a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0

Analysis

max time kernel
288s
max time network
399s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Size

8.3MB
MD5

0109a577549d0c58f8f67abbeb07b039
SHA1

7a5e6239de9dcf98df3bdcc9b6076601422d7059
SHA256

a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0
SHA512

c22f144f7ea61b05d7bbec20ac88984554c19c5d8947732c159e7bb981cc972ec4c08110bede1b73042898a0ebe193b17279eddc061a1ae5f6c97b48d648abba
SSDEEP

196608:lOG/7EobI1aTZr+QjgcjhXc6IQtnQDRbUFjeVbBLTwbL:lFE81oQj+GQ2Fje5BLEX

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

pack.exe

pid process

1968 pack.exe

pid	process
1968	pack.exe

Sets file execution options in registry 2 TTPs 47 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroids.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vonteera	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vonteera\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umbrella.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings64.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jumpflip\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\volaro	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchinstaller.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroidsservice.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jumpflip	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umbrella.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings64.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchinstaller.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroids.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroidsservice.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\volaro\debugger = "tasklist.exe"	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe

Loads dropped DLL 33 IoCs

Processes:

a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe

pid	process
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 47 IoCs

Processes:

pack.exea7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe

description	ioc	process
File created	C:\Program Files (x86)\Movies App\SafetyNut\favicon.ico	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\safetycrt36.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetyldr_u.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\safetynut.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetynut.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetynut.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\safetycrt.dll	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\configmgrc2.cfg	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\safetyldr.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetycrt.dll	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\Internet Explorer Settings Update.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\SafetyNutManager.exe	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\safetycrt36.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetycrt36.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetyldr.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\safetynut_ie.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetynut_ie.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\favicon.ico	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\safetynut.exe	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\safetynut.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\safetynut_ie.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\x64\configmgrc2.cfg	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\Internet Explorer Settings.exe	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetycrt.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\safetyldr_u.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetyldr_u.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetycrt36.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\Internet Explorer Settings Update.exe	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\x64\Internet Explorer Settings Update.exe	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\Internet Explorer Settings.exe	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\x64\Internet Explorer Settings.exe	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\x64\Internet Explorer Settings.exe	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\safetynut.exe	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\safetycrt.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\safetyldr_u.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\x64\Internet Explorer Settings Update.exe	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetyldr.dll	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetynut_ie.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\x64	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\x64\Internet Explorer Settings Update.exe	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\configmgrc2.cfg	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\x64\configmgrc2.cfg	pack.exe
File created	C:\Program Files (x86)\Movies App\SafetyNut\Internet Explorer Settings Update.exe	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\SafetyNutManager.exe	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\safetycrt.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\x64\safetycrt.dll	pack.exe
File opened for modification	C:\Program Files (x86)\Movies App\SafetyNut\safetyldr.dll	pack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe

pid	process
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe

description	pid	process
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
Token: SeDebugPrivilege	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe

description	pid	process	target process
PID 468 wrote to memory of 1968	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe	pack.exe
PID 468 wrote to memory of 1968	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe	pack.exe
PID 468 wrote to memory of 1968	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe	pack.exe
PID 468 wrote to memory of 1968	468	a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe	pack.exe

C:\Users\Admin\AppData\Local\Temp\a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe
"C:\Users\Admin\AppData\Local\Temp\a7b7901f7a800b2df3b87bab1ee7663ce6ed0beeede981040c714e5c373c97f0.exe"
1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468

C:\Users\Admin\AppData\Local\Temp\nsk2B3.tmp\nsk9767.tmp\pack.exe
C:\Users\Admin\AppData\Local\Temp\nsk2B3.tmp\nsk9767.tmp\pack.exe "-oC:\Program Files (x86)\Movies App\SafetyNut" -y
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1968

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Movies App\SafetyNut\Internet Explorer Settings Update.exe
Filesize
1.1MB

MD5
738c94e92652c2ef11a5147e4088f82f

SHA1
87c436428ac7a9566ea9d2467c97292a6935e0dc

SHA256
addcc1602bf94f9bb64181a80522f5a3fe40b3dcdea664f835a059772236faac

SHA512
98d836a2342e45c9f22a1d751529a13be453ba0b770292791056953df57c4db8f627e76ca1392bb37539a613bbebb6b6c6c27a1e5dded2f3666e16b375636700

Download Submit
C:\Program Files (x86)\Movies App\SafetyNut\safetycrt.dll
Filesize
477KB

MD5
c1df2bf04a3f5463af5139182471bd88

SHA1
0016ccab08f5d57b6799c0074e30fbc5636254be

SHA256
23d5c8e9e073abf3a4dcfa81d6dc95a14febb699fb39ef84eb9ed5b306f683e9

SHA512
fd7db4ce0982ed5d70a49b56df40adc3a6411597341be663b27c51565a5935b6d015ade8aaee903b671bac136b89558cfbf0dea273961d4364576fe6000671df

Download Submit
C:\Program Files (x86)\Movies App\SafetyNut\safetycrt36.dll
Filesize
477KB

MD5
325f29ec42a4387fafc17e1bba9c5ac0

SHA1
4e2b363e2ad1df638466a97e320e675932e493ed

SHA256
a7aaf9406ddcfd73715786a8a6893c499c257adde604e9a1b8a9321011051ff9

SHA512
2aedd9ca5606331a0b1fb8fbc2ec97930460c468d6da3dd98e1cd9f039427a4425b786ca2f30a4a722d48b7a127325236ca308f581b3f4ee51ac511ea8dbf24f

Download Submit
C:\Program Files (x86)\Movies App\SafetyNut\x64\Internet Explorer Settings Update.exe
Filesize
1.1MB

MD5
6aaa61d229838e336a050009bfb1f619

SHA1
70204efaff2671496a3609c2615353ea7520a24c

SHA256
b4898f29484d3fd46614a5145912046e7cea3d46d846cb803e67af5342d5c6bf

SHA512
7a1e609f84eb18d8abf268070154433fcfd1a919a3e083fc457255eacfee000e3fa5c30f46e24f17159cd5e75e564a6295f30fc2461fc164a38273edf3b39d7b

Download Submit
C:\Program Files (x86)\Movies App\SafetyNut\x64\safetycrt.dll
Filesize
647KB

MD5
5c5d68de2ae1530ecf9056c7e3c02b51

SHA1
cd4889c1acea067ece0e19dcb4d20ef528ebca6d

SHA256
d6d872bb988068180152974770c5b70fc811396e47c7830ce2328429931e0ca8

SHA512
fc7b48df58644a658010e47f4ca210b22929857c49e5c63c044946794a45b8c3d67f491d85eee30a261c317de803dcb25efd3fc1abc92dfce4aec76dd29846b9

Download Submit
C:\Program Files (x86)\Movies App\SafetyNut\x64\safetycrt36.dll
Filesize
646KB

MD5
5a34f1d2da42dd0ce1b6b739aae498c2

SHA1
4f723f86f26694d1c1edbf4b754ecce2b6d8d8ff

SHA256
217aedbb3ba5e13ce41ddb0dc4f85384f0a11b57478aca77d145a431f4fadeb0

SHA512
5a1550fb119f8aa0845986071903f96beb98265ab6e2237497ffdb9866bb3ef2988fa0c14c3be97230cf395f4d3d5fe5703911865a8d9ce1dc5ad189bfc5c7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk2B3.tmp\nsk9767.tmp\pack.exe
Filesize
3.5MB

MD5
2c0c8f844b8db194494ec0862aca1bf8

SHA1
773dc9c434bbb9afe4685fe257688e4a2175c7f6

SHA256
661446c04d731c660b1e57ca9de6cb3754471deb2c98cec9209e99118883bc70

SHA512
ca76b072d6828c6197603308a576e4eaecceabe11fa1e02f64766fe31b61a5cf1f641fa3e9ae3a9dfa216e49972e6ce6accf1fd0f9397a6fb9b3d4139d8c7c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk2B3.tmp\nsk9767.tmp\pack.exe
Filesize
3.5MB

MD5
2c0c8f844b8db194494ec0862aca1bf8

SHA1
773dc9c434bbb9afe4685fe257688e4a2175c7f6

SHA256
661446c04d731c660b1e57ca9de6cb3754471deb2c98cec9209e99118883bc70

SHA512
ca76b072d6828c6197603308a576e4eaecceabe11fa1e02f64766fe31b61a5cf1f641fa3e9ae3a9dfa216e49972e6ce6accf1fd0f9397a6fb9b3d4139d8c7c48

Download Submit
\Users\Admin\AppData\Local\Temp\34CE.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\5C9A.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\5CE9.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\5D67.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\5DD5.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\5E24.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\5E54.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\5EA3.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\5F20.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\5FAE.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\5FDE.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\9768.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\9798.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\9826.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\9875.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\9902.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\9E6.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\A034.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\A0B2.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\A120.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\A17E.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\A20C.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\A22C.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\A29A.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\A356.tmp
Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\nsk2B3.tmp\Helper.dll
Filesize
2.0MB

MD5
df80fd9ee2891ecc997e48a09fa74f88

SHA1
9592fa0f405c309e4aa40eaedb5badf8067d85d3

SHA256
71a54c0f7bd02022f131f5cdee27394fde7fdb8feb74a8f20b48bd59fe79e2fc

SHA512
b9b3b14f02e09acc9f2bbd5d4e54bf95c6520eec16532bb1acebeb1474fb16300f416f2a4cce0a73a9a9821281db20d47e7ab4ea9bff7ce4c53a7975d1a18df6

Download Submit
\Users\Admin\AppData\Local\Temp\nsk2B3.tmp\System.dll
Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsk2B3.tmp\UserInfo.dll
Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nsk2B3.tmp\UserInfo.dll
Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nsk2B3.tmp\UserInfo.dll
Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nsk2B3.tmp\nsk9767.tmp\pack.exe
Filesize
3.5MB

MD5
2c0c8f844b8db194494ec0862aca1bf8

SHA1
773dc9c434bbb9afe4685fe257688e4a2175c7f6

SHA256
661446c04d731c660b1e57ca9de6cb3754471deb2c98cec9209e99118883bc70

SHA512
ca76b072d6828c6197603308a576e4eaecceabe11fa1e02f64766fe31b61a5cf1f641fa3e9ae3a9dfa216e49972e6ce6accf1fd0f9397a6fb9b3d4139d8c7c48

Download Submit
\Users\Admin\AppData\Local\Temp\nsk2B3.tmp\nsk9767.tmp\pack.exe
Filesize
3.5MB

MD5
2c0c8f844b8db194494ec0862aca1bf8

SHA1
773dc9c434bbb9afe4685fe257688e4a2175c7f6

SHA256
661446c04d731c660b1e57ca9de6cb3754471deb2c98cec9209e99118883bc70

SHA512
ca76b072d6828c6197603308a576e4eaecceabe11fa1e02f64766fe31b61a5cf1f641fa3e9ae3a9dfa216e49972e6ce6accf1fd0f9397a6fb9b3d4139d8c7c48

Download Submit
\Users\Admin\AppData\Local\Temp\nsk2B3.tmp\registry.dll
Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
memory/468-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1968-88-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads