metasploit | 2c05f216181f20e481650a7807ba0420c25ca7410748ef66e5bcb4f8de693c31

Analysis

max time kernel
292s
max time network
313s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2022 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c.exe
Size

49.4MB
MD5

50f031c86135dfd7005ed6c048860914
SHA1

9f20e3545618f119d7e0ecec78b4aef43d4c0ad6
SHA256

5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c
SHA512

4aeac37df917c511cb35e44f4e807545a25529069ef3158febf71167b5658cd8e5b54e8aab0ae236a377e049efc9f0732bb47014cddf50c2abe927246e022fd4

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

70.251.211.113:80

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 7 IoCs

Processes:

FINALCRY.EXEUNMINEABLE MINER 1.1.0-BETA-MFI.EXEunMineable Miner.exeunMineable Miner.exeunMineable Miner.exeunMineable Miner.exeunMineable Miner.exe

pid	process
5012	FINALCRY.EXE
1820	UNMINEABLE MINER 1.1.0-BETA-MFI.EXE
4900	unMineable Miner.exe
2528	unMineable Miner.exe
1780	unMineable Miner.exe
2124	unMineable Miner.exe
2084	unMineable Miner.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c.exeunMineable Miner.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	unMineable Miner.exe

Loads dropped DLL 12 IoCs

Processes:

UNMINEABLE MINER 1.1.0-BETA-MFI.EXEunMineable Miner.exeunMineable Miner.exeunMineable Miner.exeunMineable Miner.exeunMineable Miner.exe

pid	process
1820	UNMINEABLE MINER 1.1.0-BETA-MFI.EXE
1820	UNMINEABLE MINER 1.1.0-BETA-MFI.EXE
1820	UNMINEABLE MINER 1.1.0-BETA-MFI.EXE
4900	unMineable Miner.exe
2528	unMineable Miner.exe
1780	unMineable Miner.exe
2124	unMineable Miner.exe
2528	unMineable Miner.exe
2528	unMineable Miner.exe
2528	unMineable Miner.exe
2084	unMineable Miner.exe
2084	unMineable Miner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

unMineable Miner.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	unMineable Miner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	unMineable Miner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	unMineable Miner.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

unMineable Miner.exeunMineable Miner.exeunMineable Miner.exe

pid	process
1780	unMineable Miner.exe
1780	unMineable Miner.exe
2124	unMineable Miner.exe
2124	unMineable Miner.exe
2084	unMineable Miner.exe
2084	unMineable Miner.exe
2084	unMineable Miner.exe
2084	unMineable Miner.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

UNMINEABLE MINER 1.1.0-BETA-MFI.EXE

description pid process

Token: SeSecurityPrivilege 1820 UNMINEABLE MINER 1.1.0-BETA-MFI.EXE

description	pid	process
Token: SeSecurityPrivilege	1820	UNMINEABLE MINER 1.1.0-BETA-MFI.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c.exeUNMINEABLE MINER 1.1.0-BETA-MFI.EXEunMineable Miner.exe

description	pid	process	target process
PID 4184 wrote to memory of 5012	4184	5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c.exe	FINALCRY.EXE
PID 4184 wrote to memory of 5012	4184	5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c.exe	FINALCRY.EXE
PID 4184 wrote to memory of 5012	4184	5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c.exe	FINALCRY.EXE
PID 4184 wrote to memory of 1820	4184	5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c.exe	UNMINEABLE MINER 1.1.0-BETA-MFI.EXE
PID 4184 wrote to memory of 1820	4184	5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c.exe	UNMINEABLE MINER 1.1.0-BETA-MFI.EXE
PID 4184 wrote to memory of 1820	4184	5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c.exe	UNMINEABLE MINER 1.1.0-BETA-MFI.EXE
PID 1820 wrote to memory of 4900	1820	UNMINEABLE MINER 1.1.0-BETA-MFI.EXE	unMineable Miner.exe
PID 1820 wrote to memory of 4900	1820	UNMINEABLE MINER 1.1.0-BETA-MFI.EXE	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2528	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 1780	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 1780	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2124	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2124	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2084	4900	unMineable Miner.exe	unMineable Miner.exe
PID 4900 wrote to memory of 2084	4900	unMineable Miner.exe	unMineable Miner.exe

C:\Users\Admin\AppData\Local\Temp\5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c.exe
"C:\Users\Admin\AppData\Local\Temp\5ce684113f882d6005329ffa8c260cf3d9cc8c3fda1c9329a11d8d253d059e3c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4184

C:\Users\Admin\AppData\Local\Temp\FINALCRY.EXE
"C:\Users\Admin\AppData\Local\Temp\FINALCRY.EXE"
2⤵
- Executes dropped EXE
PID:5012

C:\Users\Admin\AppData\Local\Temp\UNMINEABLE MINER 1.1.0-BETA-MFI.EXE
"C:\Users\Admin\AppData\Local\Temp\UNMINEABLE MINER 1.1.0-BETA-MFI.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe
"C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe
"C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe" --type=gpu-process --field-trial-handle=1628,11147638564519503292,7387209617405834142,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1644 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528

C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe
"C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe" --type=utility --field-trial-handle=1628,11147638564519503292,7387209617405834142,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2168 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1780

C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe
"C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe" --type=renderer --field-trial-handle=1628,11147638564519503292,7387209617405834142,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\resources\app.asar" --node-integration --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\resources\app.asar/ws.js" --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2376 /prefetch:1
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2124

C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe
"C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe" --type=gpu-process --field-trial-handle=1628,11147638564519503292,7387209617405834142,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAEAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1632 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\D3DCompiler_47.dll
Filesize
4.3MB

MD5
fea40e5b591127ae3b065389d058a445

SHA1
621fa52fb488271c25c10c646d67e7ce5f42d4f8

SHA256
4b074a3976399dc735484f5d43d04b519b7bdee8ac719d9ab8ed6bd4e6be0345

SHA512
d2412b701d89e2762c72dd99a48283d601dd4311e3731d690cc2ab6cced20994fa67bf3fea4920291fc407cd946e20bdc85836e6786766a1b98a86febaa0e3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\chrome_100_percent.pak
Filesize
175KB

MD5
7c4728b2d58afdd97c4549c96b9561cc

SHA1
1e0d251eedd67e7021fc764b9188184617465c54

SHA256
419cfcc6dc5f38b2e0c970ebd4fad1ef55054579d5c0db2521d7ae494996aac3

SHA512
82d0931e4d1cf38f88050980f518cdacdc981c382771b1732bfbe69f601074a0e7378e27a7470c7dea4e287cb1617a5c038052908ed85134abcd5b6591b4e7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\chrome_200_percent.pak
Filesize
312KB

MD5
6af049ad6fd11ee90ad9db31c4e02082

SHA1
5d2f9a59a74dc584b5dd78aeb6de583e969e3eb7

SHA256
edecf8e1ac353bfdae534e42507e5a59973cb4cab76fbb1ff1a470363e725bc4

SHA512
c7fa6e1a57861e62b9b4d615a988c98d13cde8abc23eaed7c36c2ecb86409da4b65b1f579ca2f307e90eb4d08d14b07f7f41ccb8d8c165d6de67c09c16009715

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\d3dcompiler_47.dll
Filesize
4.3MB

MD5
fea40e5b591127ae3b065389d058a445

SHA1
621fa52fb488271c25c10c646d67e7ce5f42d4f8

SHA256
4b074a3976399dc735484f5d43d04b519b7bdee8ac719d9ab8ed6bd4e6be0345

SHA512
d2412b701d89e2762c72dd99a48283d601dd4311e3731d690cc2ab6cced20994fa67bf3fea4920291fc407cd946e20bdc85836e6786766a1b98a86febaa0e3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\ffmpeg.dll
Filesize
2.6MB

MD5
761adc75db5d404a49c96e8d49f5f72c

SHA1
716a8a994af2a06b1f766e6a1364afbc27fafa8c

SHA256
75a0592cdcbc5331dfb9310c68ee82c634685d5b2edc6d214a0841d62c6fe51b

SHA512
056307a08103a1a6dc1a2fecda1e13727c65b30607258496cba9560c53e04dd4b0af22decd7a3483ff44fe8ad7d706b2e81b5d3c859a484cb6bc1de9dfffed23

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\ffmpeg.dll
Filesize
2.6MB

MD5
761adc75db5d404a49c96e8d49f5f72c

SHA1
716a8a994af2a06b1f766e6a1364afbc27fafa8c

SHA256
75a0592cdcbc5331dfb9310c68ee82c634685d5b2edc6d214a0841d62c6fe51b

SHA512
056307a08103a1a6dc1a2fecda1e13727c65b30607258496cba9560c53e04dd4b0af22decd7a3483ff44fe8ad7d706b2e81b5d3c859a484cb6bc1de9dfffed23

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\ffmpeg.dll
Filesize
2.6MB

MD5
761adc75db5d404a49c96e8d49f5f72c

SHA1
716a8a994af2a06b1f766e6a1364afbc27fafa8c

SHA256
75a0592cdcbc5331dfb9310c68ee82c634685d5b2edc6d214a0841d62c6fe51b

SHA512
056307a08103a1a6dc1a2fecda1e13727c65b30607258496cba9560c53e04dd4b0af22decd7a3483ff44fe8ad7d706b2e81b5d3c859a484cb6bc1de9dfffed23

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\ffmpeg.dll
Filesize
2.6MB

MD5
761adc75db5d404a49c96e8d49f5f72c

SHA1
716a8a994af2a06b1f766e6a1364afbc27fafa8c

SHA256
75a0592cdcbc5331dfb9310c68ee82c634685d5b2edc6d214a0841d62c6fe51b

SHA512
056307a08103a1a6dc1a2fecda1e13727c65b30607258496cba9560c53e04dd4b0af22decd7a3483ff44fe8ad7d706b2e81b5d3c859a484cb6bc1de9dfffed23

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\ffmpeg.dll
Filesize
2.6MB

MD5
761adc75db5d404a49c96e8d49f5f72c

SHA1
716a8a994af2a06b1f766e6a1364afbc27fafa8c

SHA256
75a0592cdcbc5331dfb9310c68ee82c634685d5b2edc6d214a0841d62c6fe51b

SHA512
056307a08103a1a6dc1a2fecda1e13727c65b30607258496cba9560c53e04dd4b0af22decd7a3483ff44fe8ad7d706b2e81b5d3c859a484cb6bc1de9dfffed23

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\ffmpeg.dll
Filesize
2.6MB

MD5
761adc75db5d404a49c96e8d49f5f72c

SHA1
716a8a994af2a06b1f766e6a1364afbc27fafa8c

SHA256
75a0592cdcbc5331dfb9310c68ee82c634685d5b2edc6d214a0841d62c6fe51b

SHA512
056307a08103a1a6dc1a2fecda1e13727c65b30607258496cba9560c53e04dd4b0af22decd7a3483ff44fe8ad7d706b2e81b5d3c859a484cb6bc1de9dfffed23

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\icudtl.dat
Filesize
10.0MB

MD5
3f019441588332ac8b79a3a3901a5449

SHA1
c8930e95b78deef5b7730102acd39f03965d479a

SHA256
594637e10b8f5c97157413528f0cbf5bc65b4ab9e79f5fa34fe268092655ec57

SHA512
ee083ae5e93e70d5bbebe36ec482aa75c47d908df487a43db2b55ddd6b55c291606649175cf7907d6ab64fc81ead7275ec56e3193b631f8f78b10d2c775fd1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\locales\en-US.pak
Filesize
79KB

MD5
98c8cfc3cb98ab34e06d4323b8bcb043

SHA1
2c0bda072161530b710fa0a1dfc3c23926184afe

SHA256
35adc5aeeebfe440e295b88d2a4089360ada33c353843b1f5438f4118501878b

SHA512
25edeca13b4a29f63bdc4f135eda1b1b8c72f3a58315f57895950bdc15f56b2af1aca42affe397716f5965437ece836f683265a33ec919b8b26056634612ed3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\resources.pak
Filesize
4.6MB

MD5
d9022282a7fbf3aa354559ab6a9c7926

SHA1
ff1f2b77d80848bc1a51e48c21a033eb57d8776c

SHA256
ddc85d749b19cbabae11a0b8f7114daf75900179a2147280dd0f9f8faee7d65c

SHA512
6b9ab157cf8e10d8a79ea2ad4e247210fe2a7fd75dab086eb55951d4e028af3060e1f42175be936c6b093abc2c3071c0fd1c45afee3c567a79e1b722fe5f5d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\resources\app.asar
Filesize
10.5MB

MD5
56436c8a3ba77d5ac4bbe00cc2c97825

SHA1
6f59c3ea5118f8f76cb2ce00b724ac9ebf7c3047

SHA256
b9c22e7ee72b4ee35771b9bc074473e82e2c887a2747d64639b7f19df0aaed7b

SHA512
994d3fa56e358331cb94b3784887bc99bede7046d9092ba58e9b81838a6d81169e8d639c0b95dd81dd525c790faa25c59cb1ff21ecf21c6130dc3e28470242d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\swiftshader\libEGL.dll
Filesize
391KB

MD5
6bd0c5a03e7f19cbb5c518044c7130f3

SHA1
4c4e98408ab3fb86a618acde1cf94b609c4b0bff

SHA256
973b12941561c5d26c05adc19c52000617f72e3dd5a43878e029dc2f6f99cc20

SHA512
0da91b4333a9a6e018aa56ba3fc0062be275b83a9bdfa9e121cc05775bac4a92332326fbbc0cd8f237d771975e1b17e02198f90debb77ecdfa6e598ec9efbab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\swiftshader\libGLESv2.dll
Filesize
3.6MB

MD5
200548d5857d447ac99dec69497265bc

SHA1
0dcefba9194ebc0db03b5dc99ed06fb138273df4

SHA256
9e2e44e13df5cbe06997456be41edc0c84f11729031facc0389d22356ce906cd

SHA512
dec485921f8f9c4e92ab0e783c296b8cb04611cd8a7cd52175fe85ff32838761ed42647ecd67f93e4cc2d03debe78c04d49979d732e49a5ea0591112ac33caa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\swiftshader\libegl.dll
Filesize
391KB

MD5
6bd0c5a03e7f19cbb5c518044c7130f3

SHA1
4c4e98408ab3fb86a618acde1cf94b609c4b0bff

SHA256
973b12941561c5d26c05adc19c52000617f72e3dd5a43878e029dc2f6f99cc20

SHA512
0da91b4333a9a6e018aa56ba3fc0062be275b83a9bdfa9e121cc05775bac4a92332326fbbc0cd8f237d771975e1b17e02198f90debb77ecdfa6e598ec9efbab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\swiftshader\libglesv2.dll
Filesize
3.6MB

MD5
200548d5857d447ac99dec69497265bc

SHA1
0dcefba9194ebc0db03b5dc99ed06fb138273df4

SHA256
9e2e44e13df5cbe06997456be41edc0c84f11729031facc0389d22356ce906cd

SHA512
dec485921f8f9c4e92ab0e783c296b8cb04611cd8a7cd52175fe85ff32838761ed42647ecd67f93e4cc2d03debe78c04d49979d732e49a5ea0591112ac33caa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe
Filesize
105.6MB

MD5
ffba392db38ec891fed77b3493c1ec9d

SHA1
05de5b0f568cb2b9efd37620bd285b0678268f5e

SHA256
cd74899e937896dc6b397326edafee7044db60e0ea07e687aab50d85d2251d93

SHA512
beb2e1039eedb8562844c6302a1263005e1a863e262dcf6f405d4eb2a0250bd1704fb13ac8c4e6fc199334e62378fa6f65a0799b32035a93226c02f58abfd686

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe
Filesize
105.6MB

MD5
ffba392db38ec891fed77b3493c1ec9d

SHA1
05de5b0f568cb2b9efd37620bd285b0678268f5e

SHA256
cd74899e937896dc6b397326edafee7044db60e0ea07e687aab50d85d2251d93

SHA512
beb2e1039eedb8562844c6302a1263005e1a863e262dcf6f405d4eb2a0250bd1704fb13ac8c4e6fc199334e62378fa6f65a0799b32035a93226c02f58abfd686

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe
Filesize
105.6MB

MD5
ffba392db38ec891fed77b3493c1ec9d

SHA1
05de5b0f568cb2b9efd37620bd285b0678268f5e

SHA256
cd74899e937896dc6b397326edafee7044db60e0ea07e687aab50d85d2251d93

SHA512
beb2e1039eedb8562844c6302a1263005e1a863e262dcf6f405d4eb2a0250bd1704fb13ac8c4e6fc199334e62378fa6f65a0799b32035a93226c02f58abfd686

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe
Filesize
105.6MB

MD5
ffba392db38ec891fed77b3493c1ec9d

SHA1
05de5b0f568cb2b9efd37620bd285b0678268f5e

SHA256
cd74899e937896dc6b397326edafee7044db60e0ea07e687aab50d85d2251d93

SHA512
beb2e1039eedb8562844c6302a1263005e1a863e262dcf6f405d4eb2a0250bd1704fb13ac8c4e6fc199334e62378fa6f65a0799b32035a93226c02f58abfd686

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe
Filesize
105.6MB

MD5
ffba392db38ec891fed77b3493c1ec9d

SHA1
05de5b0f568cb2b9efd37620bd285b0678268f5e

SHA256
cd74899e937896dc6b397326edafee7044db60e0ea07e687aab50d85d2251d93

SHA512
beb2e1039eedb8562844c6302a1263005e1a863e262dcf6f405d4eb2a0250bd1704fb13ac8c4e6fc199334e62378fa6f65a0799b32035a93226c02f58abfd686

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\unMineable Miner.exe
Filesize
105.6MB

MD5
ffba392db38ec891fed77b3493c1ec9d

SHA1
05de5b0f568cb2b9efd37620bd285b0678268f5e

SHA256
cd74899e937896dc6b397326edafee7044db60e0ea07e687aab50d85d2251d93

SHA512
beb2e1039eedb8562844c6302a1263005e1a863e262dcf6f405d4eb2a0250bd1704fb13ac8c4e6fc199334e62378fa6f65a0799b32035a93226c02f58abfd686

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\v8_context_snapshot.bin
Filesize
166KB

MD5
24a8ccb59d71f491e0ca72fc2b113955

SHA1
3715f364c55b8d8b2bb0ce9fe3328d00095a6cae

SHA256
9bb627f1c7c1e085f599a5e89a0481954b81d97024c7bbe0217b400369e63342

SHA512
0796d96c11295fff12a39556494bcac580c69839a8833390f8b3e4e339e7a0ba25267fe8fe1db9c5f489d325efbffe455b9ca3bf3a3fe55184ae630b9d77cffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\vulkan-1.dll
Filesize
609KB

MD5
f42bd3fe42b621dd22ec256bf9b75220

SHA1
009a2dff88ce949f8759ec5d051b2e0aaf6cbf61

SHA256
6259cfb756eb8870f3884b39fd53ded73af5c8e3e8d50dbd679d8be3349fa443

SHA512
3779b41e08cbafe4ffcacfd856468abde8e48d42bad57659cbce21fea858883e68893613adbfb37327e617f77f3375abd38a80d5ba36fc22d127e755b92d2f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sHbgfPRjTAXbdOIMxYc2U48b54\vulkan-1.dll
Filesize
609KB

MD5
f42bd3fe42b621dd22ec256bf9b75220

SHA1
009a2dff88ce949f8759ec5d051b2e0aaf6cbf61

SHA256
6259cfb756eb8870f3884b39fd53ded73af5c8e3e8d50dbd679d8be3349fa443

SHA512
3779b41e08cbafe4ffcacfd856468abde8e48d42bad57659cbce21fea858883e68893613adbfb37327e617f77f3375abd38a80d5ba36fc22d127e755b92d2f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\FINALCRY.EXE
Filesize
80KB

MD5
22ec85518b0d8ee54a6ffb0f0fca4ede

SHA1
98f66e653044da182814f902dcb286abd676cb00

SHA256
5fac232a5cc01d171ac5a41810aad7492fe1817e0da4d6b064d0dcac94da4aee

SHA512
70dab7b52554115c0568c5d777195940f99c344c0778a81add1f4db1553bd4e646759013d4e448698982977b245d113ba1741b9e65ce53780c07c6ccc4201c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FINALCRY.EXE
Filesize
80KB

MD5
22ec85518b0d8ee54a6ffb0f0fca4ede

SHA1
98f66e653044da182814f902dcb286abd676cb00

SHA256
5fac232a5cc01d171ac5a41810aad7492fe1817e0da4d6b064d0dcac94da4aee

SHA512
70dab7b52554115c0568c5d777195940f99c344c0778a81add1f4db1553bd4e646759013d4e448698982977b245d113ba1741b9e65ce53780c07c6ccc4201c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNMINEABLE MINER 1.1.0-BETA-MFI.EXE
Filesize
49.3MB

MD5
99ce811f013f5b3c5f0e159bf1c20943

SHA1
0c8786e97893cdae89f9a8936db5535d532cad5d

SHA256
6dabed61bc3bea8fc54dc471e106488d225e7b37e8d95aa141c4b520e0e91c02

SHA512
36590b20d30a317ffaf470e36be9db812fa12009699095891d14d3d1082943dbe2c8ef93d887317ad6ca4b4caa9875df6fe4fcb1fc0a6b5a23df5cb8a713ba37

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNMINEABLE MINER 1.1.0-BETA-MFI.EXE
Filesize
49.3MB

MD5
99ce811f013f5b3c5f0e159bf1c20943

SHA1
0c8786e97893cdae89f9a8936db5535d532cad5d

SHA256
6dabed61bc3bea8fc54dc471e106488d225e7b37e8d95aa141c4b520e0e91c02

SHA512
36590b20d30a317ffaf470e36be9db812fa12009699095891d14d3d1082943dbe2c8ef93d887317ad6ca4b4caa9875df6fe4fcb1fc0a6b5a23df5cb8a713ba37

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbAF9A.tmp\StdUtils.dll
Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbAF9A.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbAF9A.tmp\nsis7z.dll
Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1780-157-0x0000000000000000-mapping.dmp

Download
memory/1820-135-0x0000000000000000-mapping.dmp

Download
memory/2084-169-0x0000000000000000-mapping.dmp

Download
memory/2124-160-0x0000000000000000-mapping.dmp

Download
memory/2528-154-0x0000000000000000-mapping.dmp

Download
memory/4900-141-0x0000000000000000-mapping.dmp

Download
memory/5012-132-0x0000000000000000-mapping.dmp

Download