locky | d69be3adda5c9e44da6b9c7e3906100eb9d801e26d4436f55d38d6a1c02cad79

Analysis

max time kernel
482s
max time network
448s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Application65bbc577b4bf7.rar
Size

7.9MB
MD5

425043b149d5141589975e92a3c3475e
SHA1

308a07b116b2f46e424919d797c555bb4c066194
SHA256

d69be3adda5c9e44da6b9c7e3906100eb9d801e26d4436f55d38d6a1c02cad79
SHA512

1b069341765407d052c82c958c517b22721189e6dcb92c2625b4fa22c209bfae305783dcd3e5da9b85379d3cf1cebd7f8fb15015c28799a46b99ca27874c7523
SSDEEP

196608:22orhpx9tjnBg/FxkjvgR6esYAh7xhTuLtHmcB7a9T:ZoHxjjBQx4otsYKD80cFap

Score

10^/10

locky stealc discovery ransomware spyware stealer

Malware Config

Extracted

Family

stealc

http://109.107.182.60

Attributes

url_path
/118645f3b3a0b2f5.php

rc4.plain

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

.NET Reactor proctector 6 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/5316-110-0x0000000002520000-0x0000000002552000-memory.dmp	net_reactor
behavioral2/memory/5316-121-0x0000000004AF0000-0x0000000004B20000-memory.dmp	net_reactor
behavioral2/memory/4016-131-0x0000000004B70000-0x0000000004C10000-memory.dmp	net_reactor
behavioral2/memory/4016-134-0x0000000005220000-0x00000000052BE000-memory.dmp	net_reactor
behavioral2/memory/4016-148-0x0000000002680000-0x0000000004680000-memory.dmp	net_reactor
behavioral2/memory/4016-237-0x0000000072940000-0x00000000730F0000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 4 IoCs

Processes:

lic.exesetup.exeNKDSQLYABL.exeJUQDONRYJD.exe

pid process

4040 lic.exe
5004 setup.exe
5316 NKDSQLYABL.exe
4016 JUQDONRYJD.exe
Loads dropped DLL 2 IoCs

Processes:

RegAsm.exe

pid process

5672 RegAsm.exe
5672 RegAsm.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4040	lic.exe
5004	setup.exe
5316	NKDSQLYABL.exe
4016	JUQDONRYJD.exe

pid	process
5672	RegAsm.exe
5672	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

NKDSQLYABL.exeJUQDONRYJD.exe

description	pid	process	target process
PID 5316 set thread context of 5672	5316	NKDSQLYABL.exe	RegAsm.exe
PID 4016 set thread context of 1408	4016	JUQDONRYJD.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3604 1408 WerFault.exe RegAsm.exe
2320 1408 WerFault.exe RegAsm.exe

pid	pid_target	process	target process
3604	1408	WerFault.exe	RegAsm.exe
2320	1408	WerFault.exe	RegAsm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings cmd.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegAsm.exemsedge.exemsedge.exe

pid process

5672 RegAsm.exe
5672 RegAsm.exe
4052 msedge.exe
4052 msedge.exe
4304 msedge.exe
4304 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

3200 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

4304 msedge.exe
4304 msedge.exe
4304 msedge.exe
4304 msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	cmd.exe

pid	process
5672	RegAsm.exe
5672	RegAsm.exe
4052	msedge.exe
4052	msedge.exe
4304	msedge.exe
4304	msedge.exe

pid	process
3200	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exe7zFM.exe

description	pid	process
Token: SeRestorePrivilege	5244	7zFM.exe
Token: 35	5244	7zFM.exe
Token: SeRestorePrivilege	3200	7zFM.exe
Token: 35	3200	7zFM.exe
Token: SeSecurityPrivilege	3200	7zFM.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

7zFM.exe7zFM.exemsedge.exe

pid	process
5244	7zFM.exe
3200	7zFM.exe
3200	7zFM.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

lic.exesetup.exe

pid process

4040 lic.exe
5004 setup.exe

pid	process
4040	lic.exe
5004	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exesetup.exeNKDSQLYABL.exeJUQDONRYJD.exemsedge.exe

description	pid	process	target process
PID 5980 wrote to memory of 5244	5980	cmd.exe	7zFM.exe
PID 5980 wrote to memory of 5244	5980	cmd.exe	7zFM.exe
PID 5004 wrote to memory of 5316	5004	setup.exe	NKDSQLYABL.exe
PID 5004 wrote to memory of 5316	5004	setup.exe	NKDSQLYABL.exe
PID 5004 wrote to memory of 5316	5004	setup.exe	NKDSQLYABL.exe
PID 5004 wrote to memory of 4016	5004	setup.exe	JUQDONRYJD.exe
PID 5004 wrote to memory of 4016	5004	setup.exe	JUQDONRYJD.exe
PID 5004 wrote to memory of 4016	5004	setup.exe	JUQDONRYJD.exe
PID 5316 wrote to memory of 5672	5316	NKDSQLYABL.exe	RegAsm.exe
PID 5316 wrote to memory of 5672	5316	NKDSQLYABL.exe	RegAsm.exe
PID 5316 wrote to memory of 5672	5316	NKDSQLYABL.exe	RegAsm.exe
PID 5316 wrote to memory of 5672	5316	NKDSQLYABL.exe	RegAsm.exe
PID 5316 wrote to memory of 5672	5316	NKDSQLYABL.exe	RegAsm.exe
PID 5316 wrote to memory of 5672	5316	NKDSQLYABL.exe	RegAsm.exe
PID 5316 wrote to memory of 5672	5316	NKDSQLYABL.exe	RegAsm.exe
PID 5316 wrote to memory of 5672	5316	NKDSQLYABL.exe	RegAsm.exe
PID 5316 wrote to memory of 5672	5316	NKDSQLYABL.exe	RegAsm.exe
PID 4016 wrote to memory of 1408	4016	JUQDONRYJD.exe	RegAsm.exe
PID 4016 wrote to memory of 1408	4016	JUQDONRYJD.exe	RegAsm.exe
PID 4016 wrote to memory of 1408	4016	JUQDONRYJD.exe	RegAsm.exe
PID 4016 wrote to memory of 1408	4016	JUQDONRYJD.exe	RegAsm.exe
PID 4016 wrote to memory of 1408	4016	JUQDONRYJD.exe	RegAsm.exe
PID 4016 wrote to memory of 1408	4016	JUQDONRYJD.exe	RegAsm.exe
PID 4016 wrote to memory of 1408	4016	JUQDONRYJD.exe	RegAsm.exe
PID 4016 wrote to memory of 1408	4016	JUQDONRYJD.exe	RegAsm.exe
PID 4016 wrote to memory of 1408	4016	JUQDONRYJD.exe	RegAsm.exe
PID 5004 wrote to memory of 4304	5004	setup.exe	msedge.exe
PID 5004 wrote to memory of 4304	5004	setup.exe	msedge.exe
PID 4304 wrote to memory of 3440	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 3440	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe
PID 4304 wrote to memory of 5792	4304	msedge.exe	msedge.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Application65bbc577b4bf7.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5980

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Application65bbc577b4bf7.rar"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2916

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Application65bbc577b4bf7.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3200

C:\Users\Admin\Desktop\lic.exe
"C:\Users\Admin\Desktop\lic.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004

C:\INSTALLER\NKDSQLYABL.exe
C:\INSTALLER\NKDSQLYABL.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5672

C:\INSTALLER\JUQDONRYJD.exe
C:\INSTALLER\JUQDONRYJD.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1304
4⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1276
4⤵
- Program crash
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=UZfBnXM8WuY
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe7e9146f8,0x7ffe7e914708,0x7ffe7e914718
3⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,17764422100696325383,11670531755940212039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
3⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,17764422100696325383,11670531755940212039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,17764422100696325383,11670531755940212039,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
3⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17764422100696325383,11670531755940212039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
3⤵
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17764422100696325383,11670531755940212039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
3⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17764422100696325383,11670531755940212039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
3⤵
PID:5704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17764422100696325383,11670531755940212039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
3⤵
PID:5648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1408 -ip 1408
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1408 -ip 1408
1⤵
PID:5468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\INSTALLER\JUQDONRYJD.exe
Filesize
470KB

MD5
1b4933e50b6e756528255f230511d288

SHA1
1fc4b316d07d3d4e71cad9eef65fcb71daf080bc

SHA256
6ec07b7844078c50051812a6ca66137f9ebd1fd6b2d0f5972b55876855c8da69

SHA512
6e4ed1709ac798c0722cd03c78bd4396aafb646a8038e6020e2fa0fa9e840d029462c6fedbb33175f13213ff86af88d897de2d6c742c729d52c474f81f6d56f2

Download Submit
C:\INSTALLER\JUQDONRYJD.exe
Filesize
380KB

MD5
a6e1b2a95c23126fcb36b1f5d53582ca

SHA1
f7563ab7b09c56f484e7d7ae6d655cf7961e17bd

SHA256
e34abeec1cdde9f1e41539f505b2cd195507fcd8e13c0699621fc0d96e457770

SHA512
be90f2effb59baa2ffbef0b49a0067f59418dcf7943faaf4f95032f2279b829b790096fec957e3069322e7c9526e549a9639a36eb4a8f95ee82ed4023c29f055

Download Submit
C:\INSTALLER\NKDSQLYABL.exe
Filesize
255KB

MD5
4b77e8b0dfad7df785da1b3bbcda1350

SHA1
e5fc0c13747f096e423090b20e4e8205f59e2ee0

SHA256
fc5e0e33b0254d74bf2a8ae29846fc9a104f01f3a94541fe64b0b9f161556b14

SHA512
537df7a3f755ce78f6e63eb79d83d2bc3a0460c3ef00487d9293654dc716c362171618ffab736008afb2c468d9993d5d642440e9cc35b9a60dacfdb3e915d537

Download Submit
C:\INSTALLER\NKDSQLYABL.exe
Filesize
84KB

MD5
2705df1fb6ac6cef1fde9b73d880257e

SHA1
a963ec4b0980b73fab5e0fd20dfe29a8eba44d34

SHA256
c2b13b59b8d170dbc6eb1a4b6da6552186ec8fb4224c1c5d6eae714daaaf7533

SHA512
563e6841ac7630b919f3aff5568d0b79776e613508c02b8743a9066ca4160f4923ce9118046588e42f92b485786df4157721ed82e3ab2490c542e28977a407ae

Download Submit
C:\ProgramData\READ FAQ!!!.txt
Filesize
4KB

MD5
0744912a6b0cc3319d2ffa00832f3dd3

SHA1
5b54eb623121b63aec07a0bf1ce463b381c8a2a4

SHA256
fbba0e282def71de9b098c1710ba7fd4847fdbe541bdfddd1352019516f34fbc

SHA512
8a897f1a830b754904f5c7f77199ac3ccdc397d8d6377703a99267047cabbacb42a07dc69ac4930ea87db827d064d01bb131563a64e55876890697fd34e108ac

Download Submit
C:\ProgramData\mozglue.dll
Filesize
340KB

MD5
81f8a9c144269a180f24142df780fd5e

SHA1
58d63e96e80e292167784a9d60a08c640d97c5a3

SHA256
bf8152c20cb8df55748acaed9e65d2b9134c76e309596b93e61e1c2921eff6cd

SHA512
a84b5b7b5e632ded0eb05127f165ee3ec735aebb8fc65cb798416858131080240c56f5b57c75e583a94cf6f7d2e40bfffd3b05a17271444a598beb17fc14ec45

Download Submit
C:\ProgramData\mozglue.dll
Filesize
266KB

MD5
49488e446aa1729b621458445dc5ad6b

SHA1
befdd4c8e930f4f571b751a0d0a3383e06196a02

SHA256
3638aa747bc53859ad5ac37cb76d023363f07da06cf7ce0ed0e29054bda02782

SHA512
d9e4332e7fdeeb764dd224bae24b2e4ead9328fe9e88f73df77a699efbf4033f95b7dfcf5b2a2c683411793d1beb506ebd84f8a5489ea880db80bb4f6fe5215c

Download Submit
C:\ProgramData\nss3.dll
Filesize
370KB

MD5
612b4c246efdd2db53a3e4dbe2a617bb

SHA1
44d239591931d187fe5181f44187802c7617bbd6

SHA256
230d89bec179689e1a130dce4ca6d83788456359b065be0b054f619c5d2a82e7

SHA512
88a4fbbfdf3c0ac61649625dd69cd9f3f171832cb19717ef3935bb3b481d6eca1c8c3d04bb776a2534123ada178159d1ecf11a9f5f4c5a6e8fa6ca78cd5371aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
432B

MD5
7a0ee9cc382e0f350d3a9107d725ddf1

SHA1
736dfc777dff4b75a80e1314db9e5c4ad1db1441

SHA256
6b1f7bd2d3bb48990a33ffdce496de689011c9e826303f113db8134aef1ac2cd

SHA512
1b9d5114184120de10f76467cfa387185d791a37227aaf8baff4c55d4a7e0fe801a073e4df9c0591fdd348ac4c29c5c97d212899f565f495c699dc1a08c87dc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
220c374131feecb0e262716e77655462

SHA1
b490c432f7e30c00501dcb19e6b40cab5419368c

SHA256
476bb60f29833749d732c1b5f3a6535aff117e002405b41010c5e212327aabb3

SHA512
00f06c1e6f8322adadcd5b8a437c0213d2f5b331e81a179e5c4e865355b3e89ff72946dbcab15b4ecbc525d4a820b22a753e024e368b3a41dc2bb117f7d6f8ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7cd49bdbff152ba0fb8f0501404f9575

SHA1
c4d883ef8d42c1df13c85fd6cfcaca9ed8d3192f

SHA256
da222c3b9e5af8e8ce432afc1806cebf9aaa3e339b3145b015ce4ac5150e0aa5

SHA512
23e0fd3ac5283d1c6abf33f5ebc97f7b68192e0b3e44cb68e76ac0bcbd2b7f7fd3ccd0aebeae774fe1b0d73110596bba5a23c2794ab0fb0108cd09559caca3f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
00e01903d4bc9633b415c369c8cdde1c

SHA1
7a20ad048e20e38f428b3883152852157beed0da

SHA256
617d4b6ef43fef9115e7d55ae912b9ef8de44bb935deb5a15e7063d28b6d5425

SHA512
2a475814b61ee1bfee1a905f8ceff4905c032f091ec16f2c903263de6346b8a210eff43839f9be58ead9d49eac958f2a2701a5e4ec00c3dbdc360655da8966f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
da501e07c2e4f0c56da44d46d614a406

SHA1
9624e765801de7e06f8df24ef37a54ac21297c65

SHA256
801e3e8abcaa2e4101192ab3f30c4fd1cc9a3c688df4e1cc33234d975a17aac0

SHA512
db90caa2a15943bbc197446fed2598dfe230ca0d5e0f0a40501a4b8bc02be3027dc5a53a4b72cd2926e68372b68dd26dd5cdfe741f0de1efce1ea70adc7df1ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
f14b0092dad1ac96fd0318c58be70a33

SHA1
11f997590c57154603ad0d4a6b24a38d2d17effc

SHA256
aa050c95f6fc8c7a7e0d2636059aae25c25cb62572dfcdc5d398dee415e622de

SHA512
9790b0b6fb3ce2ca87a5a4dd449b31ec0243631bfba9e433def0a96704bd12a4567ce154726f5c6adabbfb45cb012a6ba11bae1ea3e3ee4342beee5e05fdea0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5ad497.TMP
Filesize
89B

MD5
51eed1d01c4e415e36260f0d6cf02fda

SHA1
cfb3a0fc23fa564acb23f59026a1ef8a8799b4af

SHA256
299e5aa53f51e3b24e09c4e7abd3ce9be291f6d7859bd5a8a7f87a5074b690df

SHA512
26257abe98d547f6726acd02c9dc0d3d3c047a974933c9ded8a9af64dd39e2b3472642bdd9df144781283a4a29180576f339266de87e5edfb77fb33d3a462eec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
45dc450f38a6285cd4b4e42695d2d0c1

