Overview
overview
10Static
static
10Armageddon...ty.exe
windows7-x64
8Armageddon...ty.exe
windows10-2004-x64
8Armageddon...ht.dll
windows7-x64
1Armageddon...ht.dll
windows10-2004-x64
1Armageddon...ax.dll
windows10-2004-x64
7Armageddon...ub.exe
windows7-x64
1Armageddon...ub.exe
windows10-2004-x64
1Armageddon...ip.dll
windows7-x64
1Armageddon...ip.dll
windows10-2004-x64
1Armageddon...er.exe
windows7-x64
8Armageddon...er.exe
windows10-2004-x64
8Armageddon...k1.exe
windows7-x64
1Armageddon...k1.exe
windows10-2004-x64
1Armageddon...ub.exe
windows7-x64
1Armageddon...ub.exe
windows10-2004-x64
1AttWorm/AT...ed.exe
windows7-x64
8AttWorm/AT...ed.exe
windows10-2004-x64
8AttWorm/Jint.dll
windows7-x64
1AttWorm/Jint.dll
windows10-2004-x64
1AttWorm/js.exe
windows7-x64
1AttWorm/js.exe
windows10-2004-x64
3AttWorm/sk...et.dll
windows7-x64
1AttWorm/sk...et.dll
windows10-2004-x64
1AttWorm/sk...ip.dll
windows7-x64
1AttWorm/sk...ip.dll
windows10-2004-x64
1AttWorm/sk...er.exe
windows7-x64
8AttWorm/sk...er.exe
windows10-2004-x64
8AttWorm/skci/att.exe
windows7-x64
3AttWorm/skci/att.exe
windows10-2004-x64
3Aurora Wor...1N.exe
windows7-x64
8Aurora Wor...1N.exe
windows10-2004-x64
8Aurora Wor...ip.dll
windows7-x64
1Analysis
-
max time kernel
146s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-01-2025 16:58
Behavioral task
behavioral1
Sample
Armageddon Stealer 1.0 by Krusty/Armageddon Stealer 1.0 by Krusty.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
Armageddon Stealer 1.0 by Krusty/Armageddon Stealer 1.0 by Krusty.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Armageddon Stealer 1.0 by Krusty/mfc100cht.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
Armageddon Stealer 1.0 by Krusty/mfc100cht.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Armageddon Stealer 1.0 by Krusty/mstscax.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
Armageddon Stealer 1.0 by Krusty/stub.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral7
Sample
Armageddon Stealer 1.0 by Krusty/stub.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/Ionic.Zip.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral9
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/Ionic.Zip.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/Launcher.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral11
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/Launcher.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/ak1.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral13
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/ak1.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/stub.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral15
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/stub.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
AttWorm/ATTWorm Cracked.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral17
Sample
AttWorm/ATTWorm Cracked.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
AttWorm/Jint.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral19
Sample
AttWorm/Jint.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
AttWorm/js.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral21
Sample
AttWorm/js.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
AttWorm/skci/Extreme.Net.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral23
Sample
AttWorm/skci/Extreme.Net.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
AttWorm/skci/Ionic.Zip.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral25
Sample
AttWorm/skci/Ionic.Zip.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
AttWorm/skci/Launcher.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral27
Sample
AttWorm/skci/Launcher.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
AttWorm/skci/att.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral29
Sample
AttWorm/skci/att.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
Aurora Worm v1/Aurora Worm v1-Cracked by RoN1N.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral31
Sample
Aurora Worm v1/Aurora Worm v1-Cracked by RoN1N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
Aurora Worm v1/settings/Ionic.Zip.dll
Resource
win7-20241010-en
windows7-x64
General
-
Target
Armageddon Stealer 1.0 by Krusty/Armageddon Stealer 1.0 by Krusty.exe
-
Size
436KB
-
MD5
30b064d68ff6227419e29ddf0f5a81f3
-
SHA1
f8e9b737b0350e93bf8b2d41479c0c9d00249cca
-
SHA256
2c76e53d24f76b91c33a3cafefaa7100e590f433305f954f3233c56a8edaf9bd
-
SHA512
579a9b5a8be8fb65fa3c34d2ac7c6e7e4943a2053897cf223419ea4936f0bc7a6469e2c57998a7b1ddd61f8b63dff0ed078ba993b6822b5c3d34c1c96e9d9bcc
-
SSDEEP
3072:04lCFLQ666C66G666i666o666y666B66c666G66f666+666u6669p666366o6663:06CFgXtwJ3xjpfVKWMy
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1352 powershell.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk Launcher.exe -
Executes dropped EXE 28 IoCs
pid Process 2928 Windows Services.exe 1260 Secure System Shell.exe 2852 Runtime Explorer.exe 2012 Runtime Explorer.exe 2868 Runtime Explorer.exe 2592 Runtime Explorer.exe 1660 Runtime Explorer.exe 1936 Runtime Explorer.exe 1100 Runtime Explorer.exe 1736 Runtime Explorer.exe 3016 Runtime Explorer.exe 564 Runtime Explorer.exe 1556 Runtime Explorer.exe 604 Runtime Explorer.exe 2204 Runtime Explorer.exe 1504 Runtime Explorer.exe 1592 Runtime Explorer.exe 2972 Runtime Explorer.exe 2676 Runtime Explorer.exe 2608 Runtime Explorer.exe 2576 Runtime Explorer.exe 2956 Runtime Explorer.exe 2664 Runtime Explorer.exe 1680 Runtime Explorer.exe 2424 Runtime Explorer.exe 2852 Runtime Explorer.exe 2768 Runtime Explorer.exe 776 Runtime Explorer.exe -
Loads dropped DLL 55 IoCs
pid Process 2684 Launcher.exe 2684 Launcher.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" Launcher.exe -
Drops file in Windows directory 9 IoCs
description ioc Process File created C:\Windows\IMF\LICENCE.zip Launcher.exe File opened for modification C:\Windows\IMF\LICENCE.zip Launcher.exe File opened for modification C:\Windows\IMF\Runtime Explorer.exe Launcher.exe File opened for modification C:\Windows\IMF\Windows Services.exe Launcher.exe File created C:\Windows\IMF\LICENCE.dat Launcher.exe File created C:\Windows\IMF\Runtime Explorer.exe.tmp Launcher.exe File created C:\Windows\IMF\Windows Services.exe.tmp Launcher.exe File created C:\Windows\IMF\Secure System Shell.exe.tmp Launcher.exe File opened for modification C:\Windows\IMF\Secure System Shell.exe Launcher.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows Services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Launcher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Secure System Shell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Armageddon Stealer 1.0 by Krusty.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Explorer.exe -
Suspicious behavior: EnumeratesProcesses 57 IoCs
pid Process 2684 Launcher.exe 1352 powershell.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 1260 Secure System Shell.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe 2928 Windows Services.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2684 Launcher.exe Token: SeDebugPrivilege 1352 powershell.exe Token: SeDebugPrivilege 2928 Windows Services.exe Token: SeDebugPrivilege 1260 Secure System Shell.exe -
Suspicious use of SetWindowsHookEx 26 IoCs
pid Process 2852 Runtime Explorer.exe 2012 Runtime Explorer.exe 2868 Runtime Explorer.exe 2592 Runtime Explorer.exe 1660 Runtime Explorer.exe 1936 Runtime Explorer.exe 1100 Runtime Explorer.exe 1736 Runtime Explorer.exe 3016 Runtime Explorer.exe 564 Runtime Explorer.exe 1556 Runtime Explorer.exe 604 Runtime Explorer.exe 2204 Runtime Explorer.exe 1504 Runtime Explorer.exe 1592 Runtime Explorer.exe 2972 Runtime Explorer.exe 2676 Runtime Explorer.exe 2608 Runtime Explorer.exe 2576 Runtime Explorer.exe 2956 Runtime Explorer.exe 2664 Runtime Explorer.exe 1680 Runtime Explorer.exe 2424 Runtime Explorer.exe 2852 Runtime Explorer.exe 2768 Runtime Explorer.exe 776 Runtime Explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2676 wrote to memory of 2684 2676 Armageddon Stealer 1.0 by Krusty.exe 30 PID 2676 wrote to memory of 2684 2676 Armageddon Stealer 1.0 by Krusty.exe 30 PID 2676 wrote to memory of 2684 2676 Armageddon Stealer 1.0 by Krusty.exe 30 PID 2676 wrote to memory of 2684 2676 Armageddon Stealer 1.0 by Krusty.exe 30 PID 2676 wrote to memory of 2684 2676 Armageddon Stealer 1.0 by Krusty.exe 30 PID 2676 wrote to memory of 2684 2676 Armageddon Stealer 1.0 by Krusty.exe 30 PID 2676 wrote to memory of 2684 2676 Armageddon Stealer 1.0 by Krusty.exe 30 PID 2684 wrote to memory of 1352 2684 Launcher.exe 31 PID 2684 wrote to memory of 1352 2684 Launcher.exe 31 PID 2684 wrote to memory of 1352 2684 Launcher.exe 31 PID 2684 wrote to memory of 1352 2684 Launcher.exe 31 PID 2684 wrote to memory of 1352 2684 Launcher.exe 31 PID 2684 wrote to memory of 1352 2684 Launcher.exe 31 PID 2684 wrote to memory of 1352 2684 Launcher.exe 31 PID 2676 wrote to memory of 2728 2676 Armageddon Stealer 1.0 by Krusty.exe 33 PID 2676 wrote to memory of 2728 2676 Armageddon Stealer 1.0 by Krusty.exe 33 PID 2676 wrote to memory of 2728 2676 Armageddon Stealer 1.0 by Krusty.exe 33 PID 2676 wrote to memory of 2728 2676 Armageddon Stealer 1.0 by Krusty.exe 33 PID 2684 wrote to memory of 2928 2684 Launcher.exe 34 PID 2684 wrote to memory of 2928 2684 Launcher.exe 34 PID 2684 wrote to memory of 2928 2684 Launcher.exe 34 PID 2684 wrote to memory of 2928 2684 Launcher.exe 34 PID 2684 wrote to memory of 2928 2684 Launcher.exe 34 PID 2684 wrote to memory of 2928 2684 Launcher.exe 34 PID 2684 wrote to memory of 2928 2684 Launcher.exe 34 PID 2928 wrote to memory of 1260 2928 Windows Services.exe 35 PID 2928 wrote to memory of 1260 2928 Windows Services.exe 35 PID 2928 wrote to memory of 1260 2928 Windows Services.exe 35 PID 2928 wrote to memory of 1260 2928 Windows Services.exe 35 PID 2928 wrote to memory of 1260 2928 Windows Services.exe 35 PID 2928 wrote to memory of 1260 2928 Windows Services.exe 35 PID 2928 wrote to memory of 1260 2928 Windows Services.exe 35 PID 2928 wrote to memory of 2852 2928 Windows Services.exe 36 PID 2928 wrote to memory of 2852 2928 Windows Services.exe 36 PID 2928 wrote to memory of 2852 2928 Windows Services.exe 36 PID 2928 wrote to memory of 2852 2928 Windows Services.exe 36 PID 2928 wrote to memory of 2852 2928 Windows Services.exe 36 PID 2928 wrote to memory of 2852 2928 Windows Services.exe 36 PID 2928 wrote to memory of 2852 2928 Windows Services.exe 36 PID 2928 wrote to memory of 2012 2928 Windows Services.exe 37 PID 2928 wrote to memory of 2012 2928 Windows Services.exe 37 PID 2928 wrote to memory of 2012 2928 Windows Services.exe 37 PID 2928 wrote to memory of 2012 2928 Windows Services.exe 37 PID 2928 wrote to memory of 2012 2928 Windows Services.exe 37 PID 2928 wrote to memory of 2012 2928 Windows Services.exe 37 PID 2928 wrote to memory of 2012 2928 Windows Services.exe 37 PID 2928 wrote to memory of 2868 2928 Windows Services.exe 38 PID 2928 wrote to memory of 2868 2928 Windows Services.exe 38 PID 2928 wrote to memory of 2868 2928 Windows Services.exe 38 PID 2928 wrote to memory of 2868 2928 Windows Services.exe 38 PID 2928 wrote to memory of 2868 2928 Windows Services.exe 38 PID 2928 wrote to memory of 2868 2928 Windows Services.exe 38 PID 2928 wrote to memory of 2868 2928 Windows Services.exe 38 PID 2928 wrote to memory of 2592 2928 Windows Services.exe 39 PID 2928 wrote to memory of 2592 2928 Windows Services.exe 39 PID 2928 wrote to memory of 2592 2928 Windows Services.exe 39 PID 2928 wrote to memory of 2592 2928 Windows Services.exe 39 PID 2928 wrote to memory of 2592 2928 Windows Services.exe 39 PID 2928 wrote to memory of 2592 2928 Windows Services.exe 39 PID 2928 wrote to memory of 2592 2928 Windows Services.exe 39 PID 2928 wrote to memory of 1660 2928 Windows Services.exe 40 PID 2928 wrote to memory of 1660 2928 Windows Services.exe 40 PID 2928 wrote to memory of 1660 2928 Windows Services.exe 40 PID 2928 wrote to memory of 1660 2928 Windows Services.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\Armageddon Stealer 1.0 by Krusty\Armageddon Stealer 1.0 by Krusty.exe"C:\Users\Admin\AppData\Local\Temp\Armageddon Stealer 1.0 by Krusty\Armageddon Stealer 1.0 by Krusty.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\Armageddon Stealer 1.0 by Krusty\viewsource\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Armageddon Stealer 1.0 by Krusty\viewsource\Launcher.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352
-
-
C:\Windows\IMF\Windows Services.exe"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\IMF\Secure System Shell.exe"C:\Windows\IMF\Secure System Shell.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2852
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2012
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2868
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2592
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1660
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1936
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1100
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1736
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3016
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:564
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1556
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:604
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2204
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1504
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1592
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2972
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2676
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2608
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2576
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2956
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2664
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1680
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2424
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2852
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2768
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:776
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Armageddon Stealer 1.0 by Krusty\viewsource\ak1.exe"C:\Users\Admin\AppData\Local\Temp\Armageddon Stealer 1.0 by Krusty\viewsource\ak1.exe"2⤵PID:2728
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
101B
MD5d0fb983b03f4ffa027c51dab7544c259
SHA1dcfe29534ab26129188506e4e80aceb9f9c9e166
SHA256c10db787797dc1a2c6b092b10174695990d471c593f56599f2db076a56a507f3
SHA5125025a8c2a797b4c14ff0b9ed22c66873094d02203b62dd50f59c68e54f780765858d1ffec74575b717055727292d105792a63bf87c91a43817ea2e0974312fc5
-
Filesize
88B
MD52cf0925c2ad295d8c07760fa26108596
SHA1ca25244b44bf670c9acc84903e857be0ac8dedf7
SHA256e6b83e1f946a57dc10a3ef452d65c9c4d38beec6ccbf4e069836c38448a894c3
SHA512fbb94c85f5fbb42b69362189dc29caa6ca46d05dde5a6407f73424a2cbb054b92edb368a171998fd440ed9d5c28692013874aa3d9b1aa1336bb0dd8ef3ef0832
-
Filesize
152KB
MD503f5e0141f4519f0c5ac26ce0b036a0f
SHA14f7a2a230e7a194a898cc9f2d563ac8777fe99c0
SHA25678a408c628e33e3332645f480ee7ce01b5dc24fc96cf16ffa0868d43f3d421ef
SHA51286a68f040654006e06b51c5714e0d7168d0d1bef7f3c39843632068104f773f771d21be4bc251d712f3e915cd1058f89ad31d9e3f3d9e7cf6da6785cbf22d8d7
-
Filesize
45KB
MD57d0c7359e5b2daa5665d01afdc98cc00
SHA1c3cc830c8ffd0f53f28d89dcd9f3426be87085cb
SHA256f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809
SHA512a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407
-
Filesize
46KB
MD5ad0ce1302147fbdfecaec58480eb9cf9
SHA1874efbc76e5f91bc1425a43ea19400340f98d42b
SHA2562c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3
SHA512adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53