7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
06/08/2023, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
Size

460KB
MD5

3cccb0426afe6bc0ff4dfc4a071e46d1
SHA1

31273d47ef275f8c2fd537806bff7bc1e95f7060
SHA256

7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664
SHA512

e05347abf93f333d88dd1a8dc3693f55a677fa466edf0059986beedf2af3dfe0c6f8f19828bc82205f863d2e9b2bde499cf8761aa54c9c783117fcf3dd3c4078
SSDEEP

12288:9uiy8Y80UbUMg0HqBNYzM8H03kKuIZHv:9/ttFg0HXTH0zu4Hv

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2948	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
1868	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Loads dropped DLL 8 IoCs

pid	Process
2604	cmd.exe
2604	cmd.exe
2428	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2428	2948	WerFault.exe	36
1668	1868	WerFault.exe	39

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2860	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2372	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2948	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
1868	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
Token: SeDebugPrivilege	2948	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
Token: SeDebugPrivilege	1868	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2604	2516	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe	31
PID 2516 wrote to memory of 2604	2516	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe	31
PID 2516 wrote to memory of 2604	2516	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe	31
PID 2516 wrote to memory of 2604	2516	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe	31
PID 2604 wrote to memory of 2376	2604	cmd.exe	33
PID 2604 wrote to memory of 2376	2604	cmd.exe	33
PID 2604 wrote to memory of 2376	2604	cmd.exe	33
PID 2604 wrote to memory of 2376	2604	cmd.exe	33
PID 2604 wrote to memory of 2372	2604	cmd.exe	34
PID 2604 wrote to memory of 2372	2604	cmd.exe	34
PID 2604 wrote to memory of 2372	2604	cmd.exe	34
PID 2604 wrote to memory of 2372	2604	cmd.exe	34
PID 2604 wrote to memory of 2860	2604	cmd.exe	35
PID 2604 wrote to memory of 2860	2604	cmd.exe	35
PID 2604 wrote to memory of 2860	2604	cmd.exe	35
PID 2604 wrote to memory of 2860	2604	cmd.exe	35
PID 2604 wrote to memory of 2948	2604	cmd.exe	36
PID 2604 wrote to memory of 2948	2604	cmd.exe	36
PID 2604 wrote to memory of 2948	2604	cmd.exe	36
PID 2604 wrote to memory of 2948	2604	cmd.exe	36
PID 2948 wrote to memory of 2428	2948	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe	37
PID 2948 wrote to memory of 2428	2948	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe	37
PID 2948 wrote to memory of 2428	2948	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe	37
PID 2948 wrote to memory of 2428	2948	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe	37
PID 2920 wrote to memory of 1868	2920	taskeng.exe	39
PID 2920 wrote to memory of 1868	2920	taskeng.exe	39
PID 2920 wrote to memory of 1868	2920	taskeng.exe	39
PID 2920 wrote to memory of 1868	2920	taskeng.exe	39
PID 1868 wrote to memory of 1668	1868	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe	40
PID 1868 wrote to memory of 1668	1868	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe	40
PID 1868 wrote to memory of 1668	1868	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe	40
PID 1868 wrote to memory of 1668	1868	7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe	40

C:\Users\Admin\AppData\Local\Temp\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe"
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2372
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2860
- - C:\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
    "C:\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 3096
      4⤵
      Loads dropped DLL
      Program crash
      PID:2428

C:\Windows\system32\taskeng.exe
taskeng.exe {3E2E6760-F00D-4B32-828A-8F084FF52F4E} S-1-5-21-3408354897-1169622894-3874090110-1000:WGWIREOE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
  C:\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 2380
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b48ffeca9b635ef82b015d3ec28bf051

SHA1
3966d0ba2a4e3398f78271cb651bab631a6ba18e

SHA256
83e46256a7e44351a5025e2c88366f26f6b15beda9f587ca89489dcc97236e62

SHA512
db822b6cff7e27d1660d331ae07f91003e336e365fadfe4df848a3f3d4a770667a2577f95598e73f392f4e4dc4d0b38a55aa9ed33fd2c3326457cf722e1509bc

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Filesize
460KB

MD5
3cccb0426afe6bc0ff4dfc4a071e46d1

SHA1
31273d47ef275f8c2fd537806bff7bc1e95f7060

SHA256
7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664

SHA512
e05347abf93f333d88dd1a8dc3693f55a677fa466edf0059986beedf2af3dfe0c6f8f19828bc82205f863d2e9b2bde499cf8761aa54c9c783117fcf3dd3c4078

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Filesize
460KB

MD5
3cccb0426afe6bc0ff4dfc4a071e46d1

SHA1
31273d47ef275f8c2fd537806bff7bc1e95f7060

SHA256
7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664

SHA512
e05347abf93f333d88dd1a8dc3693f55a677fa466edf0059986beedf2af3dfe0c6f8f19828bc82205f863d2e9b2bde499cf8761aa54c9c783117fcf3dd3c4078

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Filesize
460KB

MD5
3cccb0426afe6bc0ff4dfc4a071e46d1

SHA1
31273d47ef275f8c2fd537806bff7bc1e95f7060

SHA256
7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664

SHA512
e05347abf93f333d88dd1a8dc3693f55a677fa466edf0059986beedf2af3dfe0c6f8f19828bc82205f863d2e9b2bde499cf8761aa54c9c783117fcf3dd3c4078

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2BB5.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2CB2.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\h1ctrj9wxx\port.dat

Filesize
4B

MD5
876e8108f87eb61877c6263228b67256

SHA1
25181a120353245bdb915b6936830ee5e45f79b4

SHA256
0e652b392bbd6ab2fabe314848f97340dab6f2cc368648235f1351c9ff8bc730

SHA512
bb72995c0e689ed9da3f8aa669da0747254d4c9c46287de97dd6f4977e7beb575c6f89982374119353a720547962b3a493231a062e59ee6d008fe9779cd32cb1

Download Submit
\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Filesize
460KB

MD5
3cccb0426afe6bc0ff4dfc4a071e46d1

SHA1
31273d47ef275f8c2fd537806bff7bc1e95f7060

SHA256
7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664

SHA512
e05347abf93f333d88dd1a8dc3693f55a677fa466edf0059986beedf2af3dfe0c6f8f19828bc82205f863d2e9b2bde499cf8761aa54c9c783117fcf3dd3c4078

Download Submit
\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Filesize
460KB

MD5
3cccb0426afe6bc0ff4dfc4a071e46d1

SHA1
31273d47ef275f8c2fd537806bff7bc1e95f7060

SHA256
7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664

SHA512
e05347abf93f333d88dd1a8dc3693f55a677fa466edf0059986beedf2af3dfe0c6f8f19828bc82205f863d2e9b2bde499cf8761aa54c9c783117fcf3dd3c4078

Download Submit
\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Filesize
460KB

MD5
3cccb0426afe6bc0ff4dfc4a071e46d1

SHA1
31273d47ef275f8c2fd537806bff7bc1e95f7060

SHA256
7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664

SHA512
e05347abf93f333d88dd1a8dc3693f55a677fa466edf0059986beedf2af3dfe0c6f8f19828bc82205f863d2e9b2bde499cf8761aa54c9c783117fcf3dd3c4078

Download Submit
\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Filesize
460KB

MD5
3cccb0426afe6bc0ff4dfc4a071e46d1

SHA1
31273d47ef275f8c2fd537806bff7bc1e95f7060

SHA256
7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664

SHA512
e05347abf93f333d88dd1a8dc3693f55a677fa466edf0059986beedf2af3dfe0c6f8f19828bc82205f863d2e9b2bde499cf8761aa54c9c783117fcf3dd3c4078

Download Submit
\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Filesize
460KB

MD5
3cccb0426afe6bc0ff4dfc4a071e46d1

SHA1
31273d47ef275f8c2fd537806bff7bc1e95f7060

SHA256
7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664

SHA512
e05347abf93f333d88dd1a8dc3693f55a677fa466edf0059986beedf2af3dfe0c6f8f19828bc82205f863d2e9b2bde499cf8761aa54c9c783117fcf3dd3c4078

Download Submit
\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Filesize
460KB

MD5
3cccb0426afe6bc0ff4dfc4a071e46d1

SHA1
31273d47ef275f8c2fd537806bff7bc1e95f7060

SHA256
7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664

SHA512
e05347abf93f333d88dd1a8dc3693f55a677fa466edf0059986beedf2af3dfe0c6f8f19828bc82205f863d2e9b2bde499cf8761aa54c9c783117fcf3dd3c4078

Download Submit
\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Filesize
460KB

MD5
3cccb0426afe6bc0ff4dfc4a071e46d1

SHA1
31273d47ef275f8c2fd537806bff7bc1e95f7060

SHA256
7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664

SHA512
e05347abf93f333d88dd1a8dc3693f55a677fa466edf0059986beedf2af3dfe0c6f8f19828bc82205f863d2e9b2bde499cf8761aa54c9c783117fcf3dd3c4078

Download Submit
\Users\Admin\AppData\Local\EsetSecurity\7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664exe_JC.exe

Filesize
460KB

MD5
3cccb0426afe6bc0ff4dfc4a071e46d1

SHA1
31273d47ef275f8c2fd537806bff7bc1e95f7060

SHA256
7ebed8205611f34363bc35484fdfaba6da74b5de9e9c1128041bc9cb6e232664

SHA512
e05347abf93f333d88dd1a8dc3693f55a677fa466edf0059986beedf2af3dfe0c6f8f19828bc82205f863d2e9b2bde499cf8761aa54c9c783117fcf3dd3c4078

Download Submit
memory/1868-888-0x00000000067E0000-0x0000000006820000-memory.dmp

Filesize
256KB

Download
memory/1868-887-0x0000000000400000-0x0000000002463000-memory.dmp

Filesize
32.4MB

Download
memory/1868-889-0x00000000067E0000-0x0000000006820000-memory.dmp

Filesize
256KB

Download
memory/1868-890-0x00000000067E0000-0x0000000006820000-memory.dmp

Filesize
256KB

Download
memory/1868-891-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/1868-1138-0x00000000067E0000-0x0000000006820000-memory.dmp

Filesize
256KB

Download
memory/1868-1144-0x00000000067E0000-0x0000000006820000-memory.dmp

Filesize
256KB

Download
memory/1868-1145-0x00000000067E0000-0x0000000006820000-memory.dmp

Filesize
256KB

Download
memory/1868-1146-0x00000000067E0000-0x0000000006820000-memory.dmp

Filesize
256KB

Download
memory/1868-1147-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-86-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-92-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-98-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-100-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-102-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-104-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-106-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-108-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-110-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-112-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-114-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-118-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-122-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-124-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-126-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-120-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-116-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-388-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/2516-389-0x00000000068B0000-0x00000000068F0000-memory.dmp

Filesize
256KB

Download
memory/2516-390-0x0000000000260000-0x00000000002B2000-memory.dmp

Filesize
328KB

Download
memory/2516-391-0x00000000068B0000-0x00000000068F0000-memory.dmp

Filesize
256KB

Download
memory/2516-392-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-396-0x0000000000400000-0x0000000002463000-memory.dmp

Filesize
32.4MB

Download
memory/2516-397-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-94-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-63-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-90-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-88-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-55-0x0000000000260000-0x00000000002B2000-memory.dmp

Filesize
328KB

Download
memory/2516-96-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-56-0x00000000042E0000-0x0000000004324000-memory.dmp

Filesize
272KB

Download
memory/2516-57-0x0000000000400000-0x0000000002463000-memory.dmp

Filesize
32.4MB

Download
memory/2516-58-0x00000000068B0000-0x00000000068F0000-memory.dmp

Filesize
256KB

Download
memory/2516-59-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-54-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/2516-82-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-84-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-80-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-78-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-74-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-61-0x00000000068B0000-0x00000000068F0000-memory.dmp

Filesize
256KB

Download
memory/2516-60-0x00000000068B0000-0x00000000068F0000-memory.dmp

Filesize
256KB

Download
memory/2516-62-0x00000000068F0000-0x0000000006932000-memory.dmp

Filesize
264KB

Download
memory/2516-64-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-66-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-76-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-72-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-70-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2516-68-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/2948-407-0x00000000069A0000-0x00000000069E0000-memory.dmp

Filesize
256KB

Download
memory/2948-804-0x00000000069A0000-0x00000000069E0000-memory.dmp

Filesize
256KB

Download
memory/2948-803-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2948-802-0x00000000069A0000-0x00000000069E0000-memory.dmp

Filesize
256KB

Download
memory/2948-801-0x00000000069A0000-0x00000000069E0000-memory.dmp

Filesize
256KB

Download
memory/2948-800-0x00000000069A0000-0x00000000069E0000-memory.dmp

Filesize
256KB

Download
memory/2948-731-0x00000000069A0000-0x00000000069E0000-memory.dmp

Filesize
256KB

Download
memory/2948-414-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2948-411-0x00000000069A0000-0x00000000069E0000-memory.dmp

Filesize
256KB

Download
memory/2948-409-0x00000000069A0000-0x00000000069E0000-memory.dmp

Filesize
256KB

Download
memory/2948-405-0x0000000000400000-0x0000000002463000-memory.dmp

Filesize
32.4MB

Download