Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
31/03/2025, 09:35
General
-
Target
2025-03-31_029485bc2a80896f65c286885494122b_black-basta_cova_luca-stealer.exe
-
Size
768KB
-
MD5
029485bc2a80896f65c286885494122b
-
SHA1
066cc229177c6ecd6dd2547e8aaa1b6d72f1255a
-
SHA256
93fe21dbb3bb181c61b9c3f40abd04130f83bf7ce906ba73394045896c5019fc
-
SHA512
11faa56e87f530fb481dc1df1ab53392fb3aba925df953b7c80a2db9c5982cd27321c0251ba6d42e7d3ed4c5c53cba0139114f99f4d56d25941d94a978991fca
-
SSDEEP
12288:2ToPWBv/cpGrU3yVtX+t4VlqQw7RuGY8pFV8P0wv7DfA3GdRzgs9/45aykxfIaC:2TbBv5rUyXVLMTr00y3ddRcg/Dy6fy
Score
10/10
Malware Config
Extracted
Family
xworm
C2
89.39.121.169:9000
Attributes
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Xworm Payload 2 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Stormkitty family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
DCRat payload 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Uses browser remote debugging 2 TTPs 5 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 25 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 64 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-31_029485bc2a80896f65c286885494122b_black-basta_cova_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-31_029485bc2a80896f65c286885494122b_black-basta_cova_luca-stealer.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dllnet\1.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -window hidden -command ""3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM operaGX.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM safari.exe3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM iexplore.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vivaldi.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM yandex.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\dllnet\1.exe"C:\Users\Admin\AppData\Local\Temp\dllnet\1.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"3⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff86317dcf8,0x7ff86317dd04,0x7ff86317dd104⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1972,i,8284376420749285316,5882261081670013743,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2116 /prefetch:34⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2088,i,8284376420749285316,5882261081670013743,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2084 /prefetch:24⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2440,i,8284376420749285316,5882261081670013743,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2500 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3268,i,8284376420749285316,5882261081670013743,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3296 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=1772,i,8284376420749285316,5882261081670013743,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3352 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,8284376420749285316,5882261081670013743,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4560 /prefetch:24⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4792,i,8284376420749285316,5882261081670013743,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3252 /prefetch:14⤵
- Uses browser remote debugging
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dllnet\2.exe"C:\Users\Admin\AppData\Local\Temp\dllnet\2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\dllnet\Webruntime.exe"C:\Users\Admin\AppData\Local\Temp\dllnet\Webruntime.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gAttbPxEzP.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
80KB
MD5dc48ad3a041bfd36fb87cb32d9e01f2d
SHA16d3783de7d298a0319c210c2bb3bdc6040b95c93
SHA25655a00eabcb34331390beddb9d686bcd368e2ebb509651e433e8aaf42a2f25d30
SHA512f76e11a650df1910b1cfb30bcfee74ea72f4ff4cc99d6df1d3c8610958e6f7f7589a88f3e3dd4e73dae57ed8992149ddd75fa66fadec053d8ddbaf15648ad3d1
-
Filesize
81B
MD5ea511fc534efd031f852fcf490b76104
SHA1573e5fa397bc953df5422abbeb1a52bf94f7cf00
SHA256e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995
SHA512f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae
-
Filesize
4KB
MD59de108c5c689a39942e989e00843abfe
SHA1b1d87f3750dbc967e90c3c5eb747dfadc63545b7
SHA25604f5d174a56ce68f9594b934b4a4135f88f8f23f1f14ca2c09453a0fb41caa2d
SHA51278f7a28c14c8762346d92dd38fa7b768b2c31a487b01e9a7cc53493c081e1b2ed71dd49788876d2ce275123c7bea75e4adcb8e864007abe71ba3ec4471c634a7
-
Filesize
56KB
MD51c832d859b03f2e59817374006fe1189
SHA1a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42
SHA256bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b
SHA512c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef
-
Filesize
20KB
MD5a156bfab7f06800d5287d4616d6f8733
SHA18f365ec4db582dc519774dcbbfcc8001dd37b512
SHA256e87b3d155c7582d4c1d889308b58f84e8fe90a1581014b21b785d6694bd156cc
SHA5126c8eeab3ae6fb0d5be7758cca521665b216f31aed1aeeeaf121c99dc9f0192b385de0da36e94f90dd4a9bbbac6be2c5a55d2f284a24ccb7dec2c5302fb9b027c
-
Filesize
130KB
MD5c5cd68e5adc55f633cf0d6f1bf0f4297
SHA1a658334a864c38b172e10e8f984caa88b761ee6b
SHA25667fefca89e12ca34a3220e4ec3483123d5541f3c92b1c9f18c70c50a9ad92919
SHA5128f5b447bee715252fb8dabb375675e5a9be89c5dd08a01838db7b82d1cae935761309b1d24977c1947d9f3ead04564bdab3bfcfeb71216329c3bc05105b298a3
-
Filesize
228KB
MD5ee463e048e56b687d02521cd12788e2c
SHA1ee26598f8e8643df84711960e66a20ecbc6321b8
SHA2563a07b3003758a79a574aa73032076567870389751f2a959537257070da3a10d8
SHA51242b395bf6bd97da800385b9296b63a4b0edd7b3b50dc92f19e61a89235a42d37d204359b57d506e6b25ab95f16625cce035ed3b55ef2d54951c82332498dab0f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
419B
MD5188e243d1a4ac82ba871ff57f570c182
SHA163d3233fe9917e6323c1cd421b3997221987dfe8
SHA256cd96a73c3509b2ec4cc786ad54dd019aeaed3e422041df6b743c9cef951b14d1
SHA5126bf60e0f7745090a65ce47de81af219e75b6f9d32030de2cd21e7002eaad69b3a4493ef2debd2bf6ec045dc8452f45c505f9e99cdc2d6963271d9c0f382bbc13
-
Filesize
250KB
MD5864ea4100266804d0078b4c382aeba6d
SHA1b436072a26036bc0f7c20144e4cf756bb53e3ed4
SHA25672ca0d36e7542cde2e905226e58c4fce65371681c4705652355b7018277633e9
SHA512bded261e622d43a5435df827b6fc0b8c079cda2a085b7ef64ec0197a778d3808548a794d8b8c398aad0d78d52d2bcd570edc5d19aa05749ee812b2f4c806edd3
-
Filesize
70KB
MD50fdb057627a6052723a0c005dadef312
SHA1ac12b696e32e2e0dc255365e6e95b84547a02543
SHA25697f1cb0734924ebabe41fdee4a2e968aee2e1f2615bc79d17ad4a03bc99dc29b
SHA512ff427abca3d29e38668e65cbd7c92b75f5f89404937990b7ec2e21392b268421c992be5e6ff982b8fe7209c9d01458e363b9df26645a49e03cc54e7a4790465e
-
Filesize
841KB
MD544ff58bdc844455af96c3da4fd08f881
SHA1a57dc085b8b1541fb03d5aa6a28305296a900c09
SHA25611373555a7350425df5b91064654d4b7975dd048559ffaa8d5e15eb3a8db76e8
SHA5127916cc862fb02f7e21c80262a8cd497b1a9604787a828c9fc0166d4c09a8d0c4b6f284391bb9e4b09531371db237d168f15a9fc78e8f4026b446402b86b932f0
-
Filesize
208B
MD58663dce0bc2c3e56b6521fdde639258e
SHA1eeca3c286c980862d0f48ff18b3042ab72fc4c5f
SHA2561565a4dac9da15cd2e1cdab1128c3d4b39189e3dca2f59baa29f85e714a4d4b6
SHA5127f98b2aa4caa1cd95b24119bfee3641c86d05559a9bdcfdcb1b69c6940bdf2de3f2843dbbedd44e10a270e4c10bab1315ea029937833498cc2f48946fa67310b
-
Filesize
40KB
MD5dfd4f60adc85fc874327517efed62ff7
SHA1f97489afb75bfd5ee52892f37383fbc85aa14a69
SHA256c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e
SHA512d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4
-
Filesize
272KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
584KB
-
Filesize
8KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
112KB
-
Filesize
864KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
120KB