gandcrab | db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9

Analysis

max time kernel
161s
max time network
180s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-01-2022 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Size

191KB
MD5

5bc5696a899074cb3623aa640602c8ad
SHA1

792d0ef1d01d80426aabc2c8bbeb680690d94798
SHA256

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9
SHA512

7574237d9495c0cf056b67fb7efa61d426f383976e8fb73b2370835fd1ed63a85d0061c24ee16472bb973acd7cbbb690638b07bb20057774ace0e13b4f87e221

Score

10^/10

gandcrab backdoor ransomware spyware stealer suricata upx

Malware Config

Extracted

Path

C:\KRAB-DECRYPT.txt

Ransom Note

---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/cb99ace73fd0ad8 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAH1puCsQ4DEdXMJkqi47uZW7Nl7ZRwkRAp0Tf0eCPN7nSIsj7oujK+0alOSBNISAFmHWWGIoPAE0O7vr2M7qBmk9ujuyvKZy3moCoMRcYObs3obXWTeVL97p2v19xyCWpbN1DVGuIxEZ37HI3naO7g1HiCNliGy7GbZtcpFX8WylIjYvafC0CL+NLPd4R/I+nTK3aRPNPXU0uRjqPeZLPOkTxsIeUjEMeKbC24q1yM9QQ0BGA4lRh77X7gnUvdp+vSQ3QVGv2GtCbuvEonFPwKSIS2YctcQiWNNkLcCA6Tg3YRY6uSVFhC73v8na+JWwEp4vkW1bQ6jL7XGU8Grovymxs4GR7aN5LgI/0f8bqkELR1/4YwWzXIHJnCpz1bnlhDyxQs7GveUY5wwJmnpF/CFcy+o/R+i3y2X4+HGDhGionxBuSurEyWrtsrOIrB3L4kWjAxqb3BwB46864jbXefAZRvykykRWPvvlL9T0gsfo1mqKj/IkjZssBeinNLOw13WmNXwcQKWDADMkLFG8pZ+92GlDijZMSvWm3Led36m2ZCxQsgcou4X2PwZVzl/iLBNoRzeznZKx2CLiV227QW09Y1rc+u/GTYdShok471vr+/r8SjIWpBhexc3wBTQeZ8lEA7jnVtyr4LvxcmQNzJMyJdUAQs25U5FBZJP6I5lcjOriJWgKQ6DOMZMeBpowacDSc/UAV35NEo6hQ24/fLVag2Yf6/2wTY7SXh1Zfh04b5xGyBtIaB6py3x6R+wPuw2LIfq9mG1zv3xgbFZQFUlLbsVGPe4/qJBiottycqdcv+l7oNgf9rb06IYDMlSoZzpYeymxmrT4yUWDQ8Wlea61cknogJv2wQERq7ZCpvww/UjGGl1T1Z5y8u476zpM2kKOh3bABRk9eR34BIXRqcblM79MzljFsuyKBu60PBDtmWlKugwf33AFZAn9RcrJWZbTaWTy0FdBs1enzKG8rJL17uzx46XaPBQrnZGd2s8H7tElUZ6wLkzwFbRnX7ziWapqL8V8jgPZqIhaRIz1VMbh7rj/mp8QvCyKRg7lz/XbG19QQpiJfqe4+xFxYDSZSu1ExMsEaMIydAIldTGktcSDEl9ylRuXeZR+oJwVonT9yulIztFyMA70yiU8RWhAqLagwutDomyxMYqSuKLaqWYHgUYGY6mqLDAtsjQ6HUax0JdS7EAkidB7xli4TwqKxTdFrUwcVXpDjSWe+4bQfXcpoD+Nsx21IWLzBQ3aHNku5CvxW2/vA3Bl1FE1fEdhf3iB3taU3WEw1wgLgvABzG7pQTGcn9dV0mH/3UxLI/ECE3yh4HfOuNLhPr54afDrfG2J77WhNuooywNBXLhQmdSIDKUOl+OIwoDD1NPIvsNTb2gR3z+naslXYyQ3hZ4WDBvz7dIpax4SwghY4umQaFqY9KTrpX0Ud9pWz3EVmqJIaMmAIrWDIjiyejNd2dFm8oQQLvx1LqxYU3mAMxpCIwxBErWOBcZf4g86mM1a37ieMsojw380X/OvZOlOE+CCoHjATO4nanUY8DfEhRh4drTq1AAgfafo7q1f1J4CiXivpO/g3H6mMioCNkGwH3IbjByv7/3IxzlXkheWS2uB3+s7iXP+srpTLVyv4LGHXldGXzUxpmjf+hi+8uDibN0w40zwnqkcXwnHsXkTxD7rhedJqCISTYdXXwTik+ZhG+1etzkMeufoxGPFlH/Ub6iiTzajcKiyhgLyGfTKJCKFlJOLI8gsUMorznPOqVoyUbm9ZB7AS9RPdm9MXbOUPDlttbpifxKbD/JxEmjEoNinpX6KHFlsArK2mMcVGFgyCgy812BOWEDq1nOTykgwsyfWdCPKfUcUfg1eqGfbWxUmpQKW7UMsCOwqyg6lMbk9y0SSuU1/oNFaEd475LPB19yCGQngCNhPUqQZbaIKFFsdNZMpEGGJq5BokpQtWTMh1+DYfiJxvcgrKFvpuAFpiE//e/KqAaiJ8H5SgGz3RfEIJgszNsaVi0WXUkxdyAC0bc1iCK/soKXSuCWfShdYvLRUO1/Qj4UpnVD/PvWegqRqNmwWmr1kMo1MdH+DoQylidzCokGwJVGzQe1nZHR1u/af0Vz2nvPa1/Ls8CvcvloCePLnr9iYaG4dwUcTOyvNF4KlT/DD7dpaRkx2hqwCMhbtPa+wQpSalpUDrxn+OmldvcIIuRiYJcEFa7IIPRLoTZaWYKxsxlmuPPNODQSqst/MROw5ge0= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZGToRRtXYY7nBWqLfMTHCHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+BisLEgkUHB6eL1/zU2ROshGthYOlrXBift/BGCEdEbtydK4o24b6bsY7hyY4zV2QKiqZRuTRsqAVO9JIUJp5FtwNQoBRPKnKw+CO5XALafi2Epg65rLQ3qxA5KyA70ZizpABFF3vTLNeat1xAZaHRCRliKfznQ1kfgN39ImRrf9yyrQR1nkLIqlsaw7HIYVcjpKTe2fFccJcA8PyhNj39SQ2/C2KZUErLtf0jsBdBMMpGrHpcOL7+fRYUP+Ik= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/cb99ace73fd0ad8

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe

pid process

1648 db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe

pid	process
1648	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BlockRename.crw => C:\Users\Admin\Pictures\BlockRename.crw.KRAB	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File renamed	C:\Users\Admin\Pictures\InstallUse.png => C:\Users\Admin\Pictures\InstallUse.png.KRAB	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File renamed	C:\Users\Admin\Pictures\ReceiveExport.png => C:\Users\Admin\Pictures\ReceiveExport.png.KRAB	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1648-59-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1648-61-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1648-62-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1648-64-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe

pid	process
956	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
956	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe

description	ioc	process
File opened (read-only)	\??\A:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\G:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\P:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\X:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\E:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\H:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\L:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\N:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\V:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\W:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\Y:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\F:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\J:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\K:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\Q:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\T:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\Z:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\B:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\I:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\M:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\O:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\R:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\S:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened (read-only)	\??\U:	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe

Drops file in Program Files directory 30 IoCs

Processes:

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe

description	ioc	process
File opened for modification	C:\Program Files\CompareCheckpoint.3gpp	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\ConfirmReceive.vst	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\SelectApprove.odp	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File created	C:\Program Files (x86)\KRAB-DECRYPT.txt	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\ReceiveAdd.wax	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\SyncWatch.tiff	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File created	C:\Program Files (x86)\3fd0d3b3fd0adf214.lock	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\3fd0d3b3fd0adf214.lock	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\ResumeCopy.raw	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\RevokePop.dwfx	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\KRAB-DECRYPT.txt	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\BackupPing.dot	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\ConvertToUnpublish.pps	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\RestoreCopy.docm	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\SendRequest.raw	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\3fd0d3b3fd0adf214.lock	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\FindMeasure.WTV	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\RegisterPop.cr2	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\RestoreCompare.mp2v	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\3fd0d3b3fd0adf214.lock	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File created	C:\Program Files\KRAB-DECRYPT.txt	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File created	C:\Program Files\3fd0d3b3fd0adf214.lock	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\HideMeasure.vst	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\KRAB-DECRYPT.txt	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\KRAB-DECRYPT.txt	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\DisconnectRestore.pptx	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\EnterEdit.kix	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\OutExit.xsl	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\ClearDismount.nfo	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
File opened for modification	C:\Program Files\EnterSet.au	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea596e297fb7a9458536fc3333bf8bfa00000000020000000000106600000001000020000000829ea69eeef52eb759a1103c5e2352ce9d77793bf93131eb93b772d6862bc23b000000000e800000000200002000000017086bddd08e83130cee989f43b9bc1dc1d8bb90d75ea8c888b0db5e7c2f00e310000000b30ddd09205251619e4599455984f70940000000096ed4ae6f989561fcd061de4bd06aac100402cea90361acc3c98cb2f3b416825f197cf31378573aefa16e57462043d77d8f444baec3b53b63d9dcd1868e23c7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B25B3090-806D-11EC-953C-E61AA6254D84} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea596e297fb7a9458536fc3333bf8bfa000000000200000000001066000000010000200000003e16e629c2568b69363527ec56b27c727d3cf51b62c93fef980d9b8684ef1be8000000000e80000000020000200000002c99af7430542783be7f3b90a6f623b0c029b5922564b9ea8919f851340f3f83500000004abbde770ba077f56cf3cc7da694b71fe2e0699fd7b8979283cb52f9268cd04b697b359704fa02ea3cf93d888e5e0eb0df6ed60c66b132a12504808378b4dde713dc5cb3a753814ce3a46799b44df65040000000c67491160f1364934e847df1a0bbcc91d313b76ba205d7d7e385f802b72282df896401a357df7c16407e18854bc3671ff93c1b23cf9eac68f383580f347e4bee	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350161898"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exedb2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe

pid	process
956	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
956	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
1648	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
1648	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
1648	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
1648	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exewmic.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1648	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
Token: SeIncreaseQuotaPrivilege	1408	wmic.exe
Token: SeSecurityPrivilege	1408	wmic.exe
Token: SeTakeOwnershipPrivilege	1408	wmic.exe
Token: SeLoadDriverPrivilege	1408	wmic.exe
Token: SeSystemProfilePrivilege	1408	wmic.exe
Token: SeSystemtimePrivilege	1408	wmic.exe
Token: SeProfSingleProcessPrivilege	1408	wmic.exe
Token: SeIncBasePriorityPrivilege	1408	wmic.exe
Token: SeCreatePagefilePrivilege	1408	wmic.exe
Token: SeBackupPrivilege	1408	wmic.exe
Token: SeRestorePrivilege	1408	wmic.exe
Token: SeShutdownPrivilege	1408	wmic.exe
Token: SeDebugPrivilege	1408	wmic.exe
Token: SeSystemEnvironmentPrivilege	1408	wmic.exe
Token: SeRemoteShutdownPrivilege	1408	wmic.exe
Token: SeUndockPrivilege	1408	wmic.exe
Token: SeManageVolumePrivilege	1408	wmic.exe
Token: 33	1408	wmic.exe
Token: 34	1408	wmic.exe
Token: 35	1408	wmic.exe
Token: SeIncreaseQuotaPrivilege	1408	wmic.exe
Token: SeSecurityPrivilege	1408	wmic.exe
Token: SeTakeOwnershipPrivilege	1408	wmic.exe
Token: SeLoadDriverPrivilege	1408	wmic.exe
Token: SeSystemProfilePrivilege	1408	wmic.exe
Token: SeSystemtimePrivilege	1408	wmic.exe
Token: SeProfSingleProcessPrivilege	1408	wmic.exe
Token: SeIncBasePriorityPrivilege	1408	wmic.exe
Token: SeCreatePagefilePrivilege	1408	wmic.exe
Token: SeBackupPrivilege	1408	wmic.exe
Token: SeRestorePrivilege	1408	wmic.exe
Token: SeShutdownPrivilege	1408	wmic.exe
Token: SeDebugPrivilege	1408	wmic.exe
Token: SeSystemEnvironmentPrivilege	1408	wmic.exe
Token: SeRemoteShutdownPrivilege	1408	wmic.exe
Token: SeUndockPrivilege	1408	wmic.exe
Token: SeManageVolumePrivilege	1408	wmic.exe
Token: 33	1408	wmic.exe
Token: 34	1408	wmic.exe
Token: 35	1408	wmic.exe
Token: SeBackupPrivilege	544	vssvc.exe
Token: SeRestorePrivilege	544	vssvc.exe
Token: SeAuditPrivilege	544	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

532 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

532 iexplore.exe
532 iexplore.exe
1340 IEXPLORE.EXE
1340 IEXPLORE.EXE
1340 IEXPLORE.EXE
1340 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe

pid process

1648 db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe

pid	process
532	iexplore.exe

pid	process
532	iexplore.exe
532	iexplore.exe
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE

pid	process
1648	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exedb2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exeiexplore.exe

description	pid	process	target process
PID 956 wrote to memory of 1648	956	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
PID 956 wrote to memory of 1648	956	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
PID 956 wrote to memory of 1648	956	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
PID 956 wrote to memory of 1648	956	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
PID 1648 wrote to memory of 532	1648	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe	iexplore.exe
PID 1648 wrote to memory of 532	1648	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe	iexplore.exe
PID 1648 wrote to memory of 532	1648	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe	iexplore.exe
PID 1648 wrote to memory of 532	1648	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe	iexplore.exe
PID 532 wrote to memory of 1340	532	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1340	532	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1340	532	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1340	532	iexplore.exe	IEXPLORE.EXE
PID 956 wrote to memory of 1408	956	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe	wmic.exe
PID 956 wrote to memory of 1408	956	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe	wmic.exe
PID 956 wrote to memory of 1408	956	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe	wmic.exe
PID 956 wrote to memory of 1408	956	db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
"C:\Users\Admin\AppData\Local\Temp\db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe"
1⤵
- Modifies extensions of user files
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
C:\Users\Admin\AppData\Local\Temp\db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:532 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1340

C:\Windows\SysWOW64\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
3ec1519968b754aaa9a783bb99482dec

SHA1
babb497779892eb6e546e29c3bc97b8aa87589f3

SHA256
da35a16953a78784a2aa6dd938277a93d58250b696ab4652a8d05240ebad95d1

SHA512
c3275573da57ea0ca273c33db6f698da78cc5dd2d45e80c11a5b1ce3b6a01b422bea69da6266c316ca16fff840a542e98f9db8f3f3d7e7bd4b22d35a0681db60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
954929ce43b4c392785a78f019f358aa

SHA1
caa737db152a97e78d684f33578dc347f5e42ee9

SHA256
73faad6026652a3d53a08627aa9be2260345ca029b31eafcc265a27025fa3de0

SHA512
a06649e32d9db4a55ba14f21c1715058588b1cc820ac9cd7ce59a75fbe894f00fbcf51a54d742390940cc722fae120f6dd9cf7ee848c4f53effc3fe988d3c64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
MD5
53879f5fd7af722a70627f9e4b5adce5

SHA1
69de5fa9e86e2c7925a1a2b99fd8afca5f490297

SHA256
db2ac1b0d85aef160b4bdab57c3ebe3fb53eec7345ef703bc1a328f803ea3075

SHA512
d354a713c6912cec8df4203a69bc048a267ed3b357e1cb24aa96f6d910e1c96a946f8ea82524c0253f2395727efadc55c6672ebf0b0dac66dc4872d2161f55bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\KRAB-DECRYPT.txt
MD5
afcd9fdacd2991fd25ec06dd757d4ef5

SHA1
955df6950e161275f94bb70a01cf550271f1bdee

SHA256
28bc4114d45a1ccd76a4d42dd82cd5714048b197ab01f36ebfb6fc17bb5f1c27

SHA512
dc242357b51c38aafbcb0294ceff17a0fba2f353895091bb274c05317a3b7d7017b68443fa9342b7914e54c5d8db423ee17b2e796084df3d72998bd12a7d6e9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\KRAB-DECRYPT.txt
MD5
afcd9fdacd2991fd25ec06dd757d4ef5

SHA1
955df6950e161275f94bb70a01cf550271f1bdee

SHA256
28bc4114d45a1ccd76a4d42dd82cd5714048b197ab01f36ebfb6fc17bb5f1c27

SHA512
dc242357b51c38aafbcb0294ceff17a0fba2f353895091bb274c05317a3b7d7017b68443fa9342b7914e54c5d8db423ee17b2e796084df3d72998bd12a7d6e9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\KRAB-DECRYPT.txt
MD5
afcd9fdacd2991fd25ec06dd757d4ef5

SHA1
955df6950e161275f94bb70a01cf550271f1bdee

SHA256
28bc4114d45a1ccd76a4d42dd82cd5714048b197ab01f36ebfb6fc17bb5f1c27

SHA512
dc242357b51c38aafbcb0294ceff17a0fba2f353895091bb274c05317a3b7d7017b68443fa9342b7914e54c5d8db423ee17b2e796084df3d72998bd12a7d6e9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U9JYTBEA.txt
MD5
fa6cf5b56236f60e99c58e186b470257

SHA1
c6ea9caa04c8883de0d3cd828239d8d6729b2207

SHA256
a13b9ea6003f6cc1ff564549a1194ad7920817cea9e7fb3fe3f0b91fe81f2294

SHA512
2aea899c4471c9e247965c1abff31466421928a867535e0a4a1bbd2005eb2a79c3093aa3250925fe017823a3f55e913c2ac9f15ff68e8aa0e7f7c45b9ee2039a

Download Submit
\Users\Admin\AppData\Local\Temp\db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
MD5
53879f5fd7af722a70627f9e4b5adce5

SHA1
69de5fa9e86e2c7925a1a2b99fd8afca5f490297

SHA256
db2ac1b0d85aef160b4bdab57c3ebe3fb53eec7345ef703bc1a328f803ea3075

SHA512
d354a713c6912cec8df4203a69bc048a267ed3b357e1cb24aa96f6d910e1c96a946f8ea82524c0253f2395727efadc55c6672ebf0b0dac66dc4872d2161f55bc

Download Submit
\Users\Admin\AppData\Local\Temp\db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
MD5
53879f5fd7af722a70627f9e4b5adce5

SHA1
69de5fa9e86e2c7925a1a2b99fd8afca5f490297

SHA256
db2ac1b0d85aef160b4bdab57c3ebe3fb53eec7345ef703bc1a328f803ea3075

SHA512
d354a713c6912cec8df4203a69bc048a267ed3b357e1cb24aa96f6d910e1c96a946f8ea82524c0253f2395727efadc55c6672ebf0b0dac66dc4872d2161f55bc

Download Submit
memory/956-55-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download
memory/956-71-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/1648-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1648-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1648-63-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1648-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1648-61-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1648-60-0x0000000000410000-0x0000000000419000-memory.dmp

Filesize
36KB

Download