Analysis
-
max time kernel
144s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-11-2024 14:06
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
333366f899b1211c3259144abeb6e7d0
-
SHA1
b0cd88a3cfb3153a6f40682143b7872ed7abb0a5
-
SHA256
f6b3275a6874dfae98dd683ff84c5d9894a17d86eb45c1cf0b621ad54a680580
-
SHA512
9697d94ef6f11fcee853bc3615fd3441bc39a529a9eb5a18f8ba81d719485ac3119f260e93b62f90f4f0521e23851c508e12ae258ba29cf914dd1b3f8d3cd1f5
-
SSDEEP
49152:nHFaJdOn16Mp9hamBcxdgirXtyBik8CqX/odohVgmaH:n8a16+3dKdgiAva/hVg
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 62 IoCs
-
Suspicious use of SendNotifyMessage 34 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007643001\GuidanceConnectors.exe"C:\Users\Admin\AppData\Local\Temp\1007643001\GuidanceConnectors.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Frequently Frequently.cmd & Frequently.cmd4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3906415⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "ConventionTroopsStudiedTooth" Version5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Accessing + ..\Entire + ..\Peripherals + ..\Et B5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comImposed.com B5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comC:\Users\Admin\AppData\Local\Temp\390641\Imposed.com6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007680001\858459d65a.exe"C:\Users\Admin\AppData\Local\Temp\1007680001\858459d65a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaa8cccc40,0x7ffaa8cccc4c,0x7ffaa8cccc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,1624251791010255927,2281550655011023639,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1988 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1584,i,1624251791010255927,2281550655011023639,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2136 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,1624251791010255927,2281550655011023639,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2268 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,1624251791010255927,2281550655011023639,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,1624251791010255927,2281550655011023639,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,1624251791010255927,2281550655011023639,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 13204⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007681001\370183b465.exe"C:\Users\Admin\AppData\Local\Temp\1007681001\370183b465.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007682001\e708f479b6.exe"C:\Users\Admin\AppData\Local\Temp\1007682001\e708f479b6.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007683001\16b7866116.exe"C:\Users\Admin\AppData\Local\Temp\1007683001\16b7866116.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {926329c0-fadb-41a4-809a-799eb14d36b0} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfd527a1-f097-4f81-8e64-3643b0f6ef66} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3448 -childID 1 -isForBrowser -prefsHandle 3660 -prefMapHandle 3328 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c45f4ef1-be7c-47a1-82b0-d82b83e6fb4c} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3476 -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 3468 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b107c96-85ca-492c-86b5-0f8d2d335e86} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4168 -prefMapHandle 2800 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {190d6ebc-8885-425c-a535-3e6b457ffb3a} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 3 -isForBrowser -prefsHandle 5580 -prefMapHandle 5588 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e99f8625-e860-4752-83f5-4928c61f76b8} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 4 -isForBrowser -prefsHandle 5708 -prefMapHandle 5724 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {271eced8-6363-42e4-9852-1ccc9dae08f6} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6008 -childID 5 -isForBrowser -prefsHandle 5928 -prefMapHandle 5932 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {346d8593-360d-41cd-9250-097e0ed35a2e} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007684001\38777644e4.exe"C:\Users\Admin\AppData\Local\Temp\1007684001\38777644e4.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1784 -ip 17841⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
19KB
MD587df942ff14aacd57c47f18974300959
SHA19f5a42e38871b8c67693a4cfc3945c75dca26b7e
SHA2564cddbac3cea8a40f842be1bc91fa15444982c2294857f7b4dfb3dafcb55b0f6a
SHA512905a7870e4b4b20715ef5e3cc268102390a5eb09d09245f3d22c859bf7a8294079fae63f24e1576b0fabb22d1fc5c5f45de6554ac715d7bb027bd04d5b85ff61
-
Filesize
13KB
MD58c0e88f10977f8ef22211745da0c3931
SHA1f8902e9055d8aea9e38461fe050a540eabe3ce62
SHA2561ff9c4e8bc50f1589fbe464830c83f4ae62f1bea404d2939a1cbe158751052f2
SHA512210e040fef66d73bd792c2a15c8bfdd1aaee4e2982c648116c305781c3fa32bf35a543d42e618c0887792003399c78bce7d46a33815ada16c876e9a9dc75260b
-
Filesize
741KB
MD5211dd0cc3da148c5bc61389693fd284f
SHA175e6bd440e37240fee4bf7ae01109093490ac5a7
SHA256645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe
SHA512628bb927b5a85674ed1f762d4c42e8e9f55859cd626ab0f01b7d47ee4c74ff5775ceafc4a45864344d5dd13e588fe60b6a121b00dac79276689d0a9970d12e89
-
Filesize
298B
MD52743e30e43eb1ce82c66a468baaab1fb
SHA1e0677bf2c2e61be4ad9298760bb5f4c549596f85
SHA256698e2f245644603eef413b2a980713ce689d3464fe3ad3cbd89da2290e7e5b6e
SHA5124d16001390bf3e933c02b197f711eca14a751372024826b5b3c2d221c1f77a28687522fc91c3671d23586b0cdbb6456df9757b91a74437d532e6fb106178cd88
-
Filesize
4.2MB
MD591118d3b44b4a457cf5acadc62b39b5d
SHA17dea33e33708ee07d3e2475b9e5511e1722a7906
SHA2568e63a9969e3c9db4816c69fe88c5d323daae5e0de24d547a73104a89694d8901
