crypted[1].bin

General
Target

crypted[1].bin

Filesize

N/A

Completed

29-11-2019 16:22

Score
10 /10
SHA256

9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57

Malware Config
Signatures 40

Filter: none

Collection
Credential Access
Defense Evasion
Discovery
  • Reads Secure browser user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\1304crypted[1].bin.exe
  • Reads Waterfox user profile, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\1304crypted[1].bin.exe
  • Reads Uran user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\1304crypted[1].bin.exe
  • Reads Tor Browser user profile, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\TorBro\Profile\1304crypted[1].bin.exe
  • Reads Nichrome user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Nichrome\User Data\1304crypted[1].bin.exe
  • Reads Qip surf user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\QIP Surf\User Data\1304crypted[1].bin.exe
  • Reads 7star user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\7Star\7Star\User Data\1304crypted[1].bin.exe
  • Reads Torch user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Torch\User Data\1304crypted[1].bin.exe
  • Reads Pale Moon browser user profile, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\1304crypted[1].bin.exe
  • Suspicious use of SetWindowsHookEx
    crypted[1].bin.exe

    Reported IOCs

    pidprocess
    1304crypted[1].bin.exe
  • crypted[1].bin.exe

    Reported IOCs

    ioc
    drive.google.com
    File opened for modificationC:\Users\Admin\AppData\Local\Temp\machineinfo.txt1304crypted[1].bin.exe
    HTTP URLhttp://34.76.145.229/gate/log.php
    HTTP URLhttp://34.76.145.229/file_handler/file.php?hash=d3a547a5fa34fecef563a4e0d65825c4539a5386&js=8eb1309d3b4163e746e3f66ce26ccf5f269dd5e5&callback=http://34.76.145.229/gate
  • Reads Sputnik user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\1304crypted[1].bin.exe
  • Reads user profile for Thunderbird email client, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\1304crypted[1].bin.exe
  • Reads Rockmelt user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\RockMelt\User Data\1304crypted[1].bin.exe
  • Reads Vivaldi user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Vivaldi\User Data\1304crypted[1].bin.exe
  • Reads Amigo user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Amigo\User Data\1304crypted[1].bin.exe
  • Reads Orbitum user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Orbitum\User Data\1304crypted[1].bin.exe
  • Reads Suhba user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Suhba\User Data\1304crypted[1].bin.exe
  • Checks for installed software on the system
    crypted[1].bin.exe

    Tags

    TTPs

    Query Registry

    Reported IOCs

    descriptioniocpidprocess
    Key value queried\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName1304crypted[1].bin.exe
  • Reads Chromium user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Chromium\User Data\1304crypted[1].bin.exe
  • Reads Dragon user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\1304crypted[1].bin.exe
  • Runs ping.exe
    PING.EXE

    Tags

    TTPs

    Remote System Discovery

    Reported IOCs

    pidprocess
    1232PING.EXE
  • Reads Kometa user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Kometa\User Data\1304crypted[1].bin.exe
  • Reads Superbird user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Superbird\User Data\1304crypted[1].bin.exe
  • Modifies system certificate store
    crypted[1].bin.exe

    Tags

    TTPs

    Install Root CertificateModify Registry

    Reported IOCs

    descriptioniocpidprocess
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d005200320000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e7f000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d50103000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e1304crypted[1].bin.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0400000001000000100000009414777e3e5efd8f30bd41b0cfe7d03003000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe7e00000001000000080000000000042beb77d5017f000000010000000c000000300a06082b060105050703091d000000010000001000000073621e116224668780b2d2bee454e52e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e5300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d00520032000000090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e1304crypted[1].bin.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 190000000100000010000000a8827a3cbd2d87d783b59b8062c87e9a0f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d005200320000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e7f000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d50103000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe0400000001000000100000009414777e3e5efd8f30bd41b0cfe7d0302000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e1304crypted[1].bin.exe
  • Reads Chrome user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1304crypted[1].bin.exe
  • Reads Epic privacy browser user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\1304crypted[1].bin.exe
  • Reads Centbrowser user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\CentBrowser\User Data\1304crypted[1].bin.exe
  • Reads Elements browser user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Elements Browser\User Data\1304crypted[1].bin.exe
  • Reads Mustang user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\1304crypted[1].bin.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pidprocess
    1800cmd.exe
  • Reads Chrome SxS user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\1304crypted[1].bin.exe
  • Reads Bromium user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Bromium\User Data\1304crypted[1].bin.exe
  • Reads Chedot user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Chedot\User Data\1304crypted[1].bin.exe
  • Reads Firefox user profile, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1304crypted[1].bin.exe
  • Accesses Bither wallet, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    descriptioniocpidprocess
    File opened (read-only)C:\Users\Admin\AppData\Roaming\Bither\address.db1304crypted[1].bin.exe
  • Suspicious use of WriteProcessMemory
    crypted[1].bin.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1304 wrote to memory of 18001304crypted[1].bin.execmd.exe
    PID 1800 wrote to memory of 12321800cmd.exePING.EXE
  • raccoon family

    Tags

  • Loads dropped DLL
    crypted[1].bin.exe

    Reported IOCs

    pidprocess
    1304crypted[1].bin.exe
  • Reads Go! user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Go!\User Data\1304crypted[1].bin.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe
    "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
    Reads Secure browser user data, possible credential harvesting
    Reads Waterfox user profile, possible credential harvesting
    Reads Uran user data, possible credential harvesting
    Reads Tor Browser user profile, possible credential harvesting
    Reads Nichrome user data, possible credential harvesting
    Reads Qip surf user data, possible credential harvesting
    Reads 7star user data, possible credential harvesting
    Reads Torch user data, possible credential harvesting
    Reads Pale Moon browser user profile, possible credential harvesting
    Suspicious use of SetWindowsHookEx
    Reads Sputnik user data, possible credential harvesting
    Reads user profile for Thunderbird email client, possible credential harvesting
    Reads Rockmelt user data, possible credential harvesting
    Reads Vivaldi user data, possible credential harvesting
    Reads Amigo user data, possible credential harvesting
    Reads Orbitum user data, possible credential harvesting
    Reads Suhba user data, possible credential harvesting
    Checks for installed software on the system
    Reads Chromium user data, possible credential harvesting
    Reads Dragon user data, possible credential harvesting
    Reads Kometa user data, possible credential harvesting
    Reads Superbird user data, possible credential harvesting
    Modifies system certificate store
    Reads Chrome user data, possible credential harvesting
    Reads Epic privacy browser user data, possible credential harvesting
    Reads Centbrowser user data, possible credential harvesting
    Reads Elements browser user data, possible credential harvesting
    Reads Mustang user data, possible credential harvesting
    Reads Chrome SxS user data, possible credential harvesting
    Reads Bromium user data, possible credential harvesting
    Reads Chedot user data, possible credential harvesting
    Reads Firefox user profile, possible credential harvesting
    Accesses Bither wallet, possible credential harvesting
    Suspicious use of WriteProcessMemory
    Loads dropped DLL
    Reads Go! user data, possible credential harvesting
    PID:1304
  • C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
    Deletes itself
    Suspicious use of WriteProcessMemory
    PID:1800
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1333835286-1054468390-1472936826-787043865-20918172221881988614-2562341841526789034"
    PID:736
  • C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    Runs ping.exe
    PID:1232
Network
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
    Discovery
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Persistence
                Privilege Escalation
                  Replay Monitor
                  00:00 00:00
                  Downloads