Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31-12-2023 05:58

Static task: static1

Behavioral task: behavioral1
- Sample: 2aedfa0dfb06ef02b268ec62486e6f80.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 2aedfa0dfb06ef02b268ec62486e6f80.exe
- Resource: win10v2004-20231215-en
General
- Target: 2aedfa0dfb06ef02b268ec62486e6f80.exe
- Size: 4.0MB
- MD5: 2aedfa0dfb06ef02b268ec62486e6f80
- SHA1: 0e998e4a93dd1fd666aece318b77d9f1756d9c17
- SHA256: bd175fda8c98a44237f8da7e02e48f6aaf00365bec2e7e38b7b42414bd888d95
- SHA512: f5db800199bed799c593b779909364727824ed22076939e10fba0bd83b8dbecf772de34e9d7c9a083cbf734a52a8056b2c38817e52890bfae2f9a5e8dff1979f
- SSDEEP: 98304:y8DDoeOv58eCbmQKYSA/tEcDtXH0QdCbu1Vq7qd9tknkPzg:y8Poe6G0YSAzJBdCbCVqGntknE8
Malware Config

Extracted: nullmixer
- http://watira.xyz/

Extracted: redline
- pab3
- 185.215.113.15:61506

Extracted: smokeloader
- pub5

Extracted: vidar
- 40
- 706
- https://lenak513.tumblr.com/
- profile_id: 706

Extracted: smokeloader
- 2020
- http://aucmoney.com/upload/
- http://thegymmum.com/upload/
- http://atvcampingtrips.com/upload/
- http://kuapakualaman.com/upload/
- http://renatazarazua.com/upload/
- http://nasufmutlu.com/upload/

Extracted: cryptbot
- knurxh28.top
- moraku02.top
- payload_url: http://sargym03.top/download.php?file=lv.exe
Signatures

CryptBot payload (6 IoCs)
Processes (resource -> yara_rule):
- behavioral1/memory/452-380-0x0000000003D40000-0x0000000003DE3000-memory.dmp: family_cryptbot
- behavioral1/memory/452-382-0x0000000003D40000-0x0000000003DE3000-memory.dmp: family_cryptbot
- behavioral1/memory/452-383-0x0000000003D40000-0x0000000003DE3000-memory.dmp: family_cryptbot
- behavioral1/memory/452-381-0x0000000003D40000-0x0000000003DE3000-memory.dmp: family_cryptbot
- behavioral1/memory/452-408-0x0000000003D40000-0x0000000003DE3000-memory.dmp: family_cryptbot
- behavioral1/memory/452-644-0x0000000003D40000-0x0000000003DE3000-memory.dmp: family_cryptbot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Processes (resource -> yara_rule):
- behavioral1/memory/1672-137-0x0000000004880000-0x00000000048A2000-memory.dmp: family_redline
- behavioral1/memory/1672-151-0x00000000049D0000-0x00000000049F0000-memory.dmp: family_redline

SectopRAT payload (2 IoCs)
Processes (resource -> yara_rule):
- behavioral1/memory/1672-137-0x0000000004880000-0x00000000048A2000-memory.dmp: family_sectoprat
- behavioral1/memory/1672-151-0x00000000049D0000-0x00000000049F0000-memory.dmp: family_sectoprat
SmokeLoader
Modular backdoor trojan in use since 2014.

Vidar Stealer (3 IoCs)
Processes (resource -> yara_rule):
- behavioral1/memory/2460-150-0x0000000003230000-0x00000000032CD000-memory.dmp: family_vidar
- behavioral1/memory/2460-162-0x0000000000400000-0x0000000002D1A000-memory.dmp: family_vidar
- behavioral1/memory/2460-376-0x0000000000400000-0x0000000002D1A000-memory.dmp: family_vidar

Processes (resource -> yara_rule):
- C:\Users\Admin\AppData\Local\Temp\7zS46829F36\libcurlpp.dll: aspack_v212_v242
Executes dropped EXE (14 IoCs)
Processes (pid, process):
- 2148 setup_installer.exe
- 2824 setup_install.exe
- 2788 Tue16fdfa6cf2ae0.exe
- 2664 Tue168468791c.exe
- 1232 Tue165b45f01bf.exe
- 1672 Tue16dbd9f0964.exe
- 1912 Tue1643024cec44eb6.exe
- 2460 Tue166801dd1c.exe
- 472 Tue1619562504c6402.exe
- 1052 Tue16fdfa6cf2ae0.exe
- 1156 Tue16c3a7ed6a67.exe
- 2408 Tue16b2aff6f6632f.exe
- 964 Volevo.exe.com
- 452 Volevo.exe.com

Loads dropped DLL (56 IoCs)
Processes (pid, process; consecutive identical entries collapsed with their count):
- 1244 2aedfa0dfb06ef02b268ec62486e6f80.exe
- 2148 setup_installer.exe (x6)
- 2824 setup_install.exe (x8)
- 1812 cmd.exe (x2)
- 1940 cmd.exe
- 2788 Tue16fdfa6cf2ae0.exe (x2)
- 2828 cmd.exe
- 1560 cmd.exe (x2)
- 2164 cmd.exe
- 2828 cmd.exe
- 1672 Tue16dbd9f0964.exe (x2)
- 1912 Tue1643024cec44eb6.exe (x2)
- 2624 cmd.exe (x2)
- 2788 Tue16fdfa6cf2ae0.exe
- 2460 Tue166801dd1c.exe (x2)
- 2800 cmd.exe
- 472 Tue1619562504c6402.exe (x2)
- 2136 cmd.exe
- 1052 Tue16fdfa6cf2ae0.exe (x2)
- 2152 cmd.exe
- 2408 Tue16b2aff6f6632f.exe (x2)
- 1768 cmd.exe
- 964 Volevo.exe.com
- 2264 WerFault.exe (x4)
- 2372 WerFault.exe (x7)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Tue16b2aff6f6632f.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes (pid, process -> pid_target, target process):
- 2264 WerFault.exe -> 2824 setup_install.exe
- 2372 WerFault.exe -> 2460 Tue166801dd1c.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (Tue1643024cec44eb6.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (Tue1643024cec44eb6.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (Tue1643024cec44eb6.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Volevo.exe.com)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Volevo.exe.com)

Modifies system certificate store
Processes (description, ioc, process; certificate blob data omitted):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 (Tue16c3a7ed6a67.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] (Tue16c3a7ed6a67.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] (Tue165b45f01bf.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] (Tue16c3a7ed6a67.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (Tue16c3a7ed6a67.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] (Tue16c3a7ed6a67.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] (Tue16c3a7ed6a67.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 (Tue16c3a7ed6a67.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] (Tue16c3a7ed6a67.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] (Tue16c3a7ed6a67.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 (Tue165b45f01bf.exe)
Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 1912 Tue1643024cec44eb6.exe (x2)
- 1924 powershell.exe
- 1208 (no process name recorded; repeated for all remaining entries)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes (pid, process):
- 1912 Tue1643024cec44eb6.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1924 powershell.exe
- Token: SeDebugPrivilege, 1156 Tue16c3a7ed6a67.exe
- Token: SeDebugPrivilege, 1232 Tue165b45f01bf.exe
- Token: SeDebugPrivilege, 1672 Tue16dbd9f0964.exe
- Token: SeShutdownPrivilege, 1208 (no process name recorded)

Suspicious use of FindShellTrayWindow (8 IoCs)
Processes (pid, process):
- 964 Volevo.exe.com (x3)
- 452 Volevo.exe.com (x5)

Suspicious use of SendNotifyMessage (6 IoCs)
Processes (pid, process):
- 964 Volevo.exe.com (x3)
- 452 Volevo.exe.com (x3)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid -> target pid, source process -> target process, number of recorded writes):
- 1244 -> 2148: 2aedfa0dfb06ef02b268ec62486e6f80.exe -> setup_installer.exe (7 writes)
- 2148 -> 2824: setup_installer.exe -> setup_install.exe (7 writes)
- 2824 -> 2128: setup_install.exe -> cmd.exe (7 writes)
- 2824 -> 1812: setup_install.exe -> cmd.exe (7 writes)
- 2824 -> 1560: setup_install.exe -> cmd.exe (7 writes)
- 2824 -> 1940: setup_install.exe -> cmd.exe (7 writes)
- 2824 -> 2624: setup_install.exe -> cmd.exe (7 writes)
- 2824 -> 2828: setup_install.exe -> cmd.exe (7 writes)
- 1812 -> 2788: cmd.exe -> Tue16fdfa6cf2ae0.exe (7 writes)
- 2824 -> 2800: setup_install.exe -> cmd.exe (1 write)
Processes (indentation follows the tree depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe (PID 1244)
  command line: "C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 2148)
      command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe (PID 2824)
          command line: "C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe"
          signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe (PID 2624)
              command line: C:\Windows\system32\cmd.exe /c Tue166801dd1c.exe
              signatures: Loads dropped DLL
                C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue166801dd1c.exe (PID 2460)
                  command line: Tue166801dd1c.exe
                  signatures: Executes dropped EXE; Loads dropped DLL
                    C:\Windows\SysWOW64\WerFault.exe (PID 2372)
                      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 948
                      signatures: Loads dropped DLL; Program crash
            C:\Windows\SysWOW64\cmd.exe (PID 2164)
              command line: C:\Windows\system32\cmd.exe /c Tue165b45f01bf.exe
              signatures: Loads dropped DLL
                C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue165b45f01bf.exe (PID 1232)
                  command line: Tue165b45f01bf.exe
                  signatures: Executes dropped EXE; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\cmd.exe (PID 2152)
              command line: C:\Windows\system32\cmd.exe /c Tue16b2aff6f6632f.exe
              signatures: Loads dropped DLL
            C:\Windows\SysWOW64\cmd.exe (PID 2136)
              command line: C:\Windows\system32\cmd.exe /c Tue16c3a7ed6a67.exe
              signatures: Loads dropped DLL
            C:\Windows\SysWOW64\cmd.exe (PID 2800)
              command line: C:\Windows\system32\cmd.exe /c Tue1619562504c6402.exe
              signatures: Loads dropped DLL
            C:\Windows\SysWOW64\cmd.exe (PID 2828)
              command line: C:\Windows\system32\cmd.exe /c Tue16dbd9f0964.exe
              signatures: Loads dropped DLL
            C:\Windows\SysWOW64\cmd.exe (PID 1940)
              command line: C:\Windows\system32\cmd.exe /c Tue168468791c.exe
              signatures: Loads dropped DLL
            C:\Windows\SysWOW64\WerFault.exe (PID 2264)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 432
              signatures: Loads dropped DLL; Program crash
            C:\Windows\SysWOW64\cmd.exe (PID 1560)
              command line: C:\Windows\system32\cmd.exe /c Tue1643024cec44eb6.exe
              signatures: Loads dropped DLL
            C:\Windows\SysWOW64\cmd.exe (PID 1812)
              command line: C:\Windows\system32\cmd.exe /c Tue16fdfa6cf2ae0.exe
              signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe (PID 2128)
              command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe (PID 1156)
  command line: Tue16c3a7ed6a67.exe
  signatures: Executes dropped EXE; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16b2aff6f6632f.exe (PID 2408)
  command line: Tue16b2aff6f6632f.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application
    C:\Windows\SysWOW64\dllhost.exe (PID 1324)
      command line: dllhost.exe
    C:\Windows\SysWOW64\cmd.exe (PID 1424)
      command line: cmd /c cmd < Vai.pdf
        C:\Windows\SysWOW64\cmd.exe (PID 1768)
          command line: cmd
          signatures: Loads dropped DLL

C:\Windows\SysWOW64\PING.EXE (PID 1344)
  command line: ping SFVRQGEO -n 30
  signatures: Runs ping.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com (PID 964)
  command line: Volevo.exe.com H
  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com (PID 452)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com H
      signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

C:\Windows\SysWOW64\findstr.exe (PID 1068)
  command line: findstr /V /R "^mtHoKMPFYDHibgXoaLvAaWsXCpDWIDAtGvzDsjSTgLhRLduwJPppYNJDMJFBoSWxeCBqVxQuTCkHIAkke$" Dal.pdf

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1619562504c6402.exe (PID 472)
  command line: Tue1619562504c6402.exe
  signatures: Executes dropped EXE; Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe (PID 1052)
  command line: "C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe" -a
  signatures: Executes dropped EXE; Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe (PID 1912)
  command line: Tue1643024cec44eb6.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1924)
  command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16dbd9f0964.exe (PID 1672)
  command line: Tue16dbd9f0964.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue168468791c.exe (PID 2664)
  command line: Tue168468791c.exe
  signatures: Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe (PID 2788)
  command line: Tue16fdfa6cf2ae0.exe
  signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Modify Registry (2)
  - Subvert Trust Controls (1)
    - Install Root Certificate (1)
Downloads