Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
21-11-2024 21:25
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
6aed281d1464e3a53839bbd9e7190535
-
SHA1
8ea6e9ec2eb3970e0c361538fb6dbd074e5fa6c2
-
SHA256
a20abe49e71912d860044fdf813c7fb90f32fde51097db4b689cac9c8f7a9ac9
-
SHA512
3d3312dbc5d3537143f8ee75097e9dfa5a88c59b3d0079461a6878ba1aafa232a131e8078dbf08d5e62bdd84f5833e900d4b8e0f37e80b3bbcab996b725e5366
-
SSDEEP
49152:FWpKS5ThF8/65kDlsW+eN3hyN0T3VsPhGlhFr5:FWcSKUkDlsJ0q0lfr
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
xworm
87.120.112.33:8398
-
Install_directory
%LocalAppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detect Xworm Payload 2 IoCs
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 12 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 25 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 50 IoCs
-
Suspicious use of SendNotifyMessage 13 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-VKU7R.tmp\FunnyJellyfish.tmp"C:\Users\Admin\AppData\Local\Temp\is-VKU7R.tmp\FunnyJellyfish.tmp" /SL5="$601CA,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /T 36⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-K9ED3.tmp\FunnyJellyfish.tmp"C:\Users\Admin\AppData\Local\Temp\is-K9ED3.tmp\FunnyJellyfish.tmp" /SL5="$201FA,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"8⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"9⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008024001\a8487b03c7.exe"C:\Users\Admin\AppData\Local\Temp\1008024001\a8487b03c7.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef55a9758,0x7fef55a9768,0x7fef55a97785⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1208,i,9298308196872979219,16865077043472708026,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1208,i,9298308196872979219,16865077043472708026,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1208,i,9298308196872979219,16865077043472708026,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2328 --field-trial-handle=1208,i,9298308196872979219,16865077043472708026,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1208,i,9298308196872979219,16865077043472708026,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1208,i,9298308196872979219,16865077043472708026,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1400 --field-trial-handle=1208,i,9298308196872979219,16865077043472708026,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 9564⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008025001\a1cfa8b7ed.exe"C:\Users\Admin\AppData\Local\Temp\1008025001\a1cfa8b7ed.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008026001\64027aeec4.exe"C:\Users\Admin\AppData\Local\Temp\1008026001\64027aeec4.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008027001\90916c0f4d.exe"C:\Users\Admin\AppData\Local\Temp\1008027001\90916c0f4d.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.0.281316900\782213611" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8da41cc-d5b7-43af-8d06-a79e21430c0d} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 1284 44f8358 gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.1.1246268997\1552085912" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74313881-513b-4109-8658-fbe4146837e3} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 1500 e73f58 socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.2.1716758555\741301941" -childID 1 -isForBrowser -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5428cf9d-f67f-4930-b3e3-8f9466c1a7bd} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 2108 19cbcf58 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.3.1832976397\551949966" -childID 2 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9364b45-7ad5-4729-8371-2bb807907156} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 2912 e69e58 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.4.1934536169\704048008" -childID 3 -isForBrowser -prefsHandle 3716 -prefMapHandle 3652 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2eb10c5-3c74-4878-ac37-6079f1d485e3} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 3728 1a878c58 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.5.407832194\1648692053" -childID 4 -isForBrowser -prefsHandle 3836 -prefMapHandle 3840 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05cd89f8-c288-451e-9283-a3319bbf79d5} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 3824 1d6e6458 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.6.471698229\649771482" -childID 5 -isForBrowser -prefsHandle 3992 -prefMapHandle 3996 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4005de88-dfee-4038-a797-4ed806a84136} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 3912 1d6e7f58 tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008028001\d0fa921353.exe"C:\Users\Admin\AppData\Local\Temp\1008028001\d0fa921353.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe"C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'document.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-159669654-819735688444210453-895149571-4552532851261067458337089498-1362320868"1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
23KB
MD535cdb6273f0058000d1042727b85ef33
SHA1325714f17fd8f358dacb1d2ae80e956cfd57032b
SHA256d079ea778ee9e7ee03fe453f98682b62d29e49238b2e137840e94521745f294c
SHA5120eeb107ed343a1d2efdea3164ea306e218d1f604dc2be4fa69af1982211049113df15332a1f9a67caab0bb0957bed052d8b4fda8a7fcb9c39a1e1c3491cfabd2
-
Filesize
13KB
MD5f99b4984bd93547ff4ab09d35b9ed6d5
SHA173bf4d313cb094bb6ead04460da9547106794007
SHA256402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759
-
Filesize
1.4MB
MD5e1cf72329542de8b3004517ee07d8371
SHA1c22ac1f279cc11dffd30a41863181da598231d4b
SHA256301e56052cf570110e66a429c0acc2454569ff5f966af0e809bef33eb2e02baa
SHA5127267aa2244edd22b4ceda89e8e188180bcc409320f77b0d9fc9fbb63c0906ab23dc9dff4bd5e02018aa08194cb8bb8dcd0b28ae1c44b2497a13bb21411ec6edc
-
Filesize
4.2MB
MD5e44fb60a2cfd998fee51e42e436fc4b5
SHA124edb01b49d8a6cc4533a8ada342be18c0ad13f9
SHA25684363c685284008ab2c536946d3dd1b69bcbc1636754d6181b16611003760cb9
SHA5124c1169f81b3e272e8db65264226f977bd24216cc558aac28036d827e3e64b484c7b8251ff80ce8094df4137ca1c3fc2a6c4b1813191e6cd91d2d15cc0f2e2293
-
Filesize
1.8MB
MD54dea8ed33b8d2b1af46e7c631f77d134
SHA1bf2c4731465891c0ac513407626c6efba63e2e4f
SHA2569bd63639c9827a4bba0727e1cae451bddb6c66805fabe78e48bc71e1d30fae7c
SHA51213c21142dca905ae136e7309f8983893fd2c24b746cc6f7048529bba6469a0e437bc99f7c4be17159c4915511e6e94babe261fcff8ad686e1a56678443030e8d
-
Filesize
1.7MB
MD5685f2f3ccfb3958f91e4b8e865cd28d5
SHA14f9a41e63353f568e1aa31dc9ed97e13c5804d22
SHA256945f5a2a5fe604802e4aadaa8ef136a11c9a0b89d1c8eff471cf2ddf355aefd4
SHA512558832974a3b971ba2fedd7b8ef4c0e579fe49ea54dba5109335cc53752d8d7a3eea51c9af133f0f19482a3ec8eac8b1f621532280212fbeabae0e9713148d7b
-
Filesize
900KB
MD509416b7844c5f2f11afca615b7078818
SHA1b3ae02ef796ef13ebeea646ad04b58e6a62ddb05
SHA2560da9e52ce17ed2b25bca73fba11017cb3f65674a3bf6e400f0555f704194ac7d
SHA512c9005d81105b82b6c4ba72435efa31bed75d7322ace87a3c8a59bb3030656d1f88b716ef6b9c551beef438e318ee9f5c53f5af248c497a045af983cd6e7e5054
-
Filesize
2.7MB
MD527197ee37e70818fe49a4599d486f8fb
SHA1e603da43feb6533e9c7155e1dc7887e1867a7985
SHA2563405b90146d2374c28a053bca432edf976598a978c8d005f445a034cde1baf73
SHA51263148a28f6eb6eb4ea43f667b1d04e5e89d7b3ae90954b5baae50447ab72e28017fff97ccf5d8e47772f4967f538067dc076100d9e1e3ef5bf7a03c0d84f571b
-
Filesize
72KB
MD58d52069bd117da94e0b0b70e73e33fb0
SHA1e8090adddff167e1bda4194af968ba4bc22a2d60
SHA256b3e217c467cfe1e8079e82b88f2f99950a9459330a8843070ebb34bf3e2bcf38
SHA5127a91eeb0cf3edb53d0ac3d51abe85c97bb09da5b334b387fda90144a2f3729693367c451fee9e04cb953dcf8d9d1b91ee12961bfe9f1e53c0ab06aababd696ed
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1.8MB
MD56aed281d1464e3a53839bbd9e7190535
SHA18ea6e9ec2eb3970e0c361538fb6dbd074e5fa6c2
SHA256a20abe49e71912d860044fdf813c7fb90f32fde51097db4b689cac9c8f7a9ac9
SHA5123d3312dbc5d3537143f8ee75097e9dfa5a88c59b3d0079461a6878ba1aafa232a131e8078dbf08d5e62bdd84f5833e900d4b8e0f37e80b3bbcab996b725e5366
