raccoon | c3193806a082fa6c5c4b755e343c01dcf9169487acbf9150ab169d3972a8c6e8

Target

Microsoft_Toolkit.exe
Size

4.9MB
MD5

ee287c2e51854fee07881638379c6f38
SHA1

1dccecc235b6d702a8fea3350c72b9c52c05c7be
SHA256

c3193806a082fa6c5c4b755e343c01dcf9169487acbf9150ab169d3972a8c6e8
SHA512

02a1e9874f994e958489be409e3a6efcce642c57b9f5e50de0a2072ad15769cdb717744ed37436b0f9d94104572a79d39e6114938ba3e5a6670d6c05e780aafa

Score

10^/10

raccoon smokeloader backdoor bootkit discovery evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

http://oversun.monster/upload/

http://oversun.net/upload/

http://dingobossin.com/upload/

http://duda1.monster/upload/

http�//vinder55.monster/upload/

http://jamb2.monster/upload/

rc4.i32

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 16 IoCs

Processes:

KRSetp.exejg7_7wjg.exeproz.exeubisoftant.exeaskinstall4.exepiyyy.exeupdate_5e6d00.exesetup.exePas.exejfiag3g_gg.exe3902233.42jfiag3g_gg.exe301756.3Windows Host.exeCBD.exe1BFA.exe

pid	process
2028	KRSetp.exe
1160	jg7_7wjg.exe
1732	proz.exe
1688	ubisoftant.exe
1256	askinstall4.exe
1488	piyyy.exe
1512	update_5e6d00.exe
1624	setup.exe
544	Pas.exe
1704	jfiag3g_gg.exe
2008	3902233.42
1596	jfiag3g_gg.exe
1688	301756.3
2596	Windows Host.exe
1324	CBD.exe
880	1BFA.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe	upx
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe	upx
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe	upx
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe	upx
C:\Users\Admin\AppData\Local\Temp\update_5e6d00.exe	upx
C:\Users\Admin\AppData\Local\Temp\update_5e6d00.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe	upx
\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe	upx
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe	upx
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe	upx
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Loads dropped DLL 45 IoCs

Processes:

Microsoft_Toolkit.exeproz.exeupdate_5e6d00.exepiyyy.exePas.exe301756.3

pid	process
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
296	Microsoft_Toolkit.exe
1732	proz.exe
1732	proz.exe
1732	proz.exe
1732	proz.exe
1732	proz.exe
1512	update_5e6d00.exe
1512	update_5e6d00.exe
1512	update_5e6d00.exe
1512	update_5e6d00.exe
1488	piyyy.exe
1488	piyyy.exe
1488	piyyy.exe
1488	piyyy.exe
544	Pas.exe
1688	301756.3

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

piyyy.exe301756.3

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	piyyy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	301756.3

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Microsoft_Toolkit.exeproz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Microsoft_Toolkit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	proz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

CBD.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 CBD.exe

flow	ioc
13	ip-api.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	CBD.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

update_5e6d00.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	update_5e6d00.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	update_5e6d00.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	update_5e6d00.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2144 taskkill.exe

pid	process
2144	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000bc2d2a9e607b2c5de7864e6b646c612a51873000f931fab6802edc9fc38d27d8000000000e800000000200002000000039b484a16251696a8ab2fc045f8da0b8fa623044cfaf56896c481735da5ff89020000000af79ce7611b666b1e20ff9a90a169ab13c75d58b0993deaa45a762a8b8ced5104000000023e11c25e2d6566cbdae5c6b4eaa0ce1042360d51ee1ab6ffcb25751971604a9858504297974694f2a2e35adde8d5f37b35b4c42acc7a3585f5c5e7118c4f4dd	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B2F52F41-58E9-11EB-B2E7-DA78EDA9FF87} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a077667ff6ecd601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a600000000002000000000010660000000100002000000032dccb6347ca26b788213294bb6e7fb2804d6466172c3d207f19264fe8c41e08000000000e80000000020000200000008e6f04b2d095072f0a29005e3cec833b8a354a36d5b12e78b677b4209ab76d4e90000000bbfc0412108184365bbfbaf9292872b5085ffad0d53e803f5a296ceffcbc938d5c8313be847395fed73c06a3af044c2f0f4f28c7b44186848bc06ef70b378132b1a264d722de7ba9306e2e11ee1d003c08ddfe74e742bcdd828094a166c28a2834edaa69eb7b7288bdc27c8e0e9981273c2b63a2b44107959f60231e1a04687f912e4ae49a1b124ec9fc8ec7c058738e4000000012427675027c7fabbdf4dd9dfd5d881f987e18e449039cfbaadf8b14b528e816774a5064f2e940dc3fe63143a89b06139c8161ebfc7c031fc0a468eff83960fa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

KRSetp.exePas.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	KRSetp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Pas.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Pas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	KRSetp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	KRSetp.exe

NTFS ADS 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pro.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\www6C10.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pro.url\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\Shaksd.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\www43FF.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\Shaksd.url\:favicon:$DATA	IEXPLORE.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1052 PING.EXE

pid	process
1052	PING.EXE

Suspicious behavior: EnumeratesProcesses 742 IoCs

Processes:

update_5e6d00.exejfiag3g_gg.exe

pid	process
1512	update_5e6d00.exe
1512	update_5e6d00.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1596	jfiag3g_gg.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exe

pid process

1244
2948 taskmgr.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

update_5e6d00.exe

pid process

1512 update_5e6d00.exe

pid	process
1244
2948	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

ubisoftant.exeKRSetp.exetaskkill.exe3902233.42taskmgr.exeCBD.exe

description	pid	process
Token: SeManageVolumePrivilege	1688	ubisoftant.exe
Token: SeManageVolumePrivilege	1688	ubisoftant.exe
Token: SeManageVolumePrivilege	1688	ubisoftant.exe
Token: SeDebugPrivilege	2028	KRSetp.exe
Token: SeManageVolumePrivilege	1688	ubisoftant.exe
Token: SeShutdownPrivilege	1244
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	2008	3902233.42
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeDebugPrivilege	2948	taskmgr.exe
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: 8467070111832401780	1324	CBD.exe

Suspicious use of FindShellTrayWindow 65 IoCs

Processes:

iexplore.exetaskmgr.exe

pid	process
1728	iexplore.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
1244
1244
1244
1244
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe

Suspicious use of SendNotifyMessage 66 IoCs

Processes:

taskmgr.exe

pid	process
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
1244
1244
1244
1244
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
1244
1244
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

ubisoftant.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1688	ubisoftant.exe
1688	ubisoftant.exe
1728	iexplore.exe
1728	iexplore.exe
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 100 IoCs

Processes:

Microsoft_Toolkit.exeproz.exesetup.execmd.exeiexplore.exepiyyy.exeaskinstall4.exe

description	pid	process	target process
PID 296 wrote to memory of 2028	296	Microsoft_Toolkit.exe	KRSetp.exe
PID 296 wrote to memory of 2028	296	Microsoft_Toolkit.exe	KRSetp.exe
PID 296 wrote to memory of 2028	296	Microsoft_Toolkit.exe	KRSetp.exe
PID 296 wrote to memory of 2028	296	Microsoft_Toolkit.exe	KRSetp.exe
PID 296 wrote to memory of 1160	296	Microsoft_Toolkit.exe	jg7_7wjg.exe
PID 296 wrote to memory of 1160	296	Microsoft_Toolkit.exe	jg7_7wjg.exe
PID 296 wrote to memory of 1160	296	Microsoft_Toolkit.exe	jg7_7wjg.exe
PID 296 wrote to memory of 1160	296	Microsoft_Toolkit.exe	jg7_7wjg.exe
PID 296 wrote to memory of 1732	296	Microsoft_Toolkit.exe	proz.exe
PID 296 wrote to memory of 1732	296	Microsoft_Toolkit.exe	proz.exe
PID 296 wrote to memory of 1732	296	Microsoft_Toolkit.exe	proz.exe
PID 296 wrote to memory of 1732	296	Microsoft_Toolkit.exe	proz.exe
PID 296 wrote to memory of 1688	296	Microsoft_Toolkit.exe	ubisoftant.exe
PID 296 wrote to memory of 1688	296	Microsoft_Toolkit.exe	ubisoftant.exe
PID 296 wrote to memory of 1688	296	Microsoft_Toolkit.exe	ubisoftant.exe
PID 296 wrote to memory of 1688	296	Microsoft_Toolkit.exe	ubisoftant.exe
PID 296 wrote to memory of 1256	296	Microsoft_Toolkit.exe	askinstall4.exe
PID 296 wrote to memory of 1256	296	Microsoft_Toolkit.exe	askinstall4.exe
PID 296 wrote to memory of 1256	296	Microsoft_Toolkit.exe	askinstall4.exe
PID 296 wrote to memory of 1256	296	Microsoft_Toolkit.exe	askinstall4.exe
PID 296 wrote to memory of 1256	296	Microsoft_Toolkit.exe	askinstall4.exe
PID 296 wrote to memory of 1256	296	Microsoft_Toolkit.exe	askinstall4.exe
PID 296 wrote to memory of 1256	296	Microsoft_Toolkit.exe	askinstall4.exe
PID 296 wrote to memory of 1488	296	Microsoft_Toolkit.exe	piyyy.exe
PID 296 wrote to memory of 1488	296	Microsoft_Toolkit.exe	piyyy.exe
PID 296 wrote to memory of 1488	296	Microsoft_Toolkit.exe	piyyy.exe
PID 296 wrote to memory of 1488	296	Microsoft_Toolkit.exe	piyyy.exe
PID 296 wrote to memory of 1512	296	Microsoft_Toolkit.exe	update_5e6d00.exe
PID 296 wrote to memory of 1512	296	Microsoft_Toolkit.exe	update_5e6d00.exe
PID 296 wrote to memory of 1512	296	Microsoft_Toolkit.exe	update_5e6d00.exe
PID 296 wrote to memory of 1512	296	Microsoft_Toolkit.exe	update_5e6d00.exe
PID 296 wrote to memory of 1512	296	Microsoft_Toolkit.exe	update_5e6d00.exe
PID 296 wrote to memory of 1512	296	Microsoft_Toolkit.exe	update_5e6d00.exe
PID 296 wrote to memory of 1512	296	Microsoft_Toolkit.exe	update_5e6d00.exe
PID 296 wrote to memory of 1624	296	Microsoft_Toolkit.exe	setup.exe
PID 296 wrote to memory of 1624	296	Microsoft_Toolkit.exe	setup.exe
PID 296 wrote to memory of 1624	296	Microsoft_Toolkit.exe	setup.exe
PID 296 wrote to memory of 1624	296	Microsoft_Toolkit.exe	setup.exe
PID 296 wrote to memory of 1624	296	Microsoft_Toolkit.exe	setup.exe
PID 296 wrote to memory of 1624	296	Microsoft_Toolkit.exe	setup.exe
PID 296 wrote to memory of 1624	296	Microsoft_Toolkit.exe	setup.exe
PID 1732 wrote to memory of 544	1732	proz.exe	Pas.exe
PID 1732 wrote to memory of 544	1732	proz.exe	Pas.exe
PID 1732 wrote to memory of 544	1732	proz.exe	Pas.exe
PID 1732 wrote to memory of 544	1732	proz.exe	Pas.exe
PID 1624 wrote to memory of 888	1624	setup.exe	cmd.exe
PID 1624 wrote to memory of 888	1624	setup.exe	cmd.exe
PID 1624 wrote to memory of 888	1624	setup.exe	cmd.exe
PID 1624 wrote to memory of 888	1624	setup.exe	cmd.exe
PID 888 wrote to memory of 1052	888	cmd.exe	PING.EXE
PID 888 wrote to memory of 1052	888	cmd.exe	PING.EXE
PID 888 wrote to memory of 1052	888	cmd.exe	PING.EXE
PID 888 wrote to memory of 1052	888	cmd.exe	PING.EXE
PID 1728 wrote to memory of 1344	1728	iexplore.exe	IEXPLORE.EXE
PID 1728 wrote to memory of 1344	1728	iexplore.exe	IEXPLORE.EXE
PID 1728 wrote to memory of 1344	1728	iexplore.exe	IEXPLORE.EXE
PID 1728 wrote to memory of 1344	1728	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 1704	1488	piyyy.exe	jfiag3g_gg.exe
PID 1488 wrote to memory of 1704	1488	piyyy.exe	jfiag3g_gg.exe
PID 1488 wrote to memory of 1704	1488	piyyy.exe	jfiag3g_gg.exe
PID 1488 wrote to memory of 1704	1488	piyyy.exe	jfiag3g_gg.exe
PID 1256 wrote to memory of 2876	1256	askinstall4.exe	cmd.exe
PID 1256 wrote to memory of 2876	1256	askinstall4.exe	cmd.exe
PID 1256 wrote to memory of 2876	1256	askinstall4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Microsoft_Toolkit.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_Toolkit.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:296

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Users\Admin\AppData\Roaming\3902233.42
"C:\Users\Admin\AppData\Roaming\3902233.42"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Users\Admin\AppData\Roaming\301756.3
"C:\Users\Admin\AppData\Roaming\301756.3"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1688

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
4⤵
- Executes dropped EXE
PID:2596

C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
2⤵
- Executes dropped EXE
PID:1160

C:\Users\Admin\AppData\Local\Temp\proz.exe
"C:\Users\Admin\AppData\Local\Temp\proz.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:544

C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe
"C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Users\Admin\AppData\Local\Temp\piyyy.exe
"C:\Users\Admin\AppData\Local\Temp\piyyy.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1596

C:\Users\Admin\AppData\Local\Temp\update_5e6d00.exe
"C:\Users\Admin\AppData\Local\Temp\update_5e6d00.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1512

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
4⤵
- Runs ping.exe
PID:1052

C:\Users\Admin\AppData\Local\Temp\askinstall4.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:2876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:668678 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2948

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You are about to be logged off -m Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now. -a 3
1⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\CBD.exe
C:\Users\Admin\AppData\Local\Temp\CBD.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Users\Admin\AppData\Local\Temp\1BFA.exe
C:\Users\Admin\AppData\Local\Temp\1BFA.exe
1⤵
- Executes dropped EXE
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
e4237b6c80c7e380b86518121868f3ed

SHA1
465d7e8fd5414b23ca3719408b0d8f9a977f602c

SHA256
003961796645a5bf6d28ecad1382ce44a873a0d4ca519555072d06bdf854f9dc

SHA512
9328e4ff94b16f3d4fbffd5b6714791ebaf1e0221e7469e9d15863e1bd0c4e02a564c654c940589c6fe8dc84b9f0f3c27e29e064d288226fae87b61ce47e1126

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
5842bada2fb47066ddf67b30d9c7113d

SHA1
4548d33d64bd8234ca5fc6a22949e6a2b31086bc

SHA256
407dab721a652270307595ebe50c9a4c057d7d9188e691e99af042529e2bf74c

SHA512
4df94c3173994776a5f2b2258f782d00eea4b68dd889acd4f42fed90c5600ee1f180724e333094ce4842e574a393d504e8cd173ed2290f1758f0e755c1478e89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
1c2ec33722800d42cae4f38d8ec51e13

SHA1
71544362d28ed834caecdf19f806c24a12f1691c

SHA256
e16465d1f74df3b092257f1adeb88aeb69c0d512b8bd0b0e15ea50ffab22c26c

SHA512
d93f6d9efa7bcfe74cda3435db9afb89678e47fdb41b4aa6df05b2e99f890f80a38547469e299140bec189013ba34aff0a9e9cfb14c6d4640fbf2d182bbe740d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
e1c545c4f39e1e2d64888db4a3c086ea

SHA1
f62adb0e3eeb2f4c0f94ad09b65f083413c0cc72

SHA256
c6bd7cd7e22d46bab5b319ae1acd6d72110ac746a50fdf404c72b46faa7f47ff

SHA512
9c12399babea6ebbacacf79dd49468e1d93cc7c0167978def4c1be3dec3e741c32f2358031c071f46b43e015de5acd215aa500c58b3212ff292f37765a03955f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
ce82da74721b73ebca106db3d6c03101

SHA1
07dd2f58f2bfaec2aded4e380f57804c2ffe60bf

SHA256
2e21d96491d3f3f352d472e11064718fa6b8bf855ba11d167a8c6df42ced6181

SHA512
9752aadf0d83fa1df14ce4418b8b7a9b2e7c7530afd19fc6a8d5d4e908b89a5f51f945a7f0b4bcfba87e44fd130540e079ee9244c9658c94db187c748683ddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
ce82da74721b73ebca106db3d6c03101

SHA1
07dd2f58f2bfaec2aded4e380f57804c2ffe60bf

SHA256
2e21d96491d3f3f352d472e11064718fa6b8bf855ba11d167a8c6df42ced6181

SHA512
9752aadf0d83fa1df14ce4418b8b7a9b2e7c7530afd19fc6a8d5d4e908b89a5f51f945a7f0b4bcfba87e44fd130540e079ee9244c9658c94db187c748683ddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe
MD5
db2e9f9b8807458226ca4cb9a52ff5c4

SHA1
94b8b1e0b9c617d370ad5d1445d410692529d23b

SHA256
a0f2ff7cb28c9f9c4e4d7583d2fbbcf89b5a2320f2dc8e82749a0f59e6ba197b

SHA512
68406f390ccb28893dcd7e36ec290f59ae9f86f2cd1e36e1596815ac664cda83ff3a8b833c963492bcadcd3620c844c28e87fb398444970e82418de02147ecf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shaksd.url
MD5
2bd52feacf54206f58421c6591f8e6c5

SHA1
71a9b6be64c0ad8748098a5f5c7b1fcc759cc04e

SHA256
97dbe7ef7731ad0ef263b36120736bf3bf3de72cbc38186ded115e8190ba6edb

SHA512
e3d354a3fc333fc34b8da424cf5a4df51d17d07d5242035a7cf484aaf00a5254985f430e32f0ce5d9178b7baaa973172d46067a61c2e3a421600ebf6310b1576

Download Submit
C:\Users\Admin\AppData\Local\Temp\askinstall4.exe
MD5
53801ac3d522650a7c9a2f3e03b5c0a1

SHA1
b533a5eed14ecdc19159961df60e8aae58aee74b

SHA256
e28ff4f4b3871ebf761118f6ee0a8c1f600c90e54931f2e25030976906ed6568

SHA512
1e19561dae72756e7859298581ad859d844e879db8fd6e6f91a719a06b5dbf4f8cb690ab8adef3619f6ed9925bca39ae94609d071fdf043f7b85e1d5e6764c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
MD5
b319aba56f3a2c3fce5e3337acdfc849

SHA1
620879dbe04e71d8637104379581a95ff03c6025

SHA256
d2024a6ff6b174406d466890282e5d07f92e07ea5c64c2ef3f8d11397dcd6e70

SHA512
e1581c84bdfaf8f27d17dd9924a6c792fcb270e5d229328bdfdc258dae7f64fbb0d3ffb4ebbeaca643b1561c35dc2d507a638a0db3ddb189b78c357e89533e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
MD5
b319aba56f3a2c3fce5e3337acdfc849

SHA1
620879dbe04e71d8637104379581a95ff03c6025

SHA256
d2024a6ff6b174406d466890282e5d07f92e07ea5c64c2ef3f8d11397dcd6e70

SHA512
e1581c84bdfaf8f27d17dd9924a6c792fcb270e5d229328bdfdc258dae7f64fbb0d3ffb4ebbeaca643b1561c35dc2d507a638a0db3ddb189b78c357e89533e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\piyyy.exe
MD5
49939240c51965f0527297a3127b6c32

SHA1
78ab6d6f31a1b552a1a493b9f41690b6c47a28c3

SHA256
a7a20ca4cdcfd0e7b281e379889638207acd4b35e902caac95b894f02706129c

SHA512
abbd7a728a4dfc6b0ac04a9354172ef67e190f7b313e5cf7719e1240b4e2de12118ced45a1e7cd3494e4aad5420a28f01758b779269de8864b0f063e790b78ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\piyyy.exe
MD5
49939240c51965f0527297a3127b6c32

SHA1
78ab6d6f31a1b552a1a493b9f41690b6c47a28c3

SHA256
a7a20ca4cdcfd0e7b281e379889638207acd4b35e902caac95b894f02706129c

SHA512
abbd7a728a4dfc6b0ac04a9354172ef67e190f7b313e5cf7719e1240b4e2de12118ced45a1e7cd3494e4aad5420a28f01758b779269de8864b0f063e790b78ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\proz.exe
MD5
87930a2af638eab739a4925e5efb66be

SHA1
faa3701185a42c844020947407aec0c642fb96db

SHA256
5ea59c6498dd18d506f324a8b61f1a7c9008380f37ea6af60c308c05dfa0c371

SHA512
764928f88b53a5ccae09a1dee134fadcea6105c036dd6a53b97b57e7ef0577782ea569bcf8dfc6371fbb6ec9f1569c28fa3602de3ca669134febb0f039341ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\proz.exe
MD5
87930a2af638eab739a4925e5efb66be

SHA1
faa3701185a42c844020947407aec0c642fb96db

SHA256
5ea59c6498dd18d506f324a8b61f1a7c9008380f37ea6af60c308c05dfa0c371

SHA512
764928f88b53a5ccae09a1dee134fadcea6105c036dd6a53b97b57e7ef0577782ea569bcf8dfc6371fbb6ec9f1569c28fa3602de3ca669134febb0f039341ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
931a67fffb696d947a1cf5de4e02193a

SHA1
04d185b5641c394bf16ee0712c503622c81021bd

SHA256
36fcc164264719077c074a60132a51627f4f2fdd5ff775a549685349945c0bf9

SHA512
51c608c8b7ca11ba05b051aca54e9fbccad321f34a1ddb22619e687a5a86c9f7020299383ef90792da87941086943489a0bc2d1af10287ce69cd99f56a168f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
931a67fffb696d947a1cf5de4e02193a

SHA1
04d185b5641c394bf16ee0712c503622c81021bd

SHA256
36fcc164264719077c074a60132a51627f4f2fdd5ff775a549685349945c0bf9

SHA512
51c608c8b7ca11ba05b051aca54e9fbccad321f34a1ddb22619e687a5a86c9f7020299383ef90792da87941086943489a0bc2d1af10287ce69cd99f56a168f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe
MD5
9d778c2eb91a8b335cc085ffc5728a17

SHA1
8ff274de9a05b447341d8821dad63f461913045c

SHA256
9ff78393a5e67786ed14a4f019ab112b1ca1c977d8b35b107871ccff7a0f44d0

SHA512
fb7b4c07d58e3f771e126c8d89d9735347189351f72d5470c84c99d539fdd2ea6a7b1595d8b55a9334c12d53fde8973511aecbbf76959df253e9c6a4e0223deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe
MD5
9d778c2eb91a8b335cc085ffc5728a17

SHA1
8ff274de9a05b447341d8821dad63f461913045c

SHA256
9ff78393a5e67786ed14a4f019ab112b1ca1c977d8b35b107871ccff7a0f44d0

SHA512
fb7b4c07d58e3f771e126c8d89d9735347189351f72d5470c84c99d539fdd2ea6a7b1595d8b55a9334c12d53fde8973511aecbbf76959df253e9c6a4e0223deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\update_5e6d00.exe
MD5
9b556d99e3f32187b336a7d091e298f3

SHA1
fd132cf3106584a106909f3d96f476a1aede6043

SHA256
22167c9d39466648b4544fc60d48e631b743b73e1cab0fe179223e4785e3a6e3

SHA512
aa50f8d8f72869fcfc02ed0ef306aaa2a2076f0eea3a27b0d0e0a8a0a1f86502d5ef1e0e4a1f29ad985623b0d99dd4cf90f834fb4bdd5bce06ebc5fc3ef30c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update_5e6d00.exe
MD5
9b556d99e3f32187b336a7d091e298f3

SHA1
fd132cf3106584a106909f3d96f476a1aede6043

SHA256
22167c9d39466648b4544fc60d48e631b743b73e1cab0fe179223e4785e3a6e3

SHA512
aa50f8d8f72869fcfc02ed0ef306aaa2a2076f0eea3a27b0d0e0a8a0a1f86502d5ef1e0e4a1f29ad985623b0d99dd4cf90f834fb4bdd5bce06ebc5fc3ef30c6f

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
ce82da74721b73ebca106db3d6c03101

SHA1
07dd2f58f2bfaec2aded4e380f57804c2ffe60bf

SHA256
2e21d96491d3f3f352d472e11064718fa6b8bf855ba11d167a8c6df42ced6181

SHA512
9752aadf0d83fa1df14ce4418b8b7a9b2e7c7530afd19fc6a8d5d4e908b89a5f51f945a7f0b4bcfba87e44fd130540e079ee9244c9658c94db187c748683ddde

Download Submit
\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
ce82da74721b73ebca106db3d6c03101

SHA1
07dd2f58f2bfaec2aded4e380f57804c2ffe60bf

SHA256
2e21d96491d3f3f352d472e11064718fa6b8bf855ba11d167a8c6df42ced6181

SHA512
9752aadf0d83fa1df14ce4418b8b7a9b2e7c7530afd19fc6a8d5d4e908b89a5f51f945a7f0b4bcfba87e44fd130540e079ee9244c9658c94db187c748683ddde

Download Submit
\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
ce82da74721b73ebca106db3d6c03101

SHA1
07dd2f58f2bfaec2aded4e380f57804c2ffe60bf

SHA256
2e21d96491d3f3f352d472e11064718fa6b8bf855ba11d167a8c6df42ced6181

SHA512
9752aadf0d83fa1df14ce4418b8b7a9b2e7c7530afd19fc6a8d5d4e908b89a5f51f945a7f0b4bcfba87e44fd130540e079ee9244c9658c94db187c748683ddde

Download Submit
\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
ce82da74721b73ebca106db3d6c03101

SHA1
07dd2f58f2bfaec2aded4e380f57804c2ffe60bf

SHA256
2e21d96491d3f3f352d472e11064718fa6b8bf855ba11d167a8c6df42ced6181

SHA512
9752aadf0d83fa1df14ce4418b8b7a9b2e7c7530afd19fc6a8d5d4e908b89a5f51f945a7f0b4bcfba87e44fd130540e079ee9244c9658c94db187c748683ddde

Download Submit
\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
ce82da74721b73ebca106db3d6c03101

SHA1
07dd2f58f2bfaec2aded4e380f57804c2ffe60bf

SHA256
2e21d96491d3f3f352d472e11064718fa6b8bf855ba11d167a8c6df42ced6181

SHA512
9752aadf0d83fa1df14ce4418b8b7a9b2e7c7530afd19fc6a8d5d4e908b89a5f51f945a7f0b4bcfba87e44fd130540e079ee9244c9658c94db187c748683ddde

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe
MD5
db2e9f9b8807458226ca4cb9a52ff5c4

SHA1
94b8b1e0b9c617d370ad5d1445d410692529d23b

SHA256
a0f2ff7cb28c9f9c4e4d7583d2fbbcf89b5a2320f2dc8e82749a0f59e6ba197b

SHA512
68406f390ccb28893dcd7e36ec290f59ae9f86f2cd1e36e1596815ac664cda83ff3a8b833c963492bcadcd3620c844c28e87fb398444970e82418de02147ecf7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe
MD5
db2e9f9b8807458226ca4cb9a52ff5c4

SHA1
94b8b1e0b9c617d370ad5d1445d410692529d23b

SHA256
a0f2ff7cb28c9f9c4e4d7583d2fbbcf89b5a2320f2dc8e82749a0f59e6ba197b

SHA512
68406f390ccb28893dcd7e36ec290f59ae9f86f2cd1e36e1596815ac664cda83ff3a8b833c963492bcadcd3620c844c28e87fb398444970e82418de02147ecf7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe
MD5
db2e9f9b8807458226ca4cb9a52ff5c4

SHA1
94b8b1e0b9c617d370ad5d1445d410692529d23b

SHA256
a0f2ff7cb28c9f9c4e4d7583d2fbbcf89b5a2320f2dc8e82749a0f59e6ba197b

SHA512
68406f390ccb28893dcd7e36ec290f59ae9f86f2cd1e36e1596815ac664cda83ff3a8b833c963492bcadcd3620c844c28e87fb398444970e82418de02147ecf7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe
MD5
db2e9f9b8807458226ca4cb9a52ff5c4

SHA1
94b8b1e0b9c617d370ad5d1445d410692529d23b

SHA256
a0f2ff7cb28c9f9c4e4d7583d2fbbcf89b5a2320f2dc8e82749a0f59e6ba197b

SHA512
68406f390ccb28893dcd7e36ec290f59ae9f86f2cd1e36e1596815ac664cda83ff3a8b833c963492bcadcd3620c844c28e87fb398444970e82418de02147ecf7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe
MD5
db2e9f9b8807458226ca4cb9a52ff5c4

SHA1
94b8b1e0b9c617d370ad5d1445d410692529d23b

SHA256
a0f2ff7cb28c9f9c4e4d7583d2fbbcf89b5a2320f2dc8e82749a0f59e6ba197b

SHA512
68406f390ccb28893dcd7e36ec290f59ae9f86f2cd1e36e1596815ac664cda83ff3a8b833c963492bcadcd3620c844c28e87fb398444970e82418de02147ecf7

Download Submit
\Users\Admin\AppData\Local\Temp\askinstall4.exe
MD5
53801ac3d522650a7c9a2f3e03b5c0a1

SHA1
b533a5eed14ecdc19159961df60e8aae58aee74b

SHA256
e28ff4f4b3871ebf761118f6ee0a8c1f600c90e54931f2e25030976906ed6568

SHA512
1e19561dae72756e7859298581ad859d844e879db8fd6e6f91a719a06b5dbf4f8cb690ab8adef3619f6ed9925bca39ae94609d071fdf043f7b85e1d5e6764c1c

Download Submit
\Users\Admin\AppData\Local\Temp\askinstall4.exe
MD5
53801ac3d522650a7c9a2f3e03b5c0a1

SHA1
b533a5eed14ecdc19159961df60e8aae58aee74b

SHA256
e28ff4f4b3871ebf761118f6ee0a8c1f600c90e54931f2e25030976906ed6568

SHA512
1e19561dae72756e7859298581ad859d844e879db8fd6e6f91a719a06b5dbf4f8cb690ab8adef3619f6ed9925bca39ae94609d071fdf043f7b85e1d5e6764c1c

Download Submit
\Users\Admin\AppData\Local\Temp\askinstall4.exe
MD5
53801ac3d522650a7c9a2f3e03b5c0a1

SHA1
b533a5eed14ecdc19159961df60e8aae58aee74b

SHA256
e28ff4f4b3871ebf761118f6ee0a8c1f600c90e54931f2e25030976906ed6568

SHA512
1e19561dae72756e7859298581ad859d844e879db8fd6e6f91a719a06b5dbf4f8cb690ab8adef3619f6ed9925bca39ae94609d071fdf043f7b85e1d5e6764c1c

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
MD5
b319aba56f3a2c3fce5e3337acdfc849

SHA1
620879dbe04e71d8637104379581a95ff03c6025

SHA256
d2024a6ff6b174406d466890282e5d07f92e07ea5c64c2ef3f8d11397dcd6e70

SHA512
e1581c84bdfaf8f27d17dd9924a6c792fcb270e5d229328bdfdc258dae7f64fbb0d3ffb4ebbeaca643b1561c35dc2d507a638a0db3ddb189b78c357e89533e46

Download Submit
\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
MD5
b319aba56f3a2c3fce5e3337acdfc849

SHA1
620879dbe04e71d8637104379581a95ff03c6025

SHA256
d2024a6ff6b174406d466890282e5d07f92e07ea5c64c2ef3f8d11397dcd6e70

SHA512
e1581c84bdfaf8f27d17dd9924a6c792fcb270e5d229328bdfdc258dae7f64fbb0d3ffb4ebbeaca643b1561c35dc2d507a638a0db3ddb189b78c357e89533e46

Download Submit
\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
MD5
b319aba56f3a2c3fce5e3337acdfc849

SHA1
620879dbe04e71d8637104379581a95ff03c6025

SHA256
d2024a6ff6b174406d466890282e5d07f92e07ea5c64c2ef3f8d11397dcd6e70

SHA512
e1581c84bdfaf8f27d17dd9924a6c792fcb270e5d229328bdfdc258dae7f64fbb0d3ffb4ebbeaca643b1561c35dc2d507a638a0db3ddb189b78c357e89533e46

Download Submit
\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
MD5
b319aba56f3a2c3fce5e3337acdfc849

SHA1
620879dbe04e71d8637104379581a95ff03c6025

SHA256
d2024a6ff6b174406d466890282e5d07f92e07ea5c64c2ef3f8d11397dcd6e70

SHA512
e1581c84bdfaf8f27d17dd9924a6c792fcb270e5d229328bdfdc258dae7f64fbb0d3ffb4ebbeaca643b1561c35dc2d507a638a0db3ddb189b78c357e89533e46

Download Submit
\Users\Admin\AppData\Local\Temp\piyyy.exe
MD5
49939240c51965f0527297a3127b6c32

SHA1
78ab6d6f31a1b552a1a493b9f41690b6c47a28c3

SHA256
a7a20ca4cdcfd0e7b281e379889638207acd4b35e902caac95b894f02706129c

SHA512
abbd7a728a4dfc6b0ac04a9354172ef67e190f7b313e5cf7719e1240b4e2de12118ced45a1e7cd3494e4aad5420a28f01758b779269de8864b0f063e790b78ac

Download Submit
\Users\Admin\AppData\Local\Temp\piyyy.exe
MD5
49939240c51965f0527297a3127b6c32

SHA1
78ab6d6f31a1b552a1a493b9f41690b6c47a28c3

SHA256
a7a20ca4cdcfd0e7b281e379889638207acd4b35e902caac95b894f02706129c

SHA512
abbd7a728a4dfc6b0ac04a9354172ef67e190f7b313e5cf7719e1240b4e2de12118ced45a1e7cd3494e4aad5420a28f01758b779269de8864b0f063e790b78ac

Download Submit
\Users\Admin\AppData\Local\Temp\piyyy.exe
MD5
49939240c51965f0527297a3127b6c32

SHA1
78ab6d6f31a1b552a1a493b9f41690b6c47a28c3

SHA256
a7a20ca4cdcfd0e7b281e379889638207acd4b35e902caac95b894f02706129c

SHA512
abbd7a728a4dfc6b0ac04a9354172ef67e190f7b313e5cf7719e1240b4e2de12118ced45a1e7cd3494e4aad5420a28f01758b779269de8864b0f063e790b78ac

Download Submit
\Users\Admin\AppData\Local\Temp\proz.exe
MD5
87930a2af638eab739a4925e5efb66be

SHA1
faa3701185a42c844020947407aec0c642fb96db

SHA256
5ea59c6498dd18d506f324a8b61f1a7c9008380f37ea6af60c308c05dfa0c371

SHA512
764928f88b53a5ccae09a1dee134fadcea6105c036dd6a53b97b57e7ef0577782ea569bcf8dfc6371fbb6ec9f1569c28fa3602de3ca669134febb0f039341ea5

Download Submit
\Users\Admin\AppData\Local\Temp\proz.exe
MD5
87930a2af638eab739a4925e5efb66be

SHA1
faa3701185a42c844020947407aec0c642fb96db

SHA256
5ea59c6498dd18d506f324a8b61f1a7c9008380f37ea6af60c308c05dfa0c371

SHA512
764928f88b53a5ccae09a1dee134fadcea6105c036dd6a53b97b57e7ef0577782ea569bcf8dfc6371fbb6ec9f1569c28fa3602de3ca669134febb0f039341ea5

Download Submit
\Users\Admin\AppData\Local\Temp\proz.exe
MD5
87930a2af638eab739a4925e5efb66be

SHA1
faa3701185a42c844020947407aec0c642fb96db

SHA256
5ea59c6498dd18d506f324a8b61f1a7c9008380f37ea6af60c308c05dfa0c371

SHA512
764928f88b53a5ccae09a1dee134fadcea6105c036dd6a53b97b57e7ef0577782ea569bcf8dfc6371fbb6ec9f1569c28fa3602de3ca669134febb0f039341ea5

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
MD5
931a67fffb696d947a1cf5de4e02193a

SHA1
04d185b5641c394bf16ee0712c503622c81021bd

SHA256
36fcc164264719077c074a60132a51627f4f2fdd5ff775a549685349945c0bf9

SHA512
51c608c8b7ca11ba05b051aca54e9fbccad321f34a1ddb22619e687a5a86c9f7020299383ef90792da87941086943489a0bc2d1af10287ce69cd99f56a168f02

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
MD5
931a67fffb696d947a1cf5de4e02193a

SHA1
04d185b5641c394bf16ee0712c503622c81021bd

SHA256
36fcc164264719077c074a60132a51627f4f2fdd5ff775a549685349945c0bf9

SHA512
51c608c8b7ca11ba05b051aca54e9fbccad321f34a1ddb22619e687a5a86c9f7020299383ef90792da87941086943489a0bc2d1af10287ce69cd99f56a168f02

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
MD5
931a67fffb696d947a1cf5de4e02193a

SHA1
04d185b5641c394bf16ee0712c503622c81021bd

SHA256
36fcc164264719077c074a60132a51627f4f2fdd5ff775a549685349945c0bf9

SHA512
51c608c8b7ca11ba05b051aca54e9fbccad321f34a1ddb22619e687a5a86c9f7020299383ef90792da87941086943489a0bc2d1af10287ce69cd99f56a168f02

Download Submit
\Users\Admin\AppData\Local\Temp\ubisoftant.exe
MD5
9d778c2eb91a8b335cc085ffc5728a17

SHA1
8ff274de9a05b447341d8821dad63f461913045c

SHA256
9ff78393a5e67786ed14a4f019ab112b1ca1c977d8b35b107871ccff7a0f44d0

SHA512
fb7b4c07d58e3f771e126c8d89d9735347189351f72d5470c84c99d539fdd2ea6a7b1595d8b55a9334c12d53fde8973511aecbbf76959df253e9c6a4e0223deb

Download Submit
\Users\Admin\AppData\Local\Temp\ubisoftant.exe
MD5
9d778c2eb91a8b335cc085ffc5728a17

SHA1
8ff274de9a05b447341d8821dad63f461913045c

SHA256
9ff78393a5e67786ed14a4f019ab112b1ca1c977d8b35b107871ccff7a0f44d0

SHA512
fb7b4c07d58e3f771e126c8d89d9735347189351f72d5470c84c99d539fdd2ea6a7b1595d8b55a9334c12d53fde8973511aecbbf76959df253e9c6a4e0223deb

Download Submit
\Users\Admin\AppData\Local\Temp\ubisoftant.exe
MD5
9d778c2eb91a8b335cc085ffc5728a17

SHA1
8ff274de9a05b447341d8821dad63f461913045c

SHA256
9ff78393a5e67786ed14a4f019ab112b1ca1c977d8b35b107871ccff7a0f44d0

SHA512
fb7b4c07d58e3f771e126c8d89d9735347189351f72d5470c84c99d539fdd2ea6a7b1595d8b55a9334c12d53fde8973511aecbbf76959df253e9c6a4e0223deb

Download Submit
\Users\Admin\AppData\Local\Temp\ubisoftant.exe
MD5
9d778c2eb91a8b335cc085ffc5728a17

SHA1
8ff274de9a05b447341d8821dad63f461913045c

SHA256
9ff78393a5e67786ed14a4f019ab112b1ca1c977d8b35b107871ccff7a0f44d0

SHA512
fb7b4c07d58e3f771e126c8d89d9735347189351f72d5470c84c99d539fdd2ea6a7b1595d8b55a9334c12d53fde8973511aecbbf76959df253e9c6a4e0223deb

Download Submit
\Users\Admin\AppData\Local\Temp\ubisoftant.exe
MD5
9d778c2eb91a8b335cc085ffc5728a17

SHA1
8ff274de9a05b447341d8821dad63f461913045c

SHA256
9ff78393a5e67786ed14a4f019ab112b1ca1c977d8b35b107871ccff7a0f44d0

SHA512
fb7b4c07d58e3f771e126c8d89d9735347189351f72d5470c84c99d539fdd2ea6a7b1595d8b55a9334c12d53fde8973511aecbbf76959df253e9c6a4e0223deb

Download Submit
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe
MD5
9b556d99e3f32187b336a7d091e298f3

SHA1
fd132cf3106584a106909f3d96f476a1aede6043

SHA256
22167c9d39466648b4544fc60d48e631b743b73e1cab0fe179223e4785e3a6e3

SHA512
aa50f8d8f72869fcfc02ed0ef306aaa2a2076f0eea3a27b0d0e0a8a0a1f86502d5ef1e0e4a1f29ad985623b0d99dd4cf90f834fb4bdd5bce06ebc5fc3ef30c6f

Download Submit
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe
MD5
9b556d99e3f32187b336a7d091e298f3

SHA1
fd132cf3106584a106909f3d96f476a1aede6043

SHA256
22167c9d39466648b4544fc60d48e631b743b73e1cab0fe179223e4785e3a6e3

SHA512
aa50f8d8f72869fcfc02ed0ef306aaa2a2076f0eea3a27b0d0e0a8a0a1f86502d5ef1e0e4a1f29ad985623b0d99dd4cf90f834fb4bdd5bce06ebc5fc3ef30c6f

Download Submit
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe
MD5
9b556d99e3f32187b336a7d091e298f3

SHA1
fd132cf3106584a106909f3d96f476a1aede6043

SHA256
22167c9d39466648b4544fc60d48e631b743b73e1cab0fe179223e4785e3a6e3

SHA512
aa50f8d8f72869fcfc02ed0ef306aaa2a2076f0eea3a27b0d0e0a8a0a1f86502d5ef1e0e4a1f29ad985623b0d99dd4cf90f834fb4bdd5bce06ebc5fc3ef30c6f

Download Submit
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe
MD5
9b556d99e3f32187b336a7d091e298f3

SHA1
fd132cf3106584a106909f3d96f476a1aede6043

SHA256
22167c9d39466648b4544fc60d48e631b743b73e1cab0fe179223e4785e3a6e3

SHA512
aa50f8d8f72869fcfc02ed0ef306aaa2a2076f0eea3a27b0d0e0a8a0a1f86502d5ef1e0e4a1f29ad985623b0d99dd4cf90f834fb4bdd5bce06ebc5fc3ef30c6f

Download Submit
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe
MD5
9b556d99e3f32187b336a7d091e298f3

SHA1
fd132cf3106584a106909f3d96f476a1aede6043

SHA256
22167c9d39466648b4544fc60d48e631b743b73e1cab0fe179223e4785e3a6e3

SHA512
aa50f8d8f72869fcfc02ed0ef306aaa2a2076f0eea3a27b0d0e0a8a0a1f86502d5ef1e0e4a1f29ad985623b0d99dd4cf90f834fb4bdd5bce06ebc5fc3ef30c6f

Download Submit
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe
MD5
9b556d99e3f32187b336a7d091e298f3

SHA1
fd132cf3106584a106909f3d96f476a1aede6043

SHA256
22167c9d39466648b4544fc60d48e631b743b73e1cab0fe179223e4785e3a6e3

SHA512
aa50f8d8f72869fcfc02ed0ef306aaa2a2076f0eea3a27b0d0e0a8a0a1f86502d5ef1e0e4a1f29ad985623b0d99dd4cf90f834fb4bdd5bce06ebc5fc3ef30c6f

Download Submit
\Users\Admin\AppData\Local\Temp\update_5e6d00.exe
MD5
9b556d99e3f32187b336a7d091e298f3

SHA1
fd132cf3106584a106909f3d96f476a1aede6043

SHA256
22167c9d39466648b4544fc60d48e631b743b73e1cab0fe179223e4785e3a6e3

SHA512
aa50f8d8f72869fcfc02ed0ef306aaa2a2076f0eea3a27b0d0e0a8a0a1f86502d5ef1e0e4a1f29ad985623b0d99dd4cf90f834fb4bdd5bce06ebc5fc3ef30c6f

Download Submit
memory/296-3-0x0000000001010000-0x0000000001111000-memory.dmp

Filesize
1.0MB

Download
memory/296-2-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/544-94-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/544-81-0x00000000049C0000-0x00000000049D1000-memory.dmp

Filesize
68KB

Download
memory/544-82-0x0000000000320000-0x0000000000370000-memory.dmp

Filesize
320KB

Download
memory/544-84-0x0000000004810000-0x00000000048A2000-memory.dmp

Filesize
584KB

Download
memory/544-70-0x0000000000000000-mapping.dmp

Download
memory/700-100-0x000007FEF7850000-0x000007FEF7ACA000-memory.dmp

Filesize
2.5MB

Download
memory/880-178-0x0000000000000000-mapping.dmp

Download
memory/880-181-0x0000000000320000-0x00000000003B2000-memory.dmp

Filesize
584KB

Download
memory/880-182-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/880-179-0x0000000004840000-0x0000000004851000-memory.dmp

Filesize
68KB

Download
memory/888-76-0x0000000000000000-mapping.dmp

Download
memory/1052-78-0x0000000000000000-mapping.dmp

Download
memory/1160-44-0x00000000746E0000-0x0000000074883000-memory.dmp

Filesize
1.6MB

Download
memory/1160-18-0x0000000000000000-mapping.dmp

Download
memory/1160-80-0x000000000050C000-0x000000000050D000-memory.dmp

Filesize
4KB

Download
memory/1244-128-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

Filesize
88KB

Download
memory/1256-38-0x0000000000000000-mapping.dmp

Download
memory/1324-174-0x00000000049E0000-0x00000000049F1000-memory.dmp

Filesize
68KB

Download
memory/1324-176-0x00000000002B0000-0x000000000031B000-memory.dmp

Filesize
428KB

Download
memory/1324-173-0x0000000000000000-mapping.dmp

Download
memory/1324-177-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1344-109-0x0000000000000000-mapping.dmp

Download
memory/1344-126-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/1488-45-0x0000000000000000-mapping.dmp

Download
memory/1512-88-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/1512-85-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1512-87-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1512-52-0x0000000000000000-mapping.dmp

Download
memory/1512-79-0x00000000062F0000-0x0000000006301000-memory.dmp

Filesize
68KB

Download
memory/1596-138-0x0000000000000000-mapping.dmp

Download
memory/1624-60-0x0000000000000000-mapping.dmp

Download
memory/1688-91-0x00000000746E0000-0x0000000074883000-memory.dmp

Filesize
1.6MB

Download
memory/1688-144-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1688-97-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/1688-156-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1688-150-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1688-149-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/1688-32-0x0000000000000000-mapping.dmp

Download
memory/1688-140-0x0000000000000000-mapping.dmp

Download
memory/1688-148-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1688-141-0x0000000070950000-0x000000007103E000-memory.dmp

Filesize
6.9MB

Download
memory/1704-123-0x0000000000000000-mapping.dmp

Download
memory/1732-24-0x0000000000000000-mapping.dmp

Download
memory/2008-155-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2008-142-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2008-147-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2008-137-0x0000000070950000-0x000000007103E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-136-0x0000000000000000-mapping.dmp

Download
memory/2008-151-0x00000000002F0000-0x0000000000321000-memory.dmp

Filesize
196KB

Download
memory/2008-152-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2008-162-0x00000000004F0000-0x0000000000501000-memory.dmp

Filesize
68KB

Download
memory/2028-92-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2028-95-0x0000000000840000-0x0000000000842000-memory.dmp

Filesize
8KB

Download
memory/2028-93-0x00000000007F0000-0x0000000000813000-memory.dmp

Filesize
140KB

Download
memory/2028-96-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2028-10-0x0000000000000000-mapping.dmp

Download
memory/2028-15-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2028-89-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2100-172-0x0000000001AF0000-0x0000000001AF1000-memory.dmp

Filesize
4KB

Download
memory/2144-135-0x0000000000000000-mapping.dmp

Download
memory/2432-143-0x0000000000000000-mapping.dmp

Download
memory/2596-167-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/2596-157-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2596-154-0x0000000070950000-0x000000007103E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-153-0x0000000000000000-mapping.dmp

Download
memory/2876-134-0x0000000000000000-mapping.dmp

Download
memory/2948-170-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2948-169-0x000007FEFC0A1000-0x000007FEFC0A3000-memory.dmp

Filesize
8KB

Download
memory/2948-168-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads