25f82e6a9b1207929a9c92954b1a3983d960e0ab8898d3cf61391b278e41c5f0

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.398d279df482f9721cbfaf7383dc0970.exe
Size

29KB
MD5

398d279df482f9721cbfaf7383dc0970
SHA1

3a8f9568fd3b5f0fddffa7048c30cda5f31e68f1
SHA256

25f82e6a9b1207929a9c92954b1a3983d960e0ab8898d3cf61391b278e41c5f0
SHA512

ba10c1ca847364d9579fd75d1b4e42051a9ad584373509464448180c5038a1963440073851fca843867aebf976d5aee8aa5e3118b2067a1dfe7e71bc73590b13
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/nS:AEwVs+0jNDY1qi/q6

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1728	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2188-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2188-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x00090000000120ee-7.dat	upx
behavioral1/files/0x00090000000120ee-9.dat	upx
behavioral1/memory/1728-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2188-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2188-17-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/1728-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-67.dat	upx
behavioral1/memory/2188-377-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1728-378-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2188-1246-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1728-1247-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2188-1832-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1728-1833-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2188-2186-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1728-2228-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2188-2522-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1728-2523-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.398d279df482f9721cbfaf7383dc0970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.398d279df482f9721cbfaf7383dc0970.exe
File opened for modification	C:\Windows\java.exe	NEAS.398d279df482f9721cbfaf7383dc0970.exe
File created	C:\Windows\java.exe	NEAS.398d279df482f9721cbfaf7383dc0970.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.398d279df482f9721cbfaf7383dc0970.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.398d279df482f9721cbfaf7383dc0970.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	NEAS.398d279df482f9721cbfaf7383dc0970.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.398d279df482f9721cbfaf7383dc0970.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	NEAS.398d279df482f9721cbfaf7383dc0970.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	NEAS.398d279df482f9721cbfaf7383dc0970.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	NEAS.398d279df482f9721cbfaf7383dc0970.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.398d279df482f9721cbfaf7383dc0970.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1728	2188	NEAS.398d279df482f9721cbfaf7383dc0970.exe	28
PID 2188 wrote to memory of 1728	2188	NEAS.398d279df482f9721cbfaf7383dc0970.exe	28
PID 2188 wrote to memory of 1728	2188	NEAS.398d279df482f9721cbfaf7383dc0970.exe	28
PID 2188 wrote to memory of 1728	2188	NEAS.398d279df482f9721cbfaf7383dc0970.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.398d279df482f9721cbfaf7383dc0970.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.398d279df482f9721cbfaf7383dc0970.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a57c70e76224190485c153af49c4c660

SHA1
d341060c818c72bca51d2be3508d17d61416c5ac

SHA256
8f2d6b79ca548a63687c94cf875864bef6f95176770876734ffc2d0dcdc81b16

SHA512
e1637ac11b0968a5dc45a8a53748eeeb79e4e8627a87bd8e7ec316df35fd6b3718a7842e581ecf099c50aeffa197830bfa8a535a350b25c7a24c46a7b7cc21d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2aa593b40cc2db6c5e112ca8c7b248ac

SHA1
86841055ae2d8ade9ac2051206ba62c8ff7b916e

SHA256
938a4c3e2095a3166dc5d27a9ca1dfd590b54fb3734122bad496ad017b6d5736

SHA512
ec69fc073786c84806aba232928bbeaa6f2fabe513ce0dc10cd2bc79986cdb11a65d1ac2df382cd0462e6eacd178336925564fd99fd69f225f9a85754025bb6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42cd874855e1cbd805be58db3b789a38

SHA1
359f03312151b9c4d6f2a99bd6d78631aa510db5

SHA256
106980433fd44ae55a730231f4bed2fbe505876d3df691c1803de22fcb51ba45

SHA512
6edc5797953c2e0ff5decfe86509aa492cd6b89a74cde72599eebb2db171fd5147d5f8400dda488f0649a41ae3af5397b974ba2822587e299c2aafa9d6af96d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
70fc67320017cb7b5327c3decef61eda

SHA1
d2846069ef928c14e36228e24857f3bee3472bc3

SHA256
258a196342bbe005cf82fefa6c7311197a383e38bc903114ed9ad8d08fb61182

SHA512
ff689da8d6a94335bf0c342d657deb65550d00c68ce262242ba096cbb90d77aed4f3aef84f811457f4504471d0e3b12b951ee4f73eae1ad269b1c1cc397f8abc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e5398fdad1887cc7c2db0632d6f4ea6

