Analysis

  • max time kernel
    68s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/10/2024, 12:37 UTC

General

  • Target

    10e6863438c559243979cfaf3e750d3244dbb7588dff6f12565cc8aa71c9b44dN.exe

  • Size

    3.8MB

  • MD5

    6adf7c0d3e770b9962d9c976abd5d660

  • SHA1

    3c595298d93f1bc8c456f06c517097aa98275974

  • SHA256

    10e6863438c559243979cfaf3e750d3244dbb7588dff6f12565cc8aa71c9b44d

  • SHA512

    9a7ce9b89a26643b5e5dd24713228c0280dd8de1fcf88286c4e84940597f98ab74499701492433bbe80cb23c5288fa3540012f971a996a885f27fad8145c2f12

  • SSDEEP

    98304:Dg2KK3z9OP+9Rqc7h2BSUXfcrRk0kq4DfT:E2KKjQ+9RZ7lr23r

Malware Config

Extracted

Family

gozi

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • UAC bypass 3 TTPs 1 IoCs
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 13 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 64 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10e6863438c559243979cfaf3e750d3244dbb7588dff6f12565cc8aa71c9b44dN.exe
    "C:\Users\Admin\AppData\Local\Temp\10e6863438c559243979cfaf3e750d3244dbb7588dff6f12565cc8aa71c9b44dN.exe"
    1⤵
    • UAC bypass
    • Event Triggered Execution: Image File Execution Options Injection
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2288
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4556

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6ffa70ed9de46288426158ed6e26e3f&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6ffa70ed9de46288426158ed6e26e3f&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=181BE1C8987560941CF8F4EF9973619C; domain=.bing.com; expires=Sun, 23-Nov-2025 12:38:50 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FE5629F75C9D436BA628F5AF8CB33A17 Ref B: LON601060108029 Ref C: 2024-10-29T12:38:50Z
    date: Tue, 29 Oct 2024 12:38:49 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f6ffa70ed9de46288426158ed6e26e3f&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f6ffa70ed9de46288426158ed6e26e3f&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=181BE1C8987560941CF8F4EF9973619C
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=Nt8f6X_MO1KowIi2s6yQTU2sm9h2SllOO3MXSBA9INA; domain=.bing.com; expires=Sun, 23-Nov-2025 12:38:50 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C0B1435B5A47489AB2B8D62206A9C400 Ref B: LON601060108029 Ref C: 2024-10-29T12:38:50Z
    date: Tue, 29 Oct 2024 12:38:49 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6ffa70ed9de46288426158ed6e26e3f&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6ffa70ed9de46288426158ed6e26e3f&localId=w:E8C31A05-90CA-DE8F-A29D-2E3C02D092EA&deviceId=6966572651686081&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=181BE1C8987560941CF8F4EF9973619C; MSPTC=Nt8f6X_MO1KowIi2s6yQTU2sm9h2SllOO3MXSBA9INA
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7C2C0D440A4744EEAE9A3C1A319EFC2E Ref B: LON601060108029 Ref C: 2024-10-29T12:38:50Z
    date: Tue, 29 Oct 2024 12:38:49 GMT
  • flag-us
    DNS
    10.28.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.28.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.99.105.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.99.105.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.190.18.2.in-addr.arpa
    IN PTR
    Response
    73.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response
  • flag-us
    DNS
    mine.ppxxmr.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mine.ppxxmr.com
    IN A
    Response

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

    Filesize

    5.9MB

    MD5

    ff4053d3a42db233f75cd760560e153f

    SHA1

    60a36ecba5a1a43987c2032ef528e913a9a3045f

    SHA256

    ce459c2298e23a6df87c2965e62849012008e3b63f7148ce0e02174254b79610

    SHA512

    862da989f98b2574dffad740a529dfe700a4f796c888a29e3eb758edf5f5d48c4b593540c67f15ee2ef1ef6ea223b86ee205a8598fd37a9889b709b34c9416cd

  • C:\Windows\config.json

    Filesize

    1KB

    MD5

    88c5c5706d2e237422eda18490dc6a59

    SHA1

    bb8d12375f6b995301e756de2ef4fa3a3f6efd39

    SHA256

    4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e

    SHA512

    a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

  • C:\Windows\svchost.exe

    Filesize

    833KB

    MD5

    4a87a4d6677558706db4afaeeeb58d20

    SHA1

    7738dc6a459f8415f0265d36c626b48202cd6764

    SHA256

    08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7

    SHA512

    bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

  • C:\vcredist2010_x86.log.html

    Filesize

    81KB

    MD5

    ef5828b416418ef39b7d89c59d94feb3

    SHA1

    47b6da7def9f6d2693259db0902bf47d4578beee

    SHA256

    6e7b7b3f55664a91dd6ca913dcc574dc8dc0fca3d523cd94e4b1ce52b9d172ce

    SHA512

    bd2d5a6e91644cbd2a7b10af7bcea3cd03db0e2de4352618a2e478d70c4f790eb15f2f0266fc58fa3043c38840d055668fc1c9a8f07946537bdf4605984de71e

  • memory/2288-530-0x0000000000400000-0x0000000000617000-memory.dmp

    Filesize

    2.1MB

  • memory/2288-387-0x0000000000400000-0x0000000000617000-memory.dmp

    Filesize

    2.1MB

  • memory/2288-0-0x0000000000400000-0x0000000000617000-memory.dmp

    Filesize

    2.1MB

  • memory/4556-422-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/4556-388-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/4556-424-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/4556-459-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/4556-412-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/4556-392-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/4556-531-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/4556-532-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/4556-533-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/4556-534-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/4556-535-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB
