161546849fbffcf6829641f4f44c71739f89144876a684657133f2e6bb2bd140

Analysis

max time kernel
122s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1485655eddec3797d0d4e3eac52d11bc.exe
Size

1.0MB
MD5

1485655eddec3797d0d4e3eac52d11bc
SHA1

3a2b3318b5114cd0fac594af6e178eacc8cd3f1e
SHA256

161546849fbffcf6829641f4f44c71739f89144876a684657133f2e6bb2bd140
SHA512

6d4ef5d23f2692a05bb61dcf0e285134d00a20223d49eab599b2fdb558ba57a04b10c005ba6daa9d1dc0ea58573670f154bebdcbc0277aad0eb4d9559c2c18de
SSDEEP

12288:fMiy4IadS4ms5I6e66fEheKhWsTCxef7cXYgvikavS+skI9rvMQQw6t9y8Yon:fbSaE4mvt/bJcjcXYgKzskIG5n

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2024	File.exe
2664	eicabfiaccj.exe

Loads dropped DLL 10 IoCs

pid	Process
2024	File.exe
2024	File.exe
2024	File.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2816	2664	WerFault.exe	30

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b000000016cdc-62.dat	nsis_installer_1
behavioral1/files/0x000b000000016cdc-62.dat	nsis_installer_2
behavioral1/files/0x000b000000016cdc-67.dat	nsis_installer_1
behavioral1/files/0x000b000000016cdc-67.dat	nsis_installer_2

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	1485655eddec3797d0d4e3eac52d11bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	1485655eddec3797d0d4e3eac52d11bc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	1485655eddec3797d0d4e3eac52d11bc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	1485655eddec3797d0d4e3eac52d11bc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1068	1485655eddec3797d0d4e3eac52d11bc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	1485655eddec3797d0d4e3eac52d11bc.exe
Token: SeIncreaseQuotaPrivilege	2944	wmic.exe
Token: SeSecurityPrivilege	2944	wmic.exe
Token: SeTakeOwnershipPrivilege	2944	wmic.exe
Token: SeLoadDriverPrivilege	2944	wmic.exe
Token: SeSystemProfilePrivilege	2944	wmic.exe
Token: SeSystemtimePrivilege	2944	wmic.exe
Token: SeProfSingleProcessPrivilege	2944	wmic.exe
Token: SeIncBasePriorityPrivilege	2944	wmic.exe
Token: SeCreatePagefilePrivilege	2944	wmic.exe
Token: SeBackupPrivilege	2944	wmic.exe
Token: SeRestorePrivilege	2944	wmic.exe
Token: SeShutdownPrivilege	2944	wmic.exe
Token: SeDebugPrivilege	2944	wmic.exe
Token: SeSystemEnvironmentPrivilege	2944	wmic.exe
Token: SeRemoteShutdownPrivilege	2944	wmic.exe
Token: SeUndockPrivilege	2944	wmic.exe
Token: SeManageVolumePrivilege	2944	wmic.exe
Token: 33	2944	wmic.exe
Token: 34	2944	wmic.exe
Token: 35	2944	wmic.exe
Token: SeIncreaseQuotaPrivilege	2944	wmic.exe
Token: SeSecurityPrivilege	2944	wmic.exe
Token: SeTakeOwnershipPrivilege	2944	wmic.exe
Token: SeLoadDriverPrivilege	2944	wmic.exe
Token: SeSystemProfilePrivilege	2944	wmic.exe
Token: SeSystemtimePrivilege	2944	wmic.exe
Token: SeProfSingleProcessPrivilege	2944	wmic.exe
Token: SeIncBasePriorityPrivilege	2944	wmic.exe
Token: SeCreatePagefilePrivilege	2944	wmic.exe
Token: SeBackupPrivilege	2944	wmic.exe
Token: SeRestorePrivilege	2944	wmic.exe
Token: SeShutdownPrivilege	2944	wmic.exe
Token: SeDebugPrivilege	2944	wmic.exe
Token: SeSystemEnvironmentPrivilege	2944	wmic.exe
Token: SeRemoteShutdownPrivilege	2944	wmic.exe
Token: SeUndockPrivilege	2944	wmic.exe
Token: SeManageVolumePrivilege	2944	wmic.exe
Token: 33	2944	wmic.exe
Token: 34	2944	wmic.exe
Token: 35	2944	wmic.exe
Token: SeIncreaseQuotaPrivilege	1516	wmic.exe
Token: SeSecurityPrivilege	1516	wmic.exe
Token: SeTakeOwnershipPrivilege	1516	wmic.exe
Token: SeLoadDriverPrivilege	1516	wmic.exe
Token: SeSystemProfilePrivilege	1516	wmic.exe
Token: SeSystemtimePrivilege	1516	wmic.exe
Token: SeProfSingleProcessPrivilege	1516	wmic.exe
Token: SeIncBasePriorityPrivilege	1516	wmic.exe
Token: SeCreatePagefilePrivilege	1516	wmic.exe
Token: SeBackupPrivilege	1516	wmic.exe
Token: SeRestorePrivilege	1516	wmic.exe
Token: SeShutdownPrivilege	1516	wmic.exe
Token: SeDebugPrivilege	1516	wmic.exe
Token: SeSystemEnvironmentPrivilege	1516	wmic.exe
Token: SeRemoteShutdownPrivilege	1516	wmic.exe
Token: SeUndockPrivilege	1516	wmic.exe
Token: SeManageVolumePrivilege	1516	wmic.exe
Token: 33	1516	wmic.exe
Token: 34	1516	wmic.exe
Token: 35	1516	wmic.exe
Token: SeIncreaseQuotaPrivilege	1652	wmic.exe
Token: SeSecurityPrivilege	1652	wmic.exe
Token: SeTakeOwnershipPrivilege	1652	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2024	1068	1485655eddec3797d0d4e3eac52d11bc.exe	29
PID 1068 wrote to memory of 2024	1068	1485655eddec3797d0d4e3eac52d11bc.exe	29
PID 1068 wrote to memory of 2024	1068	1485655eddec3797d0d4e3eac52d11bc.exe	29
PID 1068 wrote to memory of 2024	1068	1485655eddec3797d0d4e3eac52d11bc.exe	29
PID 2024 wrote to memory of 2664	2024	File.exe	30
PID 2024 wrote to memory of 2664	2024	File.exe	30
PID 2024 wrote to memory of 2664	2024	File.exe	30
PID 2024 wrote to memory of 2664	2024	File.exe	30
PID 2664 wrote to memory of 2944	2664	eicabfiaccj.exe	31
PID 2664 wrote to memory of 2944	2664	eicabfiaccj.exe	31
PID 2664 wrote to memory of 2944	2664	eicabfiaccj.exe	31
PID 2664 wrote to memory of 2944	2664	eicabfiaccj.exe	31
PID 2664 wrote to memory of 1516	2664	eicabfiaccj.exe	34
PID 2664 wrote to memory of 1516	2664	eicabfiaccj.exe	34
PID 2664 wrote to memory of 1516	2664	eicabfiaccj.exe	34
PID 2664 wrote to memory of 1516	2664	eicabfiaccj.exe	34
PID 2664 wrote to memory of 1652	2664	eicabfiaccj.exe	36
PID 2664 wrote to memory of 1652	2664	eicabfiaccj.exe	36
PID 2664 wrote to memory of 1652	2664	eicabfiaccj.exe	36
PID 2664 wrote to memory of 1652	2664	eicabfiaccj.exe	36
PID 2664 wrote to memory of 268	2664	eicabfiaccj.exe	38
PID 2664 wrote to memory of 268	2664	eicabfiaccj.exe	38
PID 2664 wrote to memory of 268	2664	eicabfiaccj.exe	38
PID 2664 wrote to memory of 268	2664	eicabfiaccj.exe	38
PID 2664 wrote to memory of 572	2664	eicabfiaccj.exe	40
PID 2664 wrote to memory of 572	2664	eicabfiaccj.exe	40
PID 2664 wrote to memory of 572	2664	eicabfiaccj.exe	40
PID 2664 wrote to memory of 572	2664	eicabfiaccj.exe	40
PID 2664 wrote to memory of 2816	2664	eicabfiaccj.exe	42
PID 2664 wrote to memory of 2816	2664	eicabfiaccj.exe	42
PID 2664 wrote to memory of 2816	2664	eicabfiaccj.exe	42
PID 2664 wrote to memory of 2816	2664	eicabfiaccj.exe	42

C:\Users\Admin\AppData\Local\Temp\1485655eddec3797d0d4e3eac52d11bc.exe
"C:\Users\Admin\AppData\Local\Temp\1485655eddec3797d0d4e3eac52d11bc.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\eicabfiaccj.exe
    C:\Users\Admin\AppData\Local\Temp\eicabfiaccj.exe 6-1-1-1-8-2-1-0-9-3-6 KU9IQzUvMjAuMBopUlRBSEdDPScdKUhEU1ZHUEpJOzoqGi5DSEtSSEQ0LjIvNTIfJ0FIRDQtGilPUU48U0JUVkY+NzIyMS0eLlM8T1A/UV5USko8aGtxajQuLnJqdC1EPFBFJ1NOTyU/T1AlRkhATh8uO0pIQ0JGPjc4UTAoc0N6WEprGi5DMDVMVE05QkwaLkMxNSswICZBLTcsMB8nQjM9JC4aKUM0PCUvHy9HT0k+VEJTV05RSU0+PVM8Hy5IUE5ETEBOWURUSzk7Hy9HT0k+VEJTV0xATTw6GilEV0RXU1FMNB0pP1dEXjtLQ0xASz83Hy5HR1FTXzlPSVFSRFE1MB8vS0U7SEpYTk1dVFJDOhopVUw8Kh4uREouNxouUVRGUkhNPFxRP0tCTkVDSE04RD9PUUs8GC1IU1ZPT0hTSEw9O3NybGIaKVFEU01QTUlFRFlPUkRRV0JAWUo6LBouR0g8Q1c9KB0pQ1JeQ1FMQE1AQFk/TUJRUU5TRTs6YFtrcmQYLUNPTktGSUBDXkFOPDgnKysuLTExJjEwICZRQ0dEPDAsMDc1JzAuLDMfLjxNVk5DTDs+XlNIRUM8NCY1KSwvMDQiMDkzJzcsLilPTA==
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81704136715.txt bios get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2944
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81704136715.txt bios get version
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81704136715.txt bios get version
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1652
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81704136715.txt bios get version
      4⤵
      PID:268
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81704136715.txt bios get version
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 372
      4⤵
      Loads dropped DLL
      Program crash
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704136715.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6837.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
557KB

MD5
2bbef6270549cb4505dcb6c2593db77c

SHA1
ddce684a1a32fa1bd18c32645851f42756d2b365

SHA256
7effe89fb3dcf62ba4b8f17888337e389ce38fe33c821aa4254a81b8ea5e4f8a

SHA512
0f6993e4b799922c3abf460b515537dbc52fd6b78535a607a85e0b90b03f13ca4fae9b01e5b0faa80620b70dd5bd6ea49f36f720a0e5b43671a5b4afc868fcff

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
156KB

MD5
8c18a92ed3336f147780f3fde2330154

SHA1
718cb4449ef15fa96255ce3c56838c6b74c37082

SHA256
9661517971e49049f3977b464c25e5b278e8aba7a8115fc69177fcf7369b0c8c

SHA512
222f5666b9331caf9e52be96f4254e8385d3b733c6510e01a4f9738c931116ea3a616950dd63723818acf0d1ce8835a97ed9d619c1b40c4a00b0c45fa54d7ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6869.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\eicabfiaccj.exe

Filesize
477KB

MD5
7f3df6beeae0ce09069f2d58f9829aa7

SHA1
39b74841422e54cdd37010e9f60606fd2559086b

SHA256
f4f16fc4b93b682cbe8c61058392f88a34daa45da414bf830cabb06a6f094732

SHA512
b60c3dba07d03f6c8b22ee27bb6313564191fc0cf25a3b7d6bcd178c43a8e0e7fc43a9572dda577b6b3610e83af8d75e30cfcf15b3aaa7c78978af1f3b9de285

Download Submit
\Users\Admin\AppData\Local\Temp\eicabfiaccj.exe

Filesize
494KB

MD5
8744b62c09d9d50b2ecb95c87475be0b

SHA1
e69d79fb675f20d1ac5027206ece42d932903b3d

SHA256
0933a8314eba72749b8d974196e269f1f0b49414770f2c41e094ea651d5a296a

SHA512
15059dedbc649a16190b86dc5f53aaae722a98770863daa9b37b39e4b3ff97e87b64e23ff68f37bbe8735c64ad18ebdc0b97936185504600843e1a5cfe8b9c65

Download Submit
\Users\Admin\AppData\Local\Temp\eicabfiaccj.exe

Filesize
764KB

MD5
19e1c0943c995a63ec5b83ba1b404d09

SHA1
c0a21f36bc11a5f5e0a09867c27f05bfc641d0cc

SHA256
89c161ff48f57d514a3363c19b78a49caabbf54f88f2fb30093c3ec9c49d4bee

SHA512
a2d4bfcca608619ecec4bfb801f3aab4f9aae61aa7b94e176c719cf7ea6d533468f3d2b38fff512d3579c341b799c87526961414b62673f912b60c0701e517ff

Download Submit
\Users\Admin\AppData\Local\Temp\eicabfiaccj.exe

Filesize
761KB

MD5
671cc1b9c5e7f8dfbff255017d63e5df

SHA1
e3ca1233b05d113690f3872e7df5759ebc64f010

SHA256
2e2a2b5b68a3d0e9faccab36cec4b41ee76576f8a9a26296cd679525045212f1

SHA512
144b29b29302148278f2dd1b9ddb2ede8201f6a9ceb477254e826408bcd578d00cb64e2c8a2fe6acf312d9b2aac0b32634be1520e889ed0797e7080ad9220261

Download Submit
\Users\Admin\AppData\Local\Temp\eicabfiaccj.exe

Filesize
599KB

MD5
c0df318868be1eb889ecccba102b9b78

SHA1
8e4d7b2dbb7852914fe0a3e231b777c4a48a2ca3

SHA256
6df64fcd1ab27ca58eff59cf0c544d5ab6ed723f0bd40e945882a7e4a0f73907

SHA512
c829f541236e4d20fc02381d6d0eeded216184ebd0143f4f75835d9e3d01c65a57694a1acb19ccd014bf877a277829c3c2ab3e1337adccc27e82c489523e29c8

Download Submit
\Users\Admin\AppData\Local\Temp\eicabfiaccj.exe

Filesize
503KB

MD5
9592a844d92be89b4a89d92331c56560

SHA1
5803b3a16ca50380baf77d7ca96f9d56c36af4e6

SHA256
dc81ea49e7652115766c0a36e8c8af3480d702a3f00db8fcedb26ec7542de786

SHA512
4af9e5c0dabf35c450f8ed4de5de84a56430454e31f474e3d6a97ef9ed95b241b139dcda59c9c29d0bff764b610fdff9d773e8289aaa21feaaccac863f8b0065

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8F55.tmp\jnqcc.dll

Filesize
125KB

MD5
fa201b3a974e89c2698bd733a75f1ca9

SHA1
574b335dc91439ecaffaddf305dce5bbfa93cb16

SHA256
98ac4f5ba3c5ced121551da176662b0823496058c795b3cdac2291cc2b942ed6

SHA512
f7b0b08886d7fd6f1313d8d283e8f5663bd9dd3c59885f8f00de037580475f5a37682dc5a24d5e5ac09c4893dc063e48399d4b5ba248fd085439c0c2651cd09f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8F55.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
memory/1068-7-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

Filesize
9.6MB

Download
memory/1068-57-0x000000001B250000-0x000000001B2C8000-memory.dmp

Filesize
480KB

Download
memory/1068-8-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/1068-103-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

Filesize
9.6MB

Download
memory/1068-104-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download