Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Nov. 5, 2023, 12:30 p.m. | Nov. 5, 2023, 12:48 p.m. |
Process | Command line | PID |
---|---|---|
rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main | 1460 |
rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main | 2292 |
netsh.exe | netsh wlan show profiles | 2432 |
rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll, | 2228 |
rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save | 2136 |
rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save | 2332 |
explorer.exe | C:\Windows\Explorer.EXE | 1236 |
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |
IP Address | Status | Action |
---|---|---|
185.196.8.176 | Active | Moloch |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Type | Value |
---|---|
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
pdb_path | D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb |
file | C:\Program Files\Mozilla Firefox\firefox.exe |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path |
section | _RDATA |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address |
suspicious_request | POST http://185.196.8.176/u8v5zeQ/index.php |
request | POST http://185.196.8.176/u8v5zeQ/index.php |
request | POST http://185.196.8.176/u8v5zeQ/index.php |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal |
file | C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data |
cmdline | netsh wlan show profiles |
host | 185.196.8.176 |
file | C:\Users\test22\AppData\Roaming\Electrum\wallets |
file | C:\Users\test22\AppData\Roaming\Litecoin\wallets |
file | C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml |
registry | HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions |
file | C:\Windows\.purple\accounts.xml |
file | C:\Python27\.purple\accounts.xml |
file | C:\Windows\System32\.purple\accounts.xml |
file | C:\.purple\accounts.xml |
file | C:\SystemRoot\System32\.purple\accounts.xml |
file | C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml |
file | C:\Program Files (x86)\Microsoft Office\Office15\.purple\accounts.xml |
file | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\.purple\accounts.xml |
file | C:\Windows\SysWOW64\.purple\accounts.xml |
file | C:\Program Files (x86)\EditPlus\.purple\accounts.xml |
file | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\.purple\accounts.xml |
registry | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server |
registry | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Server |