Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Xeno.exe

windows7-x64

10

Xeno.exe

windows10-2004-x64

10

Xeno.exe

windows10-ltsc 2021-x64

10

Xeno.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09/12/2024, 07:40 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Xeno.exe

  • Size

    649.1MB

  • MD5

    3b9c084d35bedcfe4cf7b306ecbf78ac

  • SHA1

    24ae90b623cddc6666d8fca32d279f75a8c293e3

  • SHA256

    d794c2ac1b5a6783f1754e61f9efa20e627e1798319210db326761d7516df88b

  • SHA512

    18b610cea4e05502b86b70008c4bd1f8f414e1d6793a1c3136181f5dfffdb2391c0d31f36dc899b393cb4d3a37ef6b9734c7c8020f13440d10b35d19fabb79b6

  • SSDEEP

    49152:c57nFOOBDBLH/oDfHqvBeROOUKGoAocLFRNAYnsL1C:c57QOBDBbcfHuSOTKGFLbNn+

Score
10/10
meduzacollectiondiscoveryevasionexecutionpersistencespywarestealer

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Oxoxox

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    3.145728e+06

  • port

    15666

  • self_destruct

    true

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza
  • Meduza Stealer payload 43 IoCs
  • Meduza family
    meduza
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies data under HKEY_USERS 46 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Xeno.exe
    "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\Temp\executor.exe
      "C:\Users\Admin\AppData\Local\Temp\executor.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2688
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\executor.exe"
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Windows\system32\PING.EXE
          ping 1.1.1.1 -n 1 -w 3000
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1836
    • C:\Users\Admin\AppData\Local\Temp\libs.exe
      "C:\Users\Admin\AppData\Local\Temp\libs.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2928
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3400
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2404
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
            PID:4364
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:3468
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:4180
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          3⤵
          • Launches sc.exe
          PID:2512
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          3⤵
          • Launches sc.exe
          PID:2028
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          3⤵
          • Launches sc.exe
          PID:2344
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4964
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:3548
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:3764
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1644
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "LBFXRZGB"
          3⤵
          • Launches sc.exe
          PID:3564
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "LBFXRZGB" binpath= "C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe" start= "auto"
          3⤵
          • Launches sc.exe
          PID:2780
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop eventlog
          3⤵
          • Launches sc.exe
          PID:4724
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start "LBFXRZGB"
          3⤵
          • Launches sc.exe
          PID:1916
    • C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe
      C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1840
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          3⤵
            PID:4636
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          2⤵
          • Launches sc.exe
          PID:4296
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          2⤵
          • Launches sc.exe
          PID:2908
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          2⤵
          • Launches sc.exe
          PID:4848
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          2⤵
          • Launches sc.exe
          PID:4928
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          2⤵
          • Launches sc.exe
          PID:3276
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4904
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4592
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4164
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1080
        • C:\Windows\system32\conhost.exe
          C:\Windows\system32\conhost.exe
          2⤵
            PID:3020
          • C:\Windows\system32\svchost.exe
            svchost.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:340

        Network

        • flag-us
          DNS
          moondarklight.me
          Xeno.exe
          Remote address:
          8.8.8.8:53
          Request
          moondarklight.me
          IN A
          Response
          moondarklight.me
          IN A
          104.21.40.53
          moondarklight.me
          IN A
          172.67.176.118
        • flag-us
          DNS
          8.8.8.8.in-addr.arpa
          Xeno.exe
          Remote address:
          8.8.8.8:53
          Request
          8.8.8.8.in-addr.arpa
          IN PTR
          Response
          8.8.8.8.in-addr.arpa
          IN PTR
          dnsgoogle
        • flag-us
          DNS
          liveisdestiny.me
          Xeno.exe
          Remote address:
          8.8.8.8:53
          Request
          liveisdestiny.me
          IN A
          Response
          liveisdestiny.me
          IN A
          172.67.167.138
          liveisdestiny.me
          IN A
          104.21.73.253
        • flag-us
          DNS
          api.ipify.org
          Xeno.exe
          Remote address:
          8.8.8.8:53
          Request
          api.ipify.org
          IN A
          Response
          api.ipify.org
          IN A
          104.26.13.205
          api.ipify.org
          IN A
          104.26.12.205
          api.ipify.org
          IN A
          172.67.74.152
        • flag-us
          DNS
          c.pki.goog
          Xeno.exe
          Remote address:
          8.8.8.8:53
          Request
          c.pki.goog
          IN A
          Response
          c.pki.goog
          IN CNAME
          pki-goog.l.google.com
          pki-goog.l.google.com
          IN A
          142.250.178.3
        • flag-us
          DNS
          205.13.26.104.in-addr.arpa
          Xeno.exe
          Remote address:
          8.8.8.8:53
          Request
          205.13.26.104.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          203.241.179.95.in-addr.arpa
          Xeno.exe
          Remote address:
          8.8.8.8:53
          Request
          203.241.179.95.in-addr.arpa
          IN PTR
          Response
          203.241.179.95.in-addr.arpa
          IN PTR
          95179241203vultrusercontentcom
        • flag-us
          DNS
          53.40.21.104.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          53.40.21.104.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          138.167.67.172.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          138.167.67.172.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          ctldl.windowsupdate.com
          Remote address:
          8.8.8.8:53
          Request
          ctldl.windowsupdate.com
          IN A
          Response
          ctldl.windowsupdate.com
          IN CNAME
          ctldl.windowsupdate.com.delivery.microsoft.com
          ctldl.windowsupdate.com.delivery.microsoft.com
          IN CNAME
          wu-b-net.trafficmanager.net
          wu-b-net.trafficmanager.net
          IN CNAME
          edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          IN CNAME
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          IN A
          91.81.130.134
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          IN A
          91.81.130.133
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          IN A
          91.81.129.181
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          IN A
          91.80.49.22
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          IN A
          91.80.49.21
        • flag-us
          DNS
          152.145.130.45.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          152.145.130.45.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          nexusrules.officeapps.live.com
          Remote address:
          8.8.8.8:53
          Request
          nexusrules.officeapps.live.com
          IN A
          Response
          nexusrules.officeapps.live.com
          IN CNAME
          prod.nexusrules.live.com.akadns.net
          prod.nexusrules.live.com.akadns.net
          IN A
          52.111.236.21
        • flag-gb
          GET
          http://c.pki.goog/r/gsr1.crl
          executor.exe
          Remote address:
          142.250.178.3:80
          Request
          GET /r/gsr1.crl HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          User-Agent: Microsoft-CryptoAPI/10.0
          Host: c.pki.goog
          Response
          HTTP/1.1 200 OK
          Accept-Ranges: bytes
          Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
          Cross-Origin-Resource-Policy: cross-origin
          Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
          Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
          Content-Length: 1739
          X-Content-Type-Options: nosniff
          Server: sffe
          X-XSS-Protection: 0
          Date: Mon, 09 Dec 2024 07:09:53 GMT
          Expires: Mon, 09 Dec 2024 07:59:53 GMT
          Cache-Control: public, max-age=3000
          Age: 2005
          Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
          Content-Type: application/pkix-crl
          Vary: Accept-Encoding
        • flag-gb
          GET
          http://c.pki.goog/r/r4.crl
          executor.exe
          Remote address:
          142.250.178.3:80
          Request
          GET /r/r4.crl HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          User-Agent: Microsoft-CryptoAPI/10.0
          Host: c.pki.goog
          Response
          HTTP/1.1 200 OK
          Accept-Ranges: bytes
          Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
          Cross-Origin-Resource-Policy: cross-origin
          Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
          Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
          Content-Length: 436
          X-Content-Type-Options: nosniff
          Server: sffe
          X-XSS-Protection: 0
          Date: Mon, 09 Dec 2024 07:05:55 GMT
          Expires: Mon, 09 Dec 2024 07:55:55 GMT
          Cache-Control: public, max-age=3000
          Age: 2244
          Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
          Content-Type: application/pkix-crl
          Vary: Accept-Encoding
        • flag-us
          DNS
          134.130.81.91.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          134.130.81.91.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          pool.hashvault.pro
          Remote address:
          8.8.8.8:53
          Request
          pool.hashvault.pro
          IN A
          Response
          pool.hashvault.pro
          IN A
          95.179.241.203
        • flag-us
          DNS
          21.236.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          21.236.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          3.178.250.142.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          3.178.250.142.in-addr.arpa
          IN PTR
          Response
          3.178.250.142.in-addr.arpa
          IN PTR
          lhr48s27-in-f31e100net
        • flag-us
          DNS
          ctldl.windowsupdate.com
          Remote address:
          8.8.8.8:53
          Request
          ctldl.windowsupdate.com
          IN A
          Response
          ctldl.windowsupdate.com
          IN CNAME
          ctldl.windowsupdate.com.delivery.microsoft.com
          ctldl.windowsupdate.com.delivery.microsoft.com
          IN CNAME
          wu-b-net.trafficmanager.net
          wu-b-net.trafficmanager.net
          IN CNAME
          edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          IN CNAME
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          IN A
          91.81.130.134
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          IN A
          91.80.49.20
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          IN A
          91.80.49.22
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          IN A
          91.81.129.181
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
          IN A
          91.80.49.85
        • 104.21.40.53:443
          moondarklight.me
          tls
          Xeno.exe
          107.8kB
           3.5MB
           1799
          2495
        • 172.67.167.138:443
          liveisdestiny.me
          tls
          Xeno.exe
          189.9kB
           5.4MB
           3090
          3909
        • 45.130.145.152:15666
          executor.exe
          26.5MB
           319.6kB
           18989
          7806
        • 104.26.13.205:443
          api.ipify.org
          tls
          executor.exe
          919 B
           4.4kB
           10
          8
        • 142.250.178.3:80
          http://c.pki.goog/r/r4.crl
          http
          executor.exe
          556 B
           3.8kB
           7
          5

          HTTP Request

          GET http://c.pki.goog/r/gsr1.crl

          HTTP Response

          200

          HTTP Request

          GET http://c.pki.goog/r/r4.crl

          HTTP Response

          200
        • 95.179.241.203:443
          pool.hashvault.pro
          tls
          svchost.exe
          2.3kB
           6.6kB
           16
          17
        • 8.8.8.8:53
          moondarklight.me
          dns
          Xeno.exe
          450 B
           748 B
           7
          7

          DNS Request

          moondarklight.me

          DNS Response

          104.21.40.53
          172.67.176.118

          DNS Request

          8.8.8.8.in-addr.arpa

          DNS Request

          liveisdestiny.me

          DNS Response

          172.67.167.138
          104.21.73.253

          DNS Request

          api.ipify.org

          DNS Response

          104.26.13.205
          104.26.12.205
          172.67.74.152

          DNS Request

          c.pki.goog

          DNS Response

          142.250.178.3

          DNS Request

          205.13.26.104.in-addr.arpa

          DNS Request

          203.241.179.95.in-addr.arpa

        • 8.8.8.8:53
          53.40.21.104.in-addr.arpa
          dns
          362 B
           880 B
           5
          5

          DNS Request

          53.40.21.104.in-addr.arpa

          DNS Request

          138.167.67.172.in-addr.arpa

          DNS Request

          ctldl.windowsupdate.com

          DNS Response

          91.81.130.134
          91.81.130.133
          91.81.129.181
          91.80.49.22
          91.80.49.21

          DNS Request

          152.145.130.45.in-addr.arpa

          DNS Request

          nexusrules.officeapps.live.com

          DNS Response

          52.111.236.21

        • 8.8.8.8:53
          134.130.81.91.in-addr.arpa
          dns
          208 B
           385 B
           3
          3

          DNS Request

          134.130.81.91.in-addr.arpa

          DNS Request

          pool.hashvault.pro

          DNS Response

          95.179.241.203

          DNS Request

          21.236.111.52.in-addr.arpa

        • 8.8.8.8:53
          3.178.250.142.in-addr.arpa
          dns
          141 B
           454 B
           2
          2

          DNS Request

          3.178.250.142.in-addr.arpa

          DNS Request

          ctldl.windowsupdate.com

          DNS Response

          91.81.130.134
          91.80.49.20
          91.80.49.22
          91.81.129.181
          91.80.49.85

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        System Services

        2
        T1569

        Service Execution

        2
        T1569.002

        Persistence

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Power Settings

        1
        T1653

        Privilege Escalation

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Defense Evasion

        Impair Defenses

        1
        T1562

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Browser Information Discovery

        1
        T1217

        Query Registry

        1
        T1012

        Remote System Discovery

        1
        T1018

        System Information Discovery

        1
        T1082

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Email Collection

        1
        T1114

        Command and Control

        Exfiltration

        Impact

        Service Stop

        1
        T1489

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xza3a44d.jds.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\executor.exe
          Filesize

          3.2MB

          MD5

          73912751e057519963f46c41303b80be

          SHA1

          c427938e79a4b1079599445790628bf3f5da923b

          SHA256

          9d28797efffc22cdbc2f58ef13897a99d3b287c5a493e5880d9c80b91f334105

          SHA512

          792c98d634a81b651d2e5089d069cab46fecbe8f5d23a8e528fb702644e85737941b7c1eef861468236dd064876577782bdfbd07836db2deb40965c2e1127e35

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\libs.exe
          Filesize

          5.0MB

          MD5

          769ea3d0e0cf22eaa7526a89c0f438cf

          SHA1

          5221042ad60744e2bdcf8319ff00bdbfc253eb59

          SHA256

          b369c94a835882a2267ff0a7a4ebb9a91621c3f134f63010d491121a7827b448

          SHA512

          d50130430911f16f4d2f7e4d3552f51ceb74601eda13cfbc374c9327e11d7865bdfc49803b54cf7b595b89996db28d3173d7a22993e968fd9a1a080c6b434c9a

          Download Submit

        • memory/1608-0-0x00007FFE1C583000-0x00007FFE1C585000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1608-1-0x0000028FCDE30000-0x0000028FCEE30000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1608-2-0x00007FFE1C580000-0x00007FFE1D042000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1608-3-0x00007FFE1C580000-0x00007FFE1D042000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1608-4-0x00007FFE1C583000-0x00007FFE1C585000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1608-5-0x00007FFE1C580000-0x00007FFE1D042000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1608-14-0x0000028FF6B60000-0x0000028FF6B82000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1608-15-0x0000028FF6970000-0x0000028FF697A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1608-16-0x00007FFE1C580000-0x00007FFE1D042000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1608-115-0x00007FFE1C580000-0x00007FFE1D042000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1840-151-0x0000012F6B860000-0x0000012F6B87C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1840-159-0x0000012F6BA90000-0x0000012F6BA9A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1840-158-0x0000012F6BA80000-0x0000012F6BA86000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1840-157-0x0000012F6B950000-0x0000012F6B958000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1840-156-0x0000012F6BAA0000-0x0000012F6BABA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1840-155-0x0000012F6B940000-0x0000012F6B94A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1840-154-0x0000012F6BA60000-0x0000012F6BA7C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1840-153-0x0000012F6B850000-0x0000012F6B85A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1840-152-0x0000012F6B880000-0x0000012F6B933000-memory.dmp

          Filesize

          716KB

          Download

        • memory/2688-71-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-101-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-35-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-38-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-41-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-61-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-60-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-65-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-64-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-67-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-37-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-70-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-66-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-82-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-94-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-113-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-112-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-107-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-121-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-120-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-117-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-116-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-103-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-43-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-100-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-89-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-88-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-85-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-83-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-79-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-77-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-73-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-106-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-95-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-76-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-26-0x000002486E510000-0x000002486E511000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2688-28-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-29-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-30-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-31-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-36-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-34-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-25-0x00007FFE2C0E0000-0x00007FFE2C2E9000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-72-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2688-185-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

          Filesize

          2.0MB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.