SHA512fc1ce7eb30f2cb38e23fac0111933f0550b838db8274b1d7b509826b66d10ee21b51dba3356639ddd8463258e3ce8f11c96f2df49f550ee15d7f861acc60bec4
-
Filesize
1.7MB
MD5fe4356d29b3bb9d3ebf32984fd46bb00
SHA18c5423e8ad916cb272dfe8043f659807b196253e
SHA2563d57ed7ea8ceed067458d706e5c7ef5d3d843723b1a83919536134f14d925655
SHA5129249ff698e50fc1e9c2663901c16b09c626b83354a72dec7a3494548fd5f2e6645cf9e7beb49e9b9b091c895262dddf35d7561b2c3f56a77e63413e3a30ff947
-
Filesize
1.7MB
MD51fb763b01e1ffa3ab02b53ce4b2a88fd
SHA1881d6869788ced3bb3be507abea78f569af3775e
SHA256f98936eaa24f4c5b0339ad375b53e45e505c9c65cef4480cff417157252f77b4
SHA512c714e1043a8a0121ff30ba80a19fd11a61dab6494f760474e433487a21eeec8fcf5af56b3514e00723d348538920d94ff57edd8ba7b75308ae490c4bc4c54023
-
Filesize
901KB
MD5b0302cbf18ab90a0e43b26f4b4940c46
SHA1804696c2bf2f8e35ef2dcfeb1b33c50eced20b4c
SHA2567d09a69f6aa77fa98e6a6973963b776178a53a6a7c4b48f05a66e573696b0239
SHA5121aa4e5767f4a1948cd0776ccf01865763398bc1ce72cc6df3768e74d6d30ab79006aa31ff0ee1880db99ab068fe0f2c741c55fa08697ed68f5cd54c5d362e15d
-
Filesize
2.7MB
MD5478da8ccb212d832e72cc74a96f5d373
SHA1b118765c3e0e8d4ebd05184097d8bd92bf4febfb
SHA25624727171607fbcb404b5f51928012c5893e8f751a4e11f94fda0e9479fa58616
SHA512ce399d8c8ee6bf0318ce1cf52160a67b4485fc539fed2969f2af4680a48a4c3f660545084c4fa90aa25ed17ccfa3d1942a2e26003fca753054dde9c415ce876a
-
Filesize
224KB
MD56aaa6156bca65c60437b9dcf21a8566e
SHA174c4917b5006a2af825ed9e9d3bdaff7884aa11c
SHA256fe153e9df223598b0c2bba4c345b9680b52e1e5b1f7574d649e6af6f9d08be05
SHA51202f8a158815b29cfbad62403b5177ea5e073d84103e640441d901e12b2fbc4f2cd113924d2b06b09cf045c99b58a5527f2c68e6a664d8015f646672c11567199
-
Filesize
921KB
MD578ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
Filesize
52KB
MD50487661a3be3e516ecf90432e0f1a65b
SHA1548f56668cdfde2d71e714cd4e12e3a1419dfc31
SHA2561dbfc503087ed424d8befd455c6554ba03aa4c4c5e77f7b388dc412b6a99a70e
SHA5127f9027e567876bae2302652a2d63b457bc39f439ec6cd4d7d170423c5f27aa5b0479113b7d8c436cbc08ac76450b0e56c2d8dd42a219c7ad3dbbf693f935cf77
-
Filesize
919KB
MD5c09756dea58e68a563c05c98f2ee5822
SHA190675ae3c1a7f575dee20ceee5cbf3d761aee432
SHA2560d43333d98724395292ff88d573ad31c6ff65a0ec117e3a605b1009478f91ac8
SHA512c5b0bff60c4b44f62e224a58dbd508efb20f1324c85c62de13134f909a1cfd63349402d7472940992b6447685fbb665fd28929dc6693a5f3f1222173a8c477c7
-
Filesize
82KB
MD509d17ffb85794728c964c131c287c800
SHA1a1d7a2dea5e0763de64fb28892786617d6340a86
SHA256f913264e2aa6be78dae1261782f192ae4ef565439c5ad68a51c0397b33ee1475
SHA512d174de399777b691443de3abff35dde5040d84ea06f252e86ec5b76bc2c02dc0c5c430f0ed9bab83a69e128a7cea989a1a24c6f579947e448db1cc393838b1d6
-
Filesize
32KB
MD50e9173e00715288b2d6b61407a5a9154
SHA1c7ba999483382f3c3aba56a4799113e43c3428d5
SHA256aa4685667dd6031db9c85e93a83679051d02da5a396a1ad2ef41c0bdf91baf66
SHA512bb13d5de52ea0a0178f8474fceb7e9fc2d633baceacb4e057b976cac9131152076544891d0959fa22fe293eeee942ae0f6a2fdd3d3a4c050a39549baa2cb5ecd
-
Filesize
8KB
MD5283c7e0a2d03ff8afe11a62e1869f2e5
SHA1235da34690349f1c33cba69e77ead2b19e08dbc9
SHA25638582d3231748a788012e4c27a5ac0f54f9cb0467d60ecc247a31ea165edeef9
SHA512b9ba42910d150ce9e07542a501c4134fb668f9b4af70db1ed8fa402066c8fb5025cf4bb29abd91c877571361e71c582e1e7c5350b28c7bda18d6bf184e85273e
-
Filesize
58KB
MD56337b4a0ef79ecfc7a0e70beea5d5b5b
SHA1904aaf86b183865a6337be71971148e4ef55d548
SHA256024ad40c289bfdbea25aa7c319381595c700e6e9e92a951bc2e5df8a21382630
SHA5129b88533915190062002702b2b632e648a94f086b987040d3f22f1bc718a2e58fbcb6d85a9ad17c8ee34018364cd9486d52bef91d645cfc3608aa3b592fca6b48
-
Filesize
1KB
MD551c0f6eff2d7e54810b653329e530404
SHA152aef28dab5ba3202341fe2a34f64744f268b991
SHA256a8f5d7c5caed37fa9f6dc432c1f854f32564d6cf0fec70f4bede96ba4df4dcdd
SHA512ae804726dabe115186e5ccaf7827912b48517a8a4dea8bafa2d35286bc60cb1203cbe71b6936cc269bfa82c7037bacd79d9dbb586e49909fcb1d84e99e6f3fe7
-
Filesize
1.8MB
MD5333366f899b1211c3259144abeb6e7d0
SHA1b0cd88a3cfb3153a6f40682143b7872ed7abb0a5
SHA256f6b3275a6874dfae98dd683ff84c5d9894a17d86eb45c1cf0b621ad54a680580
SHA5129697d94ef6f11fcee853bc3615fd3441bc39a529a9eb5a18f8ba81d719485ac3119f260e93b62f90f4f0521e23851c508e12ae258ba29cf914dd1b3f8d3cd1f5
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD51ea1638cd81beae7b4c69f905c82ae4a
SHA14639d92e8d222f1a576fc5ed176724d9d6cee1eb
SHA256260edb5c69ddcce2bd7f3227a792911cbac9ab18b0cb466448e8ba132ea3f671
SHA5121d58692375272ad1b3c40c01a944a112f2ac49379cebf99d842296b5a23f38aeec51b71d697026a10d47633fae94c52b0c41c80771fa5e43de819a564aec9a99
-
Filesize
8KB
MD5e0d1d7899c821a89aaeb343afbab9b97
SHA113808ba02e5804fd94d40b669ec78537e0f6b5cc
SHA2562aad5293cf5c4487197f270dd5813f807707137c4693319b832be93dd5c59945
SHA512eae5500b072dfee4082351bfc07fbf72b919669b05fa2d2633071fb8026d1b0729c714e3a10d9fe3b18547b32f3d4cab9c82770691148a715fd07332a713793f
-
Filesize
5KB
MD5cdaa5454f6f8d162ea5094c4e48151b1
SHA1a44b711d4f63dce64d871f4419f12cdd2426a766
SHA2565d11e83db950b2ff65cce7cd32aa4b1893e33048a464665946ea0869f8c4a941
SHA5124284e07a228bcc1dc631836d4cc7277c5c7d9aa45ea699e480e7fa4d6071788c5f93bd5d2c0552d7d129e836c91115ae54c2b7d9d1cd5c8b42aed289d01be3ac
-
Filesize
6KB
MD5440c398b3ea42bf7b87017572f95c304
SHA1917cf0bfae4f76e7324ee14ea32168fc0050c3a9
SHA256df0f6e695253fbe7bdf8337156d8f088ebc8ed1c3db70f2c679430f7b6ac08bb
SHA512cb8c5f0a92a13d13b10c9c7a131bc85ee5d3ce97c32be28cd575b72314a1de5b10c0ae61f2a6f6fdcae85ad4474f9339104ec6b66fba3e96a917d90e80863a0e
-
Filesize
15KB
MD5513e84695f328c0068d6be03e15b74e7
SHA17dc1364153da8e9c999f777f56e60ec3f3249da6
SHA256dd0fd3faf44886cc4b604feac49468b1e2fda88170809f320d25a2150b016183
SHA512951a7e9cf5a898ef0c10f46f5e220e187fc530f2086b0c31f7dbc2882d4604867060966a37d1235884f97985fbafebca34fb03b067214c6617539c6b0acc80b0
-
Filesize
15KB
