9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

Resubmissions

09-10-2023 22:51

231009-2syt5sba42 10

26-04-2023 10:03

230426-l3jvzaae4s 10

Analysis

max time kernel
142s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
09-10-2023 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobePDFReader (9).msi
Size

2.2MB
MD5

fadc9824c68402143239f764c99bb82d
SHA1

7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256

9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512

916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP

49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3032	readerdc64.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B98.tmp	msiexec.exe
File created	C:\Windows\Installer\f775870.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77586e.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f77586d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77586d.msi	msiexec.exe
File created	C:\Windows\Installer\f77586e.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	readerdc64.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	readerdc64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	readerdc64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2272	msiexec.exe
2272	msiexec.exe
2532	powershell.exe
2532	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2272	msiexec.exe
Token: SeTakeOwnershipPrivilege	2272	msiexec.exe
Token: SeSecurityPrivilege	2272	msiexec.exe
Token: SeCreateTokenPrivilege	2096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2096	msiexec.exe
Token: SeLockMemoryPrivilege	2096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2096	msiexec.exe
Token: SeMachineAccountPrivilege	2096	msiexec.exe
Token: SeTcbPrivilege	2096	msiexec.exe
Token: SeSecurityPrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeLoadDriverPrivilege	2096	msiexec.exe
Token: SeSystemProfilePrivilege	2096	msiexec.exe
Token: SeSystemtimePrivilege	2096	msiexec.exe
Token: SeProfSingleProcessPrivilege	2096	msiexec.exe
Token: SeIncBasePriorityPrivilege	2096	msiexec.exe
Token: SeCreatePagefilePrivilege	2096	msiexec.exe
Token: SeCreatePermanentPrivilege	2096	msiexec.exe
Token: SeBackupPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeShutdownPrivilege	2096	msiexec.exe
Token: SeDebugPrivilege	2096	msiexec.exe
Token: SeAuditPrivilege	2096	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2096	msiexec.exe
Token: SeChangeNotifyPrivilege	2096	msiexec.exe
Token: SeRemoteShutdownPrivilege	2096	msiexec.exe
Token: SeUndockPrivilege	2096	msiexec.exe
Token: SeSyncAgentPrivilege	2096	msiexec.exe
Token: SeEnableDelegationPrivilege	2096	msiexec.exe
Token: SeManageVolumePrivilege	2096	msiexec.exe
Token: SeImpersonatePrivilege	2096	msiexec.exe
Token: SeCreateGlobalPrivilege	2096	msiexec.exe
Token: SeBackupPrivilege	2148	vssvc.exe
Token: SeRestorePrivilege	2148	vssvc.exe
Token: SeAuditPrivilege	2148	vssvc.exe
Token: SeBackupPrivilege	2272	msiexec.exe
Token: SeRestorePrivilege	2272	msiexec.exe
Token: SeRestorePrivilege	2704	DrvInst.exe
Token: SeRestorePrivilege	2704	DrvInst.exe
Token: SeRestorePrivilege	2704	DrvInst.exe
Token: SeRestorePrivilege	2704	DrvInst.exe
Token: SeRestorePrivilege	2704	DrvInst.exe
Token: SeRestorePrivilege	2704	DrvInst.exe
Token: SeRestorePrivilege	2704	DrvInst.exe
Token: SeLoadDriverPrivilege	2704	DrvInst.exe
Token: SeLoadDriverPrivilege	2704	DrvInst.exe
Token: SeLoadDriverPrivilege	2704	DrvInst.exe
Token: SeRestorePrivilege	2272	msiexec.exe
Token: SeTakeOwnershipPrivilege	2272	msiexec.exe
Token: SeRestorePrivilege	2272	msiexec.exe
Token: SeTakeOwnershipPrivilege	2272	msiexec.exe
Token: SeRestorePrivilege	2272	msiexec.exe
Token: SeTakeOwnershipPrivilege	2272	msiexec.exe
Token: SeRestorePrivilege	2272	msiexec.exe
Token: SeTakeOwnershipPrivilege	2272	msiexec.exe
Token: SeRestorePrivilege	2272	msiexec.exe
Token: SeTakeOwnershipPrivilege	2272	msiexec.exe
Token: SeRestorePrivilege	2272	msiexec.exe
Token: SeTakeOwnershipPrivilege	2272	msiexec.exe
Token: SeRestorePrivilege	2272	msiexec.exe
Token: SeTakeOwnershipPrivilege	2272	msiexec.exe
Token: SeRestorePrivilege	2272	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2096	msiexec.exe
2096	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3032	readerdc64.exe
3032	readerdc64.exe
3032	readerdc64.exe
3032	readerdc64.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2532	2272	msiexec.exe	34
PID 2272 wrote to memory of 2532	2272	msiexec.exe	34
PID 2272 wrote to memory of 2532	2272	msiexec.exe	34
PID 2272 wrote to memory of 3032	2272	msiexec.exe	36
PID 2272 wrote to memory of 3032	2272	msiexec.exe	36
PID 2272 wrote to memory of 3032	2272	msiexec.exe	36
PID 2272 wrote to memory of 3032	2272	msiexec.exe	36
PID 2532 wrote to memory of 2180	2532	powershell.exe	38
PID 2532 wrote to memory of 2180	2532	powershell.exe	38
PID 2532 wrote to memory of 2180	2532	powershell.exe	38
PID 2180 wrote to memory of 3064	2180	csc.exe	39
PID 2180 wrote to memory of 3064	2180	csc.exe	39
PID 2180 wrote to memory of 3064	2180	csc.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\AdobePDFReader (9).msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2096