-
Filesize
1.1MB
MD514c6fa8e50b4147075eb922bd0c8b28d
SHA10faad18b0e26ce3b5c364621a4f0aee9db56a9a7
SHA25690c4a61af494b63ecfe1226714175675a4e49e57d50718491b3bc8fe29dd8fc7
SHA512e6c35bbcaa9a8bb306e58bb91aadf5feed6b1ad1df6ee0e68bf3bae9b76d84c862b4ee9dd87a1d288fe1b7aaaac13467964436a09ec529f67af50905cd0ef876
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
2.6MB
MD5985fef2b6872a1a94726dc3b7f1439de
SHA1e221a5c4f2f222b665c932ab9b1f66189cee3315
SHA25678ef7eacffaba55e653195fe37846375aeb51b164d80ad312afda54163da0622
SHA51241678a3e117cb83e7b99a65a6d0dda86db57ac0441d84ca817d6e04fa3751d4035215e8cd50bcd86b7232d1c28620103264f3a677ac14513d1fa0d977ba94f39
-
Filesize
7KB
MD5c12d3965a4e8ff08bf0f3f1add93450d
SHA1028e668cf86401f76239d690559bcfb80dd6fddc
SHA2566b2f7c506729091f505887c7025853c2e30f0f7561211043a115d93ed84d9519
SHA512b4b71ae1c6b17fc38724800b2dd51c5c15ad931def4459d086d9cf338a7916c98bf3c20bb629d610bc1e40b3b4a3743fe9087789dbb0964f7e4b546d8eed6b1f
-
Filesize
2KB
MD52eb1446158f5772127357f1e9f76ff7b
SHA118500aa716ca632bd2010c44d55b1ac2fde9a9e1
SHA256efe99939b4bf2418a516ce45e32b60667e6b83dfc7b4a828a4f51958ce4849c6
SHA512325b200927302f31502cf0e25694f5a4e13bf6605325ce1d65468742205b2421d37e018e65a28c093ef84bb71901f025ba2f077d44af5ed55f9510964c6857c6
-
Filesize
11KB
MD537c082aecaf4ce673aa95bfe1271e8f7
SHA138459f4a742205421aa550d02745699311781588
SHA2569ad659dbb1b130222cf90be1603166dbb49ec9935b3ce13c7c8caeb8bbb01878
SHA5124392bb7c40fa0d272442ee03bfe7417167a61c8d8c74092d3e07e2424f3af6ed30f87008d4507f0a08a387670cf8a1bac8518d8d4c9138d001d5ce0e7edda0c4
-
Filesize
745B
MD5586ca5942e8ec501b96553fc095f4e3a
SHA17dd122193ed013512e224654b7e9f99ba2e84c43
SHA25680e5d34bf54286238f426e61c3b88d9bdf7fcc953ce635aa54c0aef73edbdea9
SHA512a95706002873974e725f4c3a351a9d144c37551ba7c4c729588b1ae9bef1968a1efa3e4422956226cef7129c5878e5a5a4846840c25e02d128b5a44046bb5443
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD53642eed3b23b8a13cfe8217d67cbc6c1
SHA16647055051729623d22c33e10e8f0b52d5e4e116
SHA25622f13b5bc7858bdecf279f009ec74561768487dc09cd448f3eb4333d461e4716
SHA5120e467bf412ffab7818c9ea96f74bb665555191a280d76af4ebeeed2982c030d1d46b284ebfb271a45a21f265dae0a7aba68524fd100468683f8b2e2460a5dca3
-
Filesize
7KB
MD53be04082ecc1af99862e2272a5c90f63
SHA1607907ae6c167f4604d88d1957df862140a7e533
SHA2568571cf640be09c1c838447caa9378f87b8b95ad3939122923726f332f24929f7
SHA51269a9fbd3dbfbe1fc1d6592efc671b1a239ec0cd7aa33c53fcc44f39bcdbea935e260edc8c7e522f9fae4d911b24c53c850c2188c3244ec673f6d79e6aa3f6b35
-
Filesize
6KB
MD52df0c9bea739b89ea79c6019a884b607
SHA10a990be207e69a17198c72e06b1580f61dc21d27
SHA2568119fa71e70e837deec3ea03569ed4c74df06ef86441b2fab3cb3661d73848c6
SHA512bc681fa3c00b05994cb2420e98a53a984b0e43d61e4e0e256619371ae07e340039cdde3e96cd780fd3f37e81e5cebde43813529e79bdb4c171619440d4a0c596
-
Filesize
6KB
MD5c3a5a97add7495f85e7bc0df4d07c682
SHA1d4c100530c3412b4de16c798d53f1b86a548ebcc
SHA256a611a97668df153f3c91745451f7d75b656cd663dc90160da9493104b9e0e68d
SHA512edbb30982273dd1ff8d1c7011040de0d67c74f1fb4d92b79af8eb97f808ac906dd219ed4802dad8bcc8fc364043a353b943dc171a29b137473eafccb01e37598
-
Filesize
4KB
MD5163e54d41a560044dd704bb9cad81e8a
SHA1064ceea04e6d2f6cb8aa1be127c3ce929dcb66e7
SHA2567449fc7f56ebacce70b4455a01d0cf8b4fd8961fa6e30e101d169874c19fc129
SHA5121fc83793a2832139452e5b6bcaf2b78ce3ce1088597c308af69dc82f0ebae8731d53a2c7af62c7601a14e6092e02aadfe158969941039d6ad6e15c9a73367534
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
10.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
1.2MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.6MB
-
Filesize
12.4MB
-
Filesize
6.7MB
-
Filesize
2.7MB
-
Filesize
4.8MB
-
Filesize
6.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.7MB
-
Filesize
12.4MB
-
Filesize
6.7MB
-
Filesize
4.6MB
-
Filesize
4.8MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
2.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
1.2MB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
96KB