MD5b3e49126cc965e80c600cb7a7a44fe6d
SHA19eceb605b6e8373af7afb98f194f7e2216ce1dc9
SHA25643f4f6037f9e43a10e5eadef51b76aae5c3baf13bc8ed98565db7774a061b416
SHA5127e4bdfd748afcf5cbe158182efee3da96faaa1c5d0bab774143711de634db77a793c04146a4c44c739ecbd4d93167369b904264b4ecc0d2c3816d59d671d7690
-
Filesize
671B
MD546a2f0d7ea2f4461a2142055ead543f0
SHA19b3a64d6b5f1bace45f32125f439006b2142b883
SHA256e9bc87a86299001a0c4632cec4c0a63e107f5cb45d7d35d8d6f93563b560ba26
SHA512d5a7adb19c1d32e42b4a5662aac525bf67d5a8d975098d952350b0ee1a40db47bf98cb60736380b3e4d70df0ff510b487fc0f298492e61f3660462b4671a6424
-
Filesize
982B
MD507a321e8eb34633eef997416d5222aa2
SHA10d0d56820ded2c04c90a60eb3fba1e14e35d6928
SHA25606a42b25036c318dc8193cdee1d3cb208cfeb7c92e00026f9040d7b320eae580
SHA512ec9dc647ba0f4ba1a9a4336c3f4f9405a6c91aae4b34593f1133ce8565213344468d3ea87418d817e5e1b6087284294b64b42dcea64dacec1650561184843723
-
Filesize
26KB
MD55b29f804fd366d69184548c0afae4655
SHA1e8459b13df2f5492dc79769100fbc76792a50e41
SHA2567238f4080ef530cc273ef3cc392b3abff57218d9ca13e8f2c6ce812e482dd24d
SHA5121bc9b7bdf9ec42fcb9fe4b79f58cb13e22048710c6f3ec16faed82b5256ad891711610a3043385c4c4cb8e9678873bbf43500bfb6fb8f64d12787f7aef2ff0eb
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD528a63468c9caf046bcfbe3f0e61f7b48
SHA10663139dd27f57bc81b861a5bf8d7520f7e8e243
SHA2563ee2fdf2f2e1ee94531ccc3ce547cb2f70bd03fc017276ff687dedf50d19d285
SHA512ee67f27c2e50e67f8eb674c3c0d4241ed04caac9ce4fe8bdfe28df6009b8c1ccc323e5784ee2ba9a108984337d65628cceb784bd516523d1d218cc368b52a7b0
-
Filesize
11KB
MD5ea1bc8adcfa45ca151d29f57adb2c800
SHA17129757cbc05a34b8783deeb163758245dfb4759
SHA256b3e1a7b8818929026d191ef4667e962ed49d45177d1e473d7f934df86f18a3a1
SHA512f2d58933ee91bae81e8a994a28dfb3a8867398bc988c52cf0099c7b0b916d2f34a39c03fac4889748834d5c30d82b5197a5675a107d824bd0d9ab5f00abed106
-
Filesize
10KB
MD5a09d7d93a66be78eb30ef61948567fd0
SHA1e4d00d2a78e9bd57dfc4d099629dba81c524ee8a
SHA256f89e8493d29030c4623126f4e875bab23808c6077df12f606ce9291268aa0a0c
SHA512389a37e48da7ee59e7a5e301d641ba8ce869afcb4815753afa4dbc3a6bab46454194c7daff7a31710d39a33f5531684a9a7a6ee44ab279a303f87f5f6210a789
-
Filesize
15KB
MD5151de2ac87db906c5e335b63161f440f
SHA16d65e2abb28cfad001ecbc47a9d380726d956e37
SHA256cbcee44c12563e847916c0dc99006be4846f2613f4c7e43608f7a84274bbb0f8
SHA512e057f7bb719fb924dc8d5ab9c81e9a8c4672ab2cf4aa8e135217a93ac861e91e7a8dad50fa12b2abbdeb770f047ed7bcc6ae665bd19cf7fe9cceb96fdad49c4e
-
Filesize
1.7MB
MD5c9bf38a8c81ef5f312a1835dadcbc11d
SHA1ee5c00d0da4066652adf98a16287d06a17358a34
SHA256edb0b626b14540dfbd9e81a952f44ad9752af1c53e04c3e2501aaa46ac526163
SHA5126697a5780d2308f8c5b79ae715b8f63f2dadad08aaeac88134bf07eae75de3a978c2b33368c9a828017c322c7f342e2dc67caf933ab63bc36dd04772d02bf53f
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
72KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
4.6MB
-
Filesize
4.6MB