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jjnhv0vj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6ECB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6EBA.tmp"
      4⤵
      PID:3064
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:3032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "0000000000000318"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77586f.rbs

Filesize
7KB

MD5
02d4dbf40ca2e168f87b608d4f991759

SHA1
bb8460f43ad661f390d7065297f885916d0ab5a2

SHA256
9242f2ddef24c9ac04bda79917c0781748dcb57709c05cef21e04944ee0d8e2e

SHA512
a3a7d591776dc77b6f8d1241d7afdea929cecf94daab30d42f9b39d75d021b8fa2752e7c667c5199b98cf6b87fbcd36f3b3883c530bab8f1e83180dd69aaecb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1

Filesize
2.2MB

MD5
4e0e85a590f4972732f1f0de81aa5507

SHA1
8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

SHA256
bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

SHA512
2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6ECB.tmp

Filesize
1KB

MD5
249acb58577f1c7a2cf2ed1c562b8836

SHA1
9750bde522d85d77d4a85720e6e64cc5d6f3e8b1

SHA256
4c9e6fd1dbc7da00ae520a41de7a9a8c43a70dd1fece0fe08099eb05e2483fa1

SHA512
6a6a038328280e215a9b35079f472cd2e7cdb44c1477a54fbbe049410bffe40be6c52a391db19345f7912cfd15b5bc50bbddd2d1b1f685759c55a58278d0b444

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjnhv0vj.dll

Filesize
3KB

MD5
d341af723034dd836f7c75de0c21b3d1

SHA1
d40284a01c2053b67d9cbf5f95a35cd8d03e4667

SHA256
56265678a0114d0a89d9c7d6beab3b00e17ea9e3abee31032f12be42cb1e5103

SHA512
124fe45527c688f5a1349b06cbc9397f3cb37336d782a350017e5afda1683201af35573502f29ec652387e0c928cbc1f7818ec319507b297592013bbbd172baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjnhv0vj.pdb

Filesize
7KB

MD5
bd8b4003795305c3aa61ad64b598aef7

SHA1
db20384b7363337041acc80d026af4e9166631c9

SHA256
a891317abd3eff8846d0fe35ead289fb5fcd7e7ee4d8cb315d703c71d5ff39e7

SHA512
471bf7a31100b540641b85ef21ee8ee44b537bb73833414ad16887470ba2c38710da1ba12b0fcfbb4a110f718f03e4b9584c3931b0bd1f8428d3d5240ed8d8a3

Download Submit
C:\Windows\Installer\f77586d.msi

Filesize
2.2MB

MD5
fadc9824c68402143239f764c99bb82d

SHA1
7eb72321c2c1e25b11c9d44229af22a179e27ce8

SHA256
9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

SHA512
916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6EBA.tmp

Filesize
652B

MD5
2f49d17d0da1e879c4016f77962815b7

SHA1
4dee3d971ebf3fcee4f8962f07289ab1aeaa9f4a

SHA256
0ef38d47c7136ec6c53f1e2c0bd083f1873293d0b1174e47ed55d19f6b0bdd3d

SHA512
3b8fded803dfa7548a90247cc741ee393b97497672b61de48c2a9e941723274d17cb53d19489bdfa2401c3fad18b3a1935f7315336f1b8e4f9236c31ca7ea505

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jjnhv0vj.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jjnhv0vj.cmdline

Filesize
309B

MD5
3395cdf6367e0e446f598aec5481d050

SHA1
13e4b372f77139b5c4fec9a97ee6eee52010c58c

SHA256
2c75017d64e70cb34c370f953ff0c05d49565eeba8a59ebe0ccdd7968cf41797

SHA512
b999d215fdc2184cea4fdc80fdc2f6056509c5e303073892b92c09850b2fdc9452cbee23286f77d60c51046f5d7862d631d9bead3c5d161a753fcac37c76e82b

Download Submit
memory/2180-52-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/2532-43-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2532-39-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-37-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/2532-38-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2532-42-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-41-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2532-40-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2532-44-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2532-114-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2532-113-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-105-0x0000000002480000-0x0000000002488000-memory.dmp

Filesize
32KB

Download
memory/3032-18-0x0000000000E70000-0x00000000012A9000-memory.dmp

Filesize
4.2MB

Download
memory/3032-25-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/3032-115-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/3032-116-0x0000000000E70000-0x00000000012A9000-memory.dmp

Filesize
4.2MB

Download
memory/3032-123-0x0000000000E70000-0x00000000012A9000-memory.dmp

Filesize
4.2MB

Download