-
Filesize
11KB
MD53cb77806da844dbc886aeaa023d891db
SHA1b7e1b9f1aa47ebbe47f350582c643244eaef46ca
SHA256e2c9fb8858e9878ff0747b50abfc59b21ff0f2d85c8082a7c28761be8de49b76
SHA5127b55eabe5d5668387d2d338a5520c7960f20500f444bed95b86b3e883281043519bd6ca998ccfdc76d77062f22531c84117b33ed60e148960dba3ffda45d89d1
-
Filesize
745B
MD5af8e151dcdaf9563adfd5f88a0ab4bac
SHA14b509d5caee79ffa6a78e277674afc5f465dcc58
SHA256bddcd2988c3c7cb6143393042e8d3b17104e2530d62402f454d801e67e1ba1c7
SHA5126d8b63ebe5bf83a71fe45b887cf38ec91252e4b2bca06d79ca5711b1558bbc16247b4ada189bd83e20457c2de520402b98874e8d226f6f32f8a9a985d5bf0186
-
Filesize
6KB
MD558ca7e512217449fddf054cf14f870da
SHA1b6c23e01cea0854a52978e0c62d0bec92c0ebc5e
SHA256254bc889fc0263de50c392b7cdc0ff9bc529dafc627b8f4cde7fef5534f61832
SHA512ddae9dae86db49b10eeebce481e37504b26cbd44c9aa6ba68ecd3d3273527091717bedeba2135a70b5b44f736a1a5159a15c10d6354b8d6b524de30e95343c91
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
602KB
MD5e4fc58d334930a9d6572c344e5129f6b
SHA1d38fbd0c4c86eee14722f40cc607e2128c01b00f
SHA256973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a
SHA512a69f5da8de8c9782769cca2e2fc5b28bbeba0c0d0027954dbe47b15610d82277abbe912f0e5921a18000f1a3a3c54eb5922f70c773537a22f4b35ff926d17a59
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
972KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
336KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
4KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
624KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.4MB
-
Filesize
4.7MB
-
Filesize
6.5MB
-
Filesize
2.4MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4.7MB
-
Filesize
6.5MB
-
Filesize
1.1MB
-
Filesize
528KB
-
Filesize
416KB
-
Filesize
6.5MB
-
Filesize
2.4MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
1.1MB
-
Filesize
6.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.5MB
-
Filesize
6.5MB