pandastealer | 05ef13e1af1913553f7660a18904ce9f165cf5e1a6a0277cb8e4f6e9d1465c1e

Analysis

max time kernel
112s
max time network
103s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 13:53 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
Size

6.0MB
MD5

7c6e22f14877f1a6a33d6a0c0eccb94f
SHA1

9735d159e9fb99f5367e36ebe7b3bb81c236ee67
SHA256

05ef13e1af1913553f7660a18904ce9f165cf5e1a6a0277cb8e4f6e9d1465c1e
SHA512

a8dabb001fad1ce039f4eeaab98728098c2a2933a4994e3779e26a4f583a7d837f322c50bb113c643f79ad8b912198665615405859486a21e6a18d6ab611a875
SSDEEP

24576:lKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKO:JjLuSh3i+FtvkMzT+3HfOGlk2Ph0fhev

Score

10^/10

pandastealer discovery spyware stealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0001000000029e8f-16.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kaspersky.exe	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kaspersky.exe	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\autorun.inf	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\oledb32r.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mraut.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_169218\java.exe	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\micaut.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\penusa.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipres.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\skchobj.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdasc.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\skchui.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadrh15.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdatt.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF64.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tpcps.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msader15.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msdaprst.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msdfmap.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdaosp.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pencht.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadomd.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadox.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdasqlr.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msxactps.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\sqlxmlx.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\penjpn.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\penkor.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msadds.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdadc.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdaer.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\penchs.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msador15.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwgst.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_169218\javaw.exe	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_169218\javaws.exe	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl64.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
Token: SeDebugPrivilege	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 244	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe	78
PID 2252 wrote to memory of 244	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe	78
PID 2252 wrote to memory of 244	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe	78
PID 2252 wrote to memory of 808	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe	80
PID 2252 wrote to memory of 808	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe	80
PID 2252 wrote to memory of 808	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe	80
PID 2252 wrote to memory of 4900	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe	82
PID 2252 wrote to memory of 4900	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe	82
PID 2252 wrote to memory of 4900	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe	82
PID 2252 wrote to memory of 3152	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe	84
PID 2252 wrote to memory of 3152	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe	84
PID 2252 wrote to memory of 3152	2252	2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe	84

C:\Users\Admin\AppData\Local\Temp\2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-15_7c6e22f14877f1a6a33d6a0c0eccb94f_amadey_elex_smoke-loader.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  PID:244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
  2⤵
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
  2⤵
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:4900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
  2⤵
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:3152

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

Filesize
6.0MB

MD5
7c6e22f14877f1a6a33d6a0c0eccb94f

SHA1
9735d159e9fb99f5367e36ebe7b3bb81c236ee67

SHA256
05ef13e1af1913553f7660a18904ce9f165cf5e1a6a0277cb8e4f6e9d1465c1e

SHA512
a8dabb001fad1ce039f4eeaab98728098c2a2933a4994e3779e26a4f583a7d837f322c50bb113c643f79ad8b912198665615405859486a21e6a18d6ab611a875

Download Submit
C:\Users\Admin\AppData\Local\Temp\autorun.inf

Filesize
65B

MD5
fbefa88e6b51c05dd63d97dfdbeb3589

SHA1
67e09918d878c6615befab5dc9194439027f268d

SHA256
3861acedffd29452d2fdb96728f7347652bde9353915d3873a7414843f49b8b1

SHA512
58f8c1a64f2eb21be7b96db335d1ade0ce0878566a8386b3689b650132ca28e14761b20fdfe50f2af9915dff2bdd3a5b07f6f3ed082e4e6998ec5f0cd052f12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\autorun.inf

Filesize
37B

MD5
3883f693b2911e7b9cabaf1d89601ebd

SHA1
a733bc5b66e5b7beb1ab54ce430ff16cdb935fcb

SHA256
747ea7ec54ee0bc9b637867de0c451df65c840f757988f5a3b6e3fe6c73ab1b6

SHA512
41fb0555004f392f2c67fd7675d2aea2a7a28a4f51d92237fdaff2d60624c559a5401335887b66f49a721dff669f8f9bd150fde0afe0845eb366309ca1088a98

Download Submit
memory/2252-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/2252-1-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2252-2-0x0000000005E50000-0x00000000063F6000-memory.dmp

Filesize
5.6MB

Download
memory/2252-3-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/2252-4-0x00000000059B0000-0x00000000059BA000-memory.dmp

Filesize
40KB

Download
memory/2252-5-0x00000000743D0000-0x0000000074B81000-memory.dmp

Filesize
7.7MB

Download
memory/2252-2702-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/2252-2873-0x00000000743D0000-0x0000000074B81000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.