SHA1
e448d78c0aa2e15b82be107aa2c6566c42a0f13a

SHA256
1bdff03a48dccac8017aab6cd11206398bdc77e9c25e0328be03016499f65c56

SHA512
81e303049aa3997beec62bb9b9749bb9e60e27c532f3687d94091932004cd04b730d1f7d355e13c176fa9939bb833693c92bdff85a9192be32a62d1b0ea88b01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e6c45b6b472bad6f726c8aa4ea1918c

SHA1
90daa210d7795307476bdbe904adf037b699de87

SHA256
faa96f3a900fc7e55fbc75a89cc1aaa785c9824f2296542bf6f049eb503efc2c

SHA512
48c598d792c29edb2258e0ec1e9848b61fcc083f0a44d3d3f141a239367597a08f85efdfbf71731982e70cda4920711a05c373ddc9a93b0ff383e96aef6fbd88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74035c88273eddf03947a520fadb2e22

SHA1
b384bf2c4d2e076bc44b2bfb59e649b9f2cb75bc

SHA256
634bd00d03ca5fff801880e1fb611c796cd388c60f92164936c6089ae0a8a69a

SHA512
217a77af068027b2cbb23ddfa671fe05543dca9ed5d0d92a514ab969ce74bb02b5953bd701e6fb96b516d9faeaa6963d78b502e0ae353f5e8ef089a3a5f9b353

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e6af64875e38ed17b25c56031cd33ab

SHA1
7d0a1f320fba1b50057ed87025fb95b07cfe1cb8

SHA256
e1c807361ee6f31cb721a46912e942d9ada37a7a32a5da366b9e5cc0ffaa8de3

SHA512
e8a29ddebbfcf83b2ca0c92fe095095ff408d040691e16004cb054944e3b41550b75424944906def2ee3661363f9537849fd9931c4e1c817d8c173258a239a87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf454f230796c539a35fba6ee8228fc2

SHA1
4a0053824bb867f0bfbbcb5b6116ace3d2392446

SHA256
42050c448a321ea5c2ea7f986dec91dfa1fe3fe580a95a435981d6987574a854

SHA512
8e1f1b860b5f9db345a9a9433eb87ce78da1464172b096ed15f3af119ed85329f926d66a1aaf6c72d8de81fd7be35858661b49fa60a4a0b6e6ec20c246eeb9c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6f56691b922a24c190a0add4f0599c0

SHA1
7f65a2f587f6cfa691a42af076713e3136385f8e

SHA256
184d5094425ad6bb600d7d068d7d8d842cea02e8a2ce74e8955747bcab819ecd

SHA512
2f9c84aff970a9534e3326ec7bb149e54b38795583d682f009ab15651b2936bf5ae4627c87dacaece4dcd8256917601232f9973de916c7b7176f5811fab4aab0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dfb0b1470f4ffbae2554a19a297e009c

SHA1
e5ec620f299dde258085a5df88d41a4865f1a689

SHA256
9f70f285c5993ab06c5e3855f6ef620779034851b739771ecba435782451e883

SHA512
7fa35ccaf459bfd75b87d1fd4c1a04e090bca54c6259b4856ab724f5d8e08fe2d2b8e09b0b8ee2d913c20deb76a4491862a991a97bccd5551d66f21f6a80c173

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc17a2cd708b6b9b9202f4ab11facd71

SHA1
4957ad6b09d597869c835ed94498a40f5658244e

SHA256
f071766baebed5f9a161ccc2585a7f4883dda36e0a4f7eab6bb16875488a0abb

SHA512
5f95e179503356d1802165915436c62d4df592cba2111f147d63634a96b28a7c2af0443e37a836decf98d21a4251adeee185e8fd67c65e4d0894f839f610bfa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4bb2a25859fb6f875e9ffdf828b753b

SHA1
5469d86d2063af3d6db01e0efd431e4cce6b2f33

SHA256
85022bc863f6e4a7ffce5472b89cf40c2d0e4f1658ca91c51ba5e1d8e1dba2a4

SHA512
992202764829d07c1e077c5e0fad054aa22818f56fe2660d43e8d20d08537be4dc5eeb82549cbc0b828c7f3a6b79b2c1d9ccf4158bad43b73a7ac3d875aba3d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22c7239169e82691f3ebda96c4c95129

SHA1
df1a33136ce90de9642db4a5eb8adfb4a8e03fe6

SHA256
abfc15620ba9311b2ed5cee1bdf172b701bd6c371dadf9a497e61a5e6ecd1be6

SHA512
d5da4ef3a4e3797c3f18b40306b4f22dbb67de3caa878d3cbda91b655db25a935fdfa5d6a7427ac359648d5e287d711ea26dcb85904b09258f84e83726b0cabc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23281465d9cbe4ddbd672950ac7737b3

SHA1
a08ddb1c4a114ad50afaa08dd99f3b766b2f8ee9

SHA256
a3e7e6cef89af88280aa56a2f9f8cb9828394bdaa5ec95a38677b11139cc7fb9

SHA512
c449d4068518bfc78f5b8f50627ff54c9b56427fe54e3d2529e5a5384d0406d11c8588056225a2fb75aca0d45ab3fe1706e73f877f3f4a1f404a7185df464432

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46b97de2150bf49c41ee40e4ab6a525f

SHA1
f75311e32568d570310945caacda845d9255d5f7

SHA256
c467d7c4b9739021455b6a3e0b9304ed459512fa07623e7b9d8a6ee03e14ac0c

SHA512
12dad9526a3ff9843fd64a427f346edb40f3a48c5412338988722ee37118d32f47008e4f6bb5e128e2b29ed99772ce53354ae4fea83932a55e7af1082743dc90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a67bcc40a70d5ffa94a6ad6d6151e641

SHA1
733328f1a5f6233017a72d2d1ff965bb08a81950

SHA256
0bf909fce190c8aafaccce713ed356230c5bd9344fcdb37835e8d279908435c3

SHA512
ff967fe356909358b472dedd67c6091c767a144bbc603fcf5270a75bab536795bcd310f74b866f3236c61cf2462c258fd6a6995ce2d5fe3d91adbc41d99b4fe4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b820f477cdc4f46524165c3a23071365

SHA1
417cc86934699d40bfbfa25be31c111a3c6d6171

SHA256
31f8fff6695e40a916d2d802582a825b7e411ea6de632562c9f2739f3ecbf96b

SHA512
a6238d1cca4f432bec56171da2df6cfb71cb244c87d8b403eaf861be9eac906868fff39e669873442715d6e7cfad7f06c1cdf7d5c52a53925c330f8e44c9db63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05a9b246572d8510b41167acaafab1ce

SHA1
9e6e6a260b8345dafd99684439111b6f7b6b6c6b

SHA256
b132da6454f34bec707c7dadaff7e94e9cb7b2a5966fe45a94483aac74fa7ab9

SHA512
56b114a315b28cff537cf466553aa5e74d837292806f78c7b446b9ee364e22f63d9120aa4f80621d8012d59a08543da477a01f3cd7014ba2e8eebf94525314c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
343e3783f6386f6e40b6695ca20b3ee6

SHA1
4ca9dff5b8bad21fb078054fa24a4e014cf465ae

SHA256
e90c283a8ddccf1cbee773feb05b2b1a7ff5d69e6b5deb480c3998547ab00f90

SHA512
2d6d54fb6ae13cb2894cdaa1345f1367852d12a9bf620d991b3ab54e04c3464a7ba507d77f7247b88644a4ea17e8924afda71be57c56385d4eb011052eaf0027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8135742c489767b5bcd3fb781380b32

SHA1
670027d88bf1a9449248500175ec553fe18b5469

SHA256
72f7657d93d1814c9b23a436b7333fd649b12907f041ef0b5a99f4cade2bbfab

SHA512
c4812ea6dd8ee7ed4ffe3feb02631c6a9c2d9dca318a6343d6c99fda411192337c2f6bcfe0411d35850ce4ccf0b46409fa8192ce321191c97bc42a6b62ef0d1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5013f24a3abe411b915c15c08e07f62e

SHA1
0c8eafded2de9390497f88c798301ae8dcbc88da

SHA256
4322345898e6b7f7db0f6884ff0c2b1d290a10e586e5753d8cfef7a08472d1a5

SHA512
db90df5dd8f18431fa59ad3ff71e6a0704f542a22033b886152836662c5560a6eff3d9110f1f5377a5f6fdefc31a23631fe48cfbe14a3ee1984127c143028454

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed57186013f1f81ab2b10b5feb6523dd

SHA1
d2af9d92bb66af8ae18ce55e7e3da0ef1f2a1771

SHA256
f42df71a654010f614d0293f5e487e865918680429c4574dcb3c37e0c4c44ef8

SHA512
ad5ce4a2e0ba1c1d601d5923fbc2bbd05d0ba508335a47e8772265589767efbbee9ec8aca8772f248c5c8c367e7c589d195805ea150cdc0d91ec172710e9afc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31452b9dd3779ec0d46d02d8f31db3b4

SHA1
342be8bccb99e667df1cff4acd594f3fc7dd6b14

SHA256
df57960d40248b50bef44398e7ba3469ecb8967578fd3619f6a282af93f5431d

SHA512
70020d8e029f356a7da34823b99335422278906cce00cb8ce726ccc143f15d760531dbba3c3c2c399df604a669cca3325380d78c5ccb10585b83fc1b95e2e014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\231WYO8G\default[1].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\231WYO8G\default[2].htm

Filesize
302B

MD5
485828cfdc2c1efc0c51ff9b74dd34f8

SHA1
6f685134b031e9b2fff0eb8c7212c99bfba3719f

SHA256
615a15f6247f8f979b3a066801c98489018b1d137fd5d9b7bce73824acc70f06

SHA512
69736b9700c2f47feab282d8bf8bd6f02c9f62ecb9c02466b6cf76b1cd4b1becc70803123e73427c871c2aeb2eb64540edf95a342f78d9211ac0571e8fd1f426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\231WYO8G\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQGVC737\default[7].htm

Filesize
305B

MD5
157431349a057954f4227efc1383ecad

SHA1
69ccc939e6b36aa1fabb96ad999540a5ab118c48

SHA256
8553409a8a3813197c474a95d9ae35630e2a67f8e6f9f33b3f39ef4c78a8bfac

SHA512
6405adcfa81b53980f448c489c1d13506d874d839925bffe5826479105cbf5ba194a7bdb93095585441c79c58de42f1dab1138b3d561011dc60f4b66d11e9284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZDJKTMWH\default[1].htm

Filesize
302B

MD5
51b86971925c7d24d895ff89fdebc8f5

SHA1
d037148e50a77f0de8421e0ef81f87f9f73570da

SHA256
3b50a39db6499f5cb2d3b6cec01daa5c33fcf80c0722707c6014e23ed1577280

SHA512
1bc88174ee963971ca43e106828d9e74473cf1aa664f6d4fa43ec9631610ab4c1dc9a0c84f5c89dd2b627eaf64f57dee99eca84b88eb14c36bf7285cb9d7f0c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZDJKTMWH\default[3].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZDJKTMWH\default[4].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZDJKTMWH\default[5].htm

Filesize
304B

MD5
57e90e4154b7cd9f1ef8a42a680d4eb6

SHA1
e9e1cdb76f921a0579fe13b55645c58bf2406144

SHA256
5f43170f230ecbe938dae2f5ab36fb2a0fae41195154fe8df32d6016f957fdf3

SHA512
9ce03985f48ab068de1de5d3cb8bd0e2b63280ad4eabc1280ab39d1d1b215291da6c1a7bb3f1b68b7e3ceb571a3cfc1de5b998e2a61100eda530e0e169bf0033

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBCC2.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBDB0.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB261.tmp

Filesize
29KB

MD5
34a3c9d44c3e56d6b7e12dcb88de037f

SHA1
d8b0ea5b05c39a039129ba5fbb075403fd2addf3

SHA256
c1896edeba6a61fa75248f638bbdecf481016a2b31d1b09d9e7142652299fdc3

SHA512
076feedac9a35aee2948965849453f402ac269d284e913f4a10a20797fd6784565168330575b0e6dcae7b88a12a1127eb14e4e3aa91d0d980c648c2983c3ea52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucuAhcog.log

Filesize
256B

MD5
800652d5038ec22dfa1eb6d4a83d9ac3

SHA1
998461d70631dbe49b3de81d7cdf56f3df53294b

SHA256
c659dc9167dde482399c0d8316966b77b6bd3e45b12e83577a918743a3461768

SHA512
1ecdfe7070696c2d6f9ac90e556cd548fe8748bd80bf56d9a37419f1d1169c27a6996d47a26d9da8825c0ab2d6ff51d96544ebc31148ec516fa589f3e8cd6c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
df08e92f4e24a8758e959385779a0822

SHA1
e089f5ef83d0f3c43d5c7e290f70776915927f7e

SHA256
e3666d12cf0db99161c78988560a020b2b2d566f18f45cf05e0e889a4b918050

SHA512
3a70fbb09bf59d2f8e865837b9ca5de596b987f7c756c8e05cb9e11d004055092356a51638279ac375ce3ba509c32dd825abbfb53808fef540e0b730c9d31a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
b6d69a2c9a7f9301e4ca164ad636f30e

SHA1
b176d9e6e4f6b87251274a14857f5a2d73574b64

SHA256
a5665b3cbfdab68ed0d9468772727bb0572d4da76a3660bd61e845210aa0e6d2

SHA512
4849d38f1d8c8a59395ab6335ca9c3e1a804ededcfcf01c88a9d890e02d25209d703bfc8759e7ed2f69851922953ef93d6c06ea7517414a0ba0a3fae5ae78b73

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1728-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-2523-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-1247-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-378-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-1833-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-2228-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2188-2186-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2188-17-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2188-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2188-1832-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2188-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2188-377-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2188-2522-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2188-1246-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2188-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads