Analysis
- max time kernel: 125s
- max time network: 123s
- platform: windows7_x64
- resource: win7v200722
- submitted: 21-10-2020 04:23
Static task: static1
Behavioral task: behavioral1
- Sample: Betternet-6.4.0.exe
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: Betternet-6.4.0.exe
- Resource: win10v200722
General
- Target: Betternet-6.4.0.exe
- Size: 116KB
- MD5: c7f352bcac67c1f062ac1cb4d591ff01
- SHA1: 3cd5a53c43083b45e4eab25ae4aadab96009021d
- SHA256: 71872f0a3478b8ae00cf691641c971c7cf8e0ad2aa92987dd01a77bbb97ef6e2
- SHA512: a00ba7df0e94044d2037cecb61d8d8651b77e33b10fe7a7fc767327b9bb971d30741017e95830a4ab3a3ca32bf179a25f39e00237ac5a122bc8e0136542985d9
Malware Config
- Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Contact addresses in the note: akzhq1010@tutanota.com, akzhq1010@cock.li
Signatures
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Deletes system backup catalog (2 TTPs)
  Ransomware often tries to delete backup files to inhibit system recovery.
  Processes: PID 612 wbadmin.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1428 Betternet-6.4.0.exe; PID 1632 Betternet-6.4.0.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (Betternet-6.4.0.exe):
    Set value (str): \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Betternet-6.4.0.exe\""
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Modifies service (2 TTPs, 5 IoCs)
  Processes (vssvc.exe):
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    PID 1428 Betternet-6.4.0.exe set thread context of PID 340 Betternet-6.4.0.exe
    PID 1632 Betternet-6.4.0.exe set thread context of PID 1404 Betternet-6.4.0.exe
- Drops file in Program Files directory (9760 IoCs)
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: PID 1728 vssadmin.exe
- Modifies system certificate store
  Processes (Betternet-6.4.0.exe):
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob not preserved in the extracted report]
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 340 Betternet-6.4.0.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: PID 1428 Betternet-6.4.0.exe; PID 1632 Betternet-6.4.0.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes (token privileges enabled, in order):
    PID 1956 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    PID 828 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
    PID 972 WMIC.exe (the following sequence of 20 appears twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID wrote to memory of target PID):
    PID 1428 Betternet-6.4.0.exe wrote to memory of PID 340 Betternet-6.4.0.exe (5 times)
    PID 340 Betternet-6.4.0.exe wrote to memory of PID 1580 cmd.exe (4 times)
    PID 1580 cmd.exe wrote to memory of PID 1728 vssadmin.exe (3 times)
    PID 1580 cmd.exe wrote to memory of PID 612 wbadmin.exe (3 times)
    PID 1580 cmd.exe wrote to memory of PID 972 WMIC.exe (3 times)
    PID 1632 Betternet-6.4.0.exe wrote to memory of PID 1404 Betternet-6.4.0.exe (5 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Betternet-6.4.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Betternet-6.4.0.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Betternet-6.4.0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Betternet-6.4.0.exe"
    Signatures: Adds Run key to start application; Drops file in Program Files directory; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Betternet-6.4.0.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Betternet-6.4.0.exe" n340
      Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Betternet-6.4.0.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Betternet-6.4.0.exe" n340
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
      - C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        Signatures: Deletes backup catalog
      - C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads