9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

Analysis

max time kernel
59s
max time network
120s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/04/2023, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobePDFReader.msi
Size

2.2MB
MD5

fadc9824c68402143239f764c99bb82d
SHA1

7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256

9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512

916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP

49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1528	readerdc64.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c8529.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI870B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c8529.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\6c8528.msi	msiexec.exe
File created	C:\Windows\Installer\6c8528.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\6c852b.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	readerdc64.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	readerdc64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	readerdc64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1772	msiexec.exe
1772	msiexec.exe
1552	powershell.exe
1552	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1264	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1264	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeSecurityPrivilege	1772	msiexec.exe
Token: SeCreateTokenPrivilege	1264	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1264	msiexec.exe
Token: SeLockMemoryPrivilege	1264	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1264	msiexec.exe
Token: SeMachineAccountPrivilege	1264	msiexec.exe
Token: SeTcbPrivilege	1264	msiexec.exe
Token: SeSecurityPrivilege	1264	msiexec.exe
Token: SeTakeOwnershipPrivilege	1264	msiexec.exe
Token: SeLoadDriverPrivilege	1264	msiexec.exe
Token: SeSystemProfilePrivilege	1264	msiexec.exe
Token: SeSystemtimePrivilege	1264	msiexec.exe
Token: SeProfSingleProcessPrivilege	1264	msiexec.exe
Token: SeIncBasePriorityPrivilege	1264	msiexec.exe
Token: SeCreatePagefilePrivilege	1264	msiexec.exe
Token: SeCreatePermanentPrivilege	1264	msiexec.exe
Token: SeBackupPrivilege	1264	msiexec.exe
Token: SeRestorePrivilege	1264	msiexec.exe
Token: SeShutdownPrivilege	1264	msiexec.exe
Token: SeDebugPrivilege	1264	msiexec.exe
Token: SeAuditPrivilege	1264	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1264	msiexec.exe
Token: SeChangeNotifyPrivilege	1264	msiexec.exe
Token: SeRemoteShutdownPrivilege	1264	msiexec.exe
Token: SeUndockPrivilege	1264	msiexec.exe
Token: SeSyncAgentPrivilege	1264	msiexec.exe
Token: SeEnableDelegationPrivilege	1264	msiexec.exe
Token: SeManageVolumePrivilege	1264	msiexec.exe
Token: SeImpersonatePrivilege	1264	msiexec.exe
Token: SeCreateGlobalPrivilege	1264	msiexec.exe
Token: SeBackupPrivilege	452	vssvc.exe
Token: SeRestorePrivilege	452	vssvc.exe
Token: SeAuditPrivilege	452	vssvc.exe
Token: SeBackupPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1036	DrvInst.exe
Token: SeRestorePrivilege	1036	DrvInst.exe
Token: SeRestorePrivilege	1036	DrvInst.exe
Token: SeRestorePrivilege	1036	DrvInst.exe
Token: SeRestorePrivilege	1036	DrvInst.exe
Token: SeRestorePrivilege	1036	DrvInst.exe
Token: SeRestorePrivilege	1036	DrvInst.exe
Token: SeLoadDriverPrivilege	1036	DrvInst.exe
Token: SeLoadDriverPrivilege	1036	DrvInst.exe
Token: SeLoadDriverPrivilege	1036	DrvInst.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1264	msiexec.exe
1264	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1528	readerdc64.exe
1528	readerdc64.exe
1528	readerdc64.exe
1528	readerdc64.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1552	1772	msiexec.exe	32
PID 1772 wrote to memory of 1552	1772	msiexec.exe	32
PID 1772 wrote to memory of 1552	1772	msiexec.exe	32
PID 1772 wrote to memory of 1528	1772	msiexec.exe	34
PID 1772 wrote to memory of 1528	1772	msiexec.exe	34
PID 1772 wrote to memory of 1528	1772	msiexec.exe	34
PID 1772 wrote to memory of 1528	1772	msiexec.exe	34
PID 1552 wrote to memory of 1056	1552	powershell.exe	35
PID 1552 wrote to memory of 1056	1552	powershell.exe	35
PID 1552 wrote to memory of 1056	1552	powershell.exe	35
PID 1056 wrote to memory of 908	1056	csc.exe	36
PID 1056 wrote to memory of 908	1056	csc.exe	36
PID 1056 wrote to memory of 908	1056	csc.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AdobePDFReader.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1264

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\schaioiz.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91F5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC91F4.tmp"
      4⤵
      PID:908
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:1528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C0" "0000000000000490"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6c852a.rbs

Filesize
7KB

MD5
9db7a88fc543eed8ff2a8a11a0f730df

SHA1
c93efa85b9a40d67edcd9d7ac70c832f0bb04370

SHA256
577a9fba755e05d4e7315ee2d8a97ab5cfd4d09f5dccf63e06494cf6f72249d5

SHA512
ee083e959e24c8d4d265d63ab32de6f12d022d6d60079284e7ea59bab300bc4f8be19979a5a5a777875148009f9f15bb2a27620f5541f4e102c690691296e965

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1

Filesize
2.2MB

MD5
4e0e85a590f4972732f1f0de81aa5507

SHA1
8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

SHA256
bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

SHA512
2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91F5.tmp

Filesize
1KB

MD5
794a18139f3150c4033d76217b62c13e

SHA1
6a58e9b3cee71b7a5565bdcaa9f68e5dcd2ae055

SHA256
a61677f692099e1543fce4df01241a214a3c26ba8c1527f5b2ce9e8a82519b65

SHA512
65ae42eae4341cf2d13c609b402130631196ef084971dd686e48711149ca1ed18d55f497c1532768e12a599bce6c7f27ec79a4349b3f4fa933036afa08e951e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\schaioiz.dll

Filesize
3KB

MD5
5884de113ae9b6c24e7355c96a88ec58

SHA1
1e656a2c593eb6061e613f92e65d6c7b3e79d13e

SHA256
6c29c5410c39638b3dd9c5d4a0f8799e7f0e48105fe5b6b26a25e0039a79eb26

SHA512
4f96e4cfa705efac0c909afb6a3d0f15658137dd93709e689b29eebc9c3e1acb4d373cfdabdff3c3aff0b69325c72db168cff9e333fc4c8262ecd51c86304947

Download Submit
C:\Users\Admin\AppData\Local\Temp\schaioiz.pdb

Filesize
7KB

MD5
33ca6a38cbc394dcf45772a8e39c4100

SHA1
035cd182842389bc9edbac8878a015a1ad1ed4ed

SHA256
00e926cbd5dd7498845e82487a4a677ee4ec2b6e7343448d3c895ea0082a2102

SHA512
32427866a8932cb2ce45df109623bceea68cd7a65c7ec4b7b78efa312fa70a8e13f2801190e6102c43a2b3b60c5b0e8fa2817b26b5fc70c825865aa5283b0441

Download Submit
C:\Windows\Installer\6c8528.msi

Filesize
2.2MB

MD5
fadc9824c68402143239f764c99bb82d

SHA1
7eb72321c2c1e25b11c9d44229af22a179e27ce8

SHA256
9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

SHA512
916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC91F4.tmp

Filesize
652B

MD5
d622b2620ae8d50a4356ba56186c7a4b

SHA1
90652283edbf876438bbc790aaf4435b4e3ef5bb

SHA256
71c83ca2cfe8400b38e8de219c11cc8af044dffb97fce184727c5d7c4ca3649f

SHA512
4e5f3197811c52f2ba36702afb9dc5841fa20d2af5f3d7d2a611137e6c5f461c086ce113672d3bf37109a226892aec1bd5df7e09279f949317a1d93ff7ada30b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\schaioiz.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\schaioiz.cmdline

Filesize
309B

MD5
21cff2e22128c5336ec2c9d26bf4e515

SHA1
6faf58bf4c80ecbcf7fb6183a72fa545804c85e3

SHA256
b2ff4a8fc62c7d346a8fae4a1489df8e35da9e67a2d4628ac6d78869a9449d9c

SHA512
55d343a76007cfcd8a078b5cee8cc717f3ea6a9bc111df98b096ef0b6ccd1493bcc0fe381d1ba976f453a5de1bf52037e17a6e117e2a05ca646cb9ea137215c8

Download Submit
memory/1528-88-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/1528-86-0x0000000000E70000-0x00000000012A9000-memory.dmp

Filesize
4.2MB

Download
memory/1552-90-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1552-89-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1552-87-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/1552-85-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/1552-109-0x00000000027B0000-0x00000000027B8000-memory.dmp

Filesize
32KB

Download
memory/1552-112-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1552-113-0x00000000027EB000-0x0000000002822000-memory.dmp

Filesize
220KB

Download