dca7d0f66b7b870eeb4021759996c35a5fefdc98c5690b56bf901f69eebda23d

Analysis

max time kernel
120s
max time network
195s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

166fff8c1265d9f93bcb065d9fc41b55.exe
Size

1.1MB
MD5

166fff8c1265d9f93bcb065d9fc41b55
SHA1

bb419c9675286ca3bccf27a27ebe5652d1036e62
SHA256

dca7d0f66b7b870eeb4021759996c35a5fefdc98c5690b56bf901f69eebda23d
SHA512

7b63524d3e0a1ed2226e6c2dcf04551cd3adccf0336f654a41fee9f5b98b78460c402727687514bf28fa30d5f7ea68a43f7c2f16d4858bb30c238dec19e06d84
SSDEEP

24576:8bSaE4mvt/qO4FGAjOjBwVg/1eWzdXaLyt7YB:8bSv4mv4O4USjg/1eWzdJ7YB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1308	File.exe
1980	1430708483.exe

Loads dropped DLL 11 IoCs

pid	Process
1308	File.exe
1308	File.exe
1308	File.exe
1308	File.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2984	1980	WerFault.exe	29

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000800000001555b-62.dat	nsis_installer_1
behavioral1/files/0x000800000001555b-62.dat	nsis_installer_2

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	166fff8c1265d9f93bcb065d9fc41b55.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	166fff8c1265d9f93bcb065d9fc41b55.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	166fff8c1265d9f93bcb065d9fc41b55.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	166fff8c1265d9f93bcb065d9fc41b55.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2088	166fff8c1265d9f93bcb065d9fc41b55.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	166fff8c1265d9f93bcb065d9fc41b55.exe
Token: SeIncreaseQuotaPrivilege	2220	wmic.exe
Token: SeSecurityPrivilege	2220	wmic.exe
Token: SeTakeOwnershipPrivilege	2220	wmic.exe
Token: SeLoadDriverPrivilege	2220	wmic.exe
Token: SeSystemProfilePrivilege	2220	wmic.exe
Token: SeSystemtimePrivilege	2220	wmic.exe
Token: SeProfSingleProcessPrivilege	2220	wmic.exe
Token: SeIncBasePriorityPrivilege	2220	wmic.exe
Token: SeCreatePagefilePrivilege	2220	wmic.exe
Token: SeBackupPrivilege	2220	wmic.exe
Token: SeRestorePrivilege	2220	wmic.exe
Token: SeShutdownPrivilege	2220	wmic.exe
Token: SeDebugPrivilege	2220	wmic.exe
Token: SeSystemEnvironmentPrivilege	2220	wmic.exe
Token: SeRemoteShutdownPrivilege	2220	wmic.exe
Token: SeUndockPrivilege	2220	wmic.exe
Token: SeManageVolumePrivilege	2220	wmic.exe
Token: 33	2220	wmic.exe
Token: 34	2220	wmic.exe
Token: 35	2220	wmic.exe
Token: SeIncreaseQuotaPrivilege	2220	wmic.exe
Token: SeSecurityPrivilege	2220	wmic.exe
Token: SeTakeOwnershipPrivilege	2220	wmic.exe
Token: SeLoadDriverPrivilege	2220	wmic.exe
Token: SeSystemProfilePrivilege	2220	wmic.exe
Token: SeSystemtimePrivilege	2220	wmic.exe
Token: SeProfSingleProcessPrivilege	2220	wmic.exe
Token: SeIncBasePriorityPrivilege	2220	wmic.exe
Token: SeCreatePagefilePrivilege	2220	wmic.exe
Token: SeBackupPrivilege	2220	wmic.exe
Token: SeRestorePrivilege	2220	wmic.exe
Token: SeShutdownPrivilege	2220	wmic.exe
Token: SeDebugPrivilege	2220	wmic.exe
Token: SeSystemEnvironmentPrivilege	2220	wmic.exe
Token: SeRemoteShutdownPrivilege	2220	wmic.exe
Token: SeUndockPrivilege	2220	wmic.exe
Token: SeManageVolumePrivilege	2220	wmic.exe
Token: 33	2220	wmic.exe
Token: 34	2220	wmic.exe
Token: 35	2220	wmic.exe
Token: SeIncreaseQuotaPrivilege	432	wmic.exe
Token: SeSecurityPrivilege	432	wmic.exe
Token: SeTakeOwnershipPrivilege	432	wmic.exe
Token: SeLoadDriverPrivilege	432	wmic.exe
Token: SeSystemProfilePrivilege	432	wmic.exe
Token: SeSystemtimePrivilege	432	wmic.exe
Token: SeProfSingleProcessPrivilege	432	wmic.exe
Token: SeIncBasePriorityPrivilege	432	wmic.exe
Token: SeCreatePagefilePrivilege	432	wmic.exe
Token: SeBackupPrivilege	432	wmic.exe
Token: SeRestorePrivilege	432	wmic.exe
Token: SeShutdownPrivilege	432	wmic.exe
Token: SeDebugPrivilege	432	wmic.exe
Token: SeSystemEnvironmentPrivilege	432	wmic.exe
Token: SeRemoteShutdownPrivilege	432	wmic.exe
Token: SeUndockPrivilege	432	wmic.exe
Token: SeManageVolumePrivilege	432	wmic.exe
Token: 33	432	wmic.exe
Token: 34	432	wmic.exe
Token: 35	432	wmic.exe
Token: SeIncreaseQuotaPrivilege	432	wmic.exe
Token: SeSecurityPrivilege	432	wmic.exe
Token: SeTakeOwnershipPrivilege	432	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1308	2088	166fff8c1265d9f93bcb065d9fc41b55.exe	28
PID 2088 wrote to memory of 1308	2088	166fff8c1265d9f93bcb065d9fc41b55.exe	28
PID 2088 wrote to memory of 1308	2088	166fff8c1265d9f93bcb065d9fc41b55.exe	28
PID 2088 wrote to memory of 1308	2088	166fff8c1265d9f93bcb065d9fc41b55.exe	28
PID 1308 wrote to memory of 1980	1308	File.exe	29
PID 1308 wrote to memory of 1980	1308	File.exe	29
PID 1308 wrote to memory of 1980	1308	File.exe	29
PID 1308 wrote to memory of 1980	1308	File.exe	29
PID 1980 wrote to memory of 2220	1980	1430708483.exe	30
PID 1980 wrote to memory of 2220	1980	1430708483.exe	30
PID 1980 wrote to memory of 2220	1980	1430708483.exe	30
PID 1980 wrote to memory of 2220	1980	1430708483.exe	30
PID 1980 wrote to memory of 432	1980	1430708483.exe	33
PID 1980 wrote to memory of 432	1980	1430708483.exe	33
PID 1980 wrote to memory of 432	1980	1430708483.exe	33
PID 1980 wrote to memory of 432	1980	1430708483.exe	33
PID 1980 wrote to memory of 832	1980	1430708483.exe	35
PID 1980 wrote to memory of 832	1980	1430708483.exe	35
PID 1980 wrote to memory of 832	1980	1430708483.exe	35
PID 1980 wrote to memory of 832	1980	1430708483.exe	35
PID 1980 wrote to memory of 1812	1980	1430708483.exe	37
PID 1980 wrote to memory of 1812	1980	1430708483.exe	37
PID 1980 wrote to memory of 1812	1980	1430708483.exe	37
PID 1980 wrote to memory of 1812	1980	1430708483.exe	37
PID 1980 wrote to memory of 768	1980	1430708483.exe	39
PID 1980 wrote to memory of 768	1980	1430708483.exe	39
PID 1980 wrote to memory of 768	1980	1430708483.exe	39
PID 1980 wrote to memory of 768	1980	1430708483.exe	39
PID 1980 wrote to memory of 2984	1980	1430708483.exe	41
PID 1980 wrote to memory of 2984	1980	1430708483.exe	41
PID 1980 wrote to memory of 2984	1980	1430708483.exe	41
PID 1980 wrote to memory of 2984	1980	1430708483.exe	41

C:\Users\Admin\AppData\Local\Temp\166fff8c1265d9f93bcb065d9fc41b55.exe
"C:\Users\Admin\AppData\Local\Temp\166fff8c1265d9f93bcb065d9fc41b55.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\1430708483.exe
    C:\Users\Admin\AppData\Local\Temp\1430708483.exe 0*6*7*1*6*5*0*5*4*1*8 L0pCQzcsOTIsLxgvTU5BSkREOCwfJ04/TVZJTUtEQDwpICk9SE1PST85MSw1LiwfKT5JPzkvGC9KS04+UENPW0g8PSsvOC4bL05BUU5FTFhUTEc9Y3BzaDopKHJscS4/QVJDLU5ITyc8UEsqSEZGSRkuPUdJPkdIPD1TSFRMPkxEP0pBRBooQys4MTQxMy0gKT0xNygxGytDKz0nKh8pPzQ4KTAYLz4uPCcsICpMUUdETzxTWUtSRFJAO1k3GS5KTU8/UUJMXz9OSzs4ICpMUUdETzxTWUlBSEE8GC8/UURZUFJHOR8nRVI+Xj1IREdFTT09GihHSU5UWj5RR1dNPlE3LSAqUEc5TkVSTk9aVU1IPBgvUEY8LBsvP08wNSApS1RIT0lIQV5PRUY8TkdASUg9Rj1VTEU8GipJTltRTU5OQkw/OHRtcWQYL0w+U09NTkRKRldVTT5RWT9BVE88KiApQUg+QFg4LR8nSU1YQ1NJQUhFQldFSDxRU0tUQEA8XmFmbGQaKkRKU01ETzs9XkNLPTMzLSkxMSc0LSkxMxwuTElHPjwrLzMrMzApNisrHyk/T1JKS0dBPlhTQ0hFODEuLC8sKTAvJTM1MTIyMywjQEcbL1A9PEVvdGJrZlwlLWI0JjAlIVZjaWRqc3IjTk4kNSgsJS5eKk9PUS8zIyZBa2xrXVdfW0pjbyUtYjQrNygsNSUjS0NQTEQlLFwqZmRrYCdGXWNlaCglPmhta2xdJSxfMyopMCkuMSk0KCowLyZZXD5xZ3dtXnEfLWYsMS0qLiwrMC4pMzEwNCNTW19gbGQlLWI0KzcoLDUaKlVNSDxgdG5pJC1cJS1iJCpmYV5zKCsxLDVlJmloX24fLWZNcW1MaWdeQ2lybmdrYFxNW2dgYWByWmBkaGxpciQsYTEvLy8vMSsvLyogMmEtMyswMSowMCswIC5lKTQtKTYrLDYrLCQrZi4sNC0tOC8vNio0UytJcEdqXi9hPG9rR3lHbkxOQmdHeWlwTGMreERpZi5MPkYyRj5KbUpoMGlTPDMuR2pecEw8SWBSVmJnWUJWbFFqUE9TPzBRSyxnP1BlYUdKPkpoVEYpcUlMN2JfMl9rTks4
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703548997.txt bios get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2220
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703548997.txt bios get version
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:432
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703548997.txt bios get version
      4⤵
      PID:832
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703548997.txt bios get version
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703548997.txt bios get version
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 372
      4⤵
      Loads dropped DLL
      Program crash
      PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81703548997.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703548997.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703548997.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3D31.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
614KB

MD5
60bdf53bdd628249cedef71a6f14201b

SHA1
df11e39369b3c861fd4bc2a54829f121b8b10055

SHA256
3dff1c1a47a1f17f59ea8d455f96950cc060f7072abfeeacf3c704e7d5ac2dc4

SHA512
44e3fe5975588aecaf572bafac9e926eb7f33f5d371ebd7175b56a915e10701e802290f0df6994f45b17e8561656885dbb688dcacd2f33d1f5706ddc7f783b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D53.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\1430708483.exe

Filesize
512KB

MD5
d5f11f34f71a6d3400bcda44ff4733e4

SHA1
62ea2cbc3e05274d1f9be6aa63bb303c7c3d3fe7

SHA256
ad51c6bdc72fb9dab76a41ad5b7b0ccf5c04072f0ee07f3d71a314286fb0f253

SHA512
f86a59dda4827cde5ca8d48e14f2a6ad2017784d2265df1780a653d954ba8ac499e9340fb8e1636d7f729a68bd851762058e86fcc88a289adf6087daa4e6ce6b

Download Submit
\Users\Admin\AppData\Local\Temp\1430708483.exe

Filesize
311KB

MD5
e5a75cf75ee69c47fb24d1225fc1b932

SHA1
3119adced0b26f8dfca95229a9449989d525668e

SHA256
bd0232f3444d74eed175457f6419522e1046b18e5388172957879d4b0d601813

SHA512
aef939b9c143aaeccdef124a42fa6cba436c756bef78ddeff198e1afd96e124b7c0b98110d68dff2449a27e38fc8e90a47498d5ea541dfc9764878da07301184

Download Submit
\Users\Admin\AppData\Local\Temp\1430708483.exe

Filesize
276KB

MD5
7b69fc7242840f35e91bb7086fb8de83

SHA1
813d1c4998e0cfba6848e18cc7667d78bc56bfd5

SHA256
90234d69d35ae7378b24a06b7e8c8689ddf07d0232dd3c5ee76532d307600c27

SHA512
703f46c156c78f2e42504aac7e5d4d8c4d67c8fab397590e371ebd667d249ed5a8ce13cdb61893905f7e6476e5a51cdb9ce98f954d2e1bea6ce619c24a95daef

Download Submit
\Users\Admin\AppData\Local\Temp\1430708483.exe

Filesize
224KB

MD5
f0351011806dfc219665b07d6b1c9a2d

SHA1
99ddf7a27787ec9b4eb0ee5f8333f05b60aa74b2

SHA256
56bc102e5c8ff43d63591da58829f8cbec3041fc2e0ab62defa7d8905ce3f570

SHA512
4869a329de9ce84f2d9ccea9b98c38d8dfd067258a1206e0ea240964b691e29841f01983a890c75e18bcf86e4e8c10d42b83cfe12aa3ac75c407bd302231e2aa

Download Submit
\Users\Admin\AppData\Local\Temp\1430708483.exe

Filesize
928KB

MD5
aec53c763c894df449713b869c864a50

SHA1
55d9a69a1430a9a09a92ed20ff905056a7639dfb

SHA256
975abfb32435e0106cc7234c428dd9709e4b11982fe6310260822bb5cfaf4195

SHA512
8ebf51550eb4e84494e32ae6f281f051980923852678087b8e0d7bfcff5ad08b59b93846938994ded6987ea375fdfbe03562465f6fe38690eb7f0270830d0dbc

Download Submit
\Users\Admin\AppData\Local\Temp\nsz71A8.tmp\dsvfr.dll

Filesize
126KB

MD5
c77a97b9a08e2e742170cc1aa7c2fcb1

SHA1
98d637e1f3cf0fdebd74bf821aaf43bd42590a06

SHA256
e9f06c5e19f0682473abc1f73fd7c400dbb0d79124c161f4f863a2be7249ac72

SHA512
f73d8ba2dc2bb0707edbc0ba1fd9b89742fc91f787c5c58f9243dad42a2de64d655bd34068d3a92a7630810249f3fdeb389b2318a3d1482f29b5ce79e0fbc575

Download Submit
\Users\Admin\AppData\Local\Temp\nsz71A8.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
memory/2088-7-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2088-57-0x000000001B170000-0x000000001B1E8000-memory.dmp

Filesize
480KB

Download
memory/2088-8-0x0000000002160000-0x00000000021E0000-memory.dmp

Filesize
512KB

Download
memory/2088-110-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2088-111-0x0000000002160000-0x00000000021E0000-memory.dmp

Filesize
512KB

Download