Analysis
-
max time kernel
148s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
31/03/2025, 09:29
General
-
Target
2025-03-31_029485bc2a80896f65c286885494122b_black-basta_cova_luca-stealer.exe
-
Size
768KB
-
MD5
029485bc2a80896f65c286885494122b
-
SHA1
066cc229177c6ecd6dd2547e8aaa1b6d72f1255a
-
SHA256
93fe21dbb3bb181c61b9c3f40abd04130f83bf7ce906ba73394045896c5019fc
-
SHA512
11faa56e87f530fb481dc1df1ab53392fb3aba925df953b7c80a2db9c5982cd27321c0251ba6d42e7d3ed4c5c53cba0139114f99f4d56d25941d94a978991fca
-
SSDEEP
12288:2ToPWBv/cpGrU3yVtX+t4VlqQw7RuGY8pFV8P0wv7DfA3GdRzgs9/45aykxfIaC:2TbBv5rUyXVLMTr00y3ddRcg/Dy6fy
Score
10/10
Malware Config
Extracted
Family
xworm
C2
89.39.121.169:9000
Attributes
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Xworm Payload 2 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Stormkitty family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
DCRat payload 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Uses browser remote debugging 2 TTPs 5 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 25 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 64 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-31_029485bc2a80896f65c286885494122b_black-basta_cova_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-31_029485bc2a80896f65c286885494122b_black-basta_cova_luca-stealer.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dllnet\1.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -window hidden -command ""3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\dllnet\1.exe"C:\Users\Admin\AppData\Local\Temp\dllnet\1.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"3⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7fff783ddcf8,0x7fff783ddd04,0x7fff783ddd104⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2000,i,16595343563706430374,3239624528945908668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1996 /prefetch:24⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,16595343563706430374,3239624528945908668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2208 /prefetch:34⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2412,i,16595343563706430374,3239624528945908668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2572 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3268,i,16595343563706430374,3239624528945908668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3332 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,16595343563706430374,3239624528945908668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3352 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4372,i,16595343563706430374,3239624528945908668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4396 /prefetch:24⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4856,i,16595343563706430374,3239624528945908668,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4812 /prefetch:14⤵
- Uses browser remote debugging
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dllnet\2.exe"C:\Users\Admin\AppData\Local\Temp\dllnet\2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\dllnet\Webruntime.exe"C:\Users\Admin\AppData\Local\Temp\dllnet\Webruntime.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LmfYfCqvHX.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
-
C:\Recovery\WindowsRE\lsass.exe"C:\Recovery\WindowsRE\lsass.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
79KB
MD5eb7cdf67de9d5bda3cb58e1f21ff9ee4
SHA1bfa79096f996e96e06cc9da94eb39bf3e7ddd79f
SHA25605f043cd0fb2c846ba18fd6f8eb3606fcf9139251e35902830623fefad9941d9
SHA512d5c1242fedc18740e7fccbe66c2bc440da7e54c78641ec42112dc1ebfaedc27d72d743b1d9bc65a6290d4e00fb74d663d9b376dc7c6ad926f33eaf39cd004cf2
-
Filesize
4KB
MD5c596146fa990e98d83dc078ab5f48415
SHA1094934d9b6cee55e1b843c5ddc9a007ce390d3bb
SHA256c0eb71b7aced221e3c2aaaf7cd5a8a62eef26216a59397b34d2f01206c902294
SHA5124416663ac4e1e1467ae1822c0c7c51357fbe1ba2eae78dfd9e377ad3d63875cea8ab2d58f0b4ee68c5d1a7c6f9881ea797977f325761e79a4318851c6e79f36d
-
Filesize
56KB
MD51c832d859b03f2e59817374006fe1189
SHA1a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42
SHA256bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b
SHA512c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef
-
Filesize
20KB
MD5a156bfab7f06800d5287d4616d6f8733
SHA18f365ec4db582dc519774dcbbfcc8001dd37b512
SHA256e87b3d155c7582d4c1d889308b58f84e8fe90a1581014b21b785d6694bd156cc
SHA5126c8eeab3ae6fb0d5be7758cca521665b216f31aed1aeeeaf121c99dc9f0192b385de0da36e94f90dd4a9bbbac6be2c5a55d2f284a24ccb7dec2c5302fb9b027c
-
Filesize
207B
MD5692a5fa841a88da154552c7939e8a05d
SHA1c47902c8c1d9f304ece60b065b1a4eaf15d848ef
SHA256de3c266093bd22cd2a8ebde4f50d689628d34479073d5313b4e64c66752c7b93
SHA51251899b0e0f91dcdefedc0fe60eb7d7e5802a37c460d58f3b43ac9f91e6b611734240e9e5cafd85ccf4f1254e008ce47713ec266db10d60551dfd3d25133395a1
-
Filesize
40KB
MD5dfd4f60adc85fc874327517efed62ff7
SHA1f97489afb75bfd5ee52892f37383fbc85aa14a69
SHA256c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e
SHA512d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4
-
Filesize
228KB
MD5ee463e048e56b687d02521cd12788e2c
SHA1ee26598f8e8643df84711960e66a20ecbc6321b8
SHA2563a07b3003758a79a574aa73032076567870389751f2a959537257070da3a10d8
SHA51242b395bf6bd97da800385b9296b63a4b0edd7b3b50dc92f19e61a89235a42d37d204359b57d506e6b25ab95f16625cce035ed3b55ef2d54951c82332498dab0f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
419B
MD5188e243d1a4ac82ba871ff57f570c182
SHA163d3233fe9917e6323c1cd421b3997221987dfe8
SHA256cd96a73c3509b2ec4cc786ad54dd019aeaed3e422041df6b743c9cef951b14d1
SHA5126bf60e0f7745090a65ce47de81af219e75b6f9d32030de2cd21e7002eaad69b3a4493ef2debd2bf6ec045dc8452f45c505f9e99cdc2d6963271d9c0f382bbc13
-
Filesize
250KB
MD5864ea4100266804d0078b4c382aeba6d
SHA1b436072a26036bc0f7c20144e4cf756bb53e3ed4
SHA25672ca0d36e7542cde2e905226e58c4fce65371681c4705652355b7018277633e9
SHA512bded261e622d43a5435df827b6fc0b8c079cda2a085b7ef64ec0197a778d3808548a794d8b8c398aad0d78d52d2bcd570edc5d19aa05749ee812b2f4c806edd3
-
Filesize
70KB
MD50fdb057627a6052723a0c005dadef312
SHA1ac12b696e32e2e0dc255365e6e95b84547a02543
SHA25697f1cb0734924ebabe41fdee4a2e968aee2e1f2615bc79d17ad4a03bc99dc29b
SHA512ff427abca3d29e38668e65cbd7c92b75f5f89404937990b7ec2e21392b268421c992be5e6ff982b8fe7209c9d01458e363b9df26645a49e03cc54e7a4790465e
-
Filesize
841KB
MD544ff58bdc844455af96c3da4fd08f881
SHA1a57dc085b8b1541fb03d5aa6a28305296a900c09
SHA25611373555a7350425df5b91064654d4b7975dd048559ffaa8d5e15eb3a8db76e8
SHA5127916cc862fb02f7e21c80262a8cd497b1a9604787a828c9fc0166d4c09a8d0c4b6f284391bb9e4b09531371db237d168f15a9fc78e8f4026b446402b86b932f0
-
Filesize
130KB
MD551f77cac4c007f3c248a071f5ab13d61
SHA138c807b0dd58a87fc19dff34978fea65723753c4
SHA2569b102d2e44b7388e3a4793d4f960de996f8fcf7c73269a801cd0e40635306ebb
SHA512506f9e060f139d9ae1fa0f768330d4ffb9cfec2adf7b96219907099fd5930e5188e536874b717a0800c04f2326d488a261579094bd143c70f31f4abac3bb9704
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
96KB
-
Filesize
8KB
-
Filesize
5.6MB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
272KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
864KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
1.1MB