SHA1
e881d70e47b724417ee291c185974efffb8dba66

SHA256
4b5ba7b77e8f6a5acdf2a8efb086d1875c627267ff97ba3d05cb620764f1da34

SHA512
0b2d9f223bfca4d943c48e302784f8ae8399507a21a121aa4808443452419d6859a41ae6399602a416a8d66983493a7da5c994209a8de08b05120805449928f8

Download Submit
C:\Users\Admin\Desktop\data\data.dat
Filesize
1.2MB

MD5
f2d3bcb9a38dfa4a90daccb9ca2a3b54

SHA1
7867f9902cd17d7af4e6a671a6e50c3dfd3ef9ad

SHA256
f073ec203af3d6f8aeddcd8e0c2cc003009224fc3b3c5545eb3add89bcab0890

SHA512
c3411d08305b6c46cfb1d1faa5e280e3a202859c54b2f4fa8383544085d8a13ec6ba2ff31bc8ba7719152ec5de9e03bc8170e73b04b9a76b54c9136ac8fe9186

Download Submit
C:\Users\Admin\Desktop\data\program.PNG
Filesize
696KB

MD5
a3d4494188555fd642820346806fd1d8

SHA1
53a37fb21d1fdc91cdea14721eeecac83cc2825c

SHA256
ace20dad2b8ef82a5f8674afc8e9ca05f5f3f63efc798d66b43eb7124dc802ca

SHA512
a4265bf8fb50fbdb1b13b3d03126b2ec354cbd4c0ee9baa51911700e1be73753f549b1a8cdace269b674afaab04b03f545a2a383f3fd8a0b7898b8498a4a25e4

Download Submit
C:\Users\Admin\Desktop\lic.exe
Filesize
2.1MB

MD5
0d47674bffc6c77d6b8c1f764a17d09e

SHA1
3c93deb431f547eddab92e4b6475ee45d66ddfdf

SHA256
d92d3e69f07de4d6c022dff7e83ea92bd736b6a1a6b236cd1ac6ad81e401dace

SHA512
0be9dc1c4f76f6ef0bcaadd051642e8b5ec63e70ceccdca6f10dac92cce10b5bbf55429b5a5507c5b931efc75f70a25c352e130d93bfc4b4d8c7fda6dc3b4527

Download Submit
C:\Users\Admin\Desktop\lic.exe
Filesize
1.5MB

MD5
0936fe53f87cd5f3b8a45c8a9d74b9a4

SHA1
45202fdcd585974eceb2d9226fbe606213dad9fd

SHA256
598c4b1c981fb5d7272bf6c5a4a16582e8fff17dbdce4fd44a5f6318b448ce21

SHA512
09c2f721c1430c79b8a1ce000daf9578780ab40ce5e25f43a0ef087fa8c862bd22102346b8d5f39cd3d6adb1150feaf03be988937fff429bd2550d427a6b163e

Download Submit
C:\Users\Admin\Desktop\setup.exe
Filesize
5.6MB

MD5
2ea048b7326f6b626a4f93826e4a659f

SHA1
dd2c7b12839df3202b1c11a4728b41cebe9fe006

SHA256
86641e9960c89b23e3b99ca6957f037b091fca22b672f6ed8a6299793cd5fb49

SHA512
51b977350515c8734c02c9b3ef4f9324adbc0ca3c4a1cd067af25bf190c5e8c79f34b8ae64c008769c9887de836247cb620eac8a6120269a23eb1b22b20ae29c

Download Submit
C:\Users\Admin\Desktop\setup.exe
Filesize
6.2MB

MD5
60071184edc1b743bae78356a4803f17

SHA1
9f458058dbb944717d6f60a23f4dab320ab0ae56

SHA256
0475eedf158c8fdd8b26b39e366a626f78256bb2e10e9cac8d2686338c3dc402

SHA512
52623c9f1a26d9cea1a064b2256c4b0a3aba16474c06ee6bda42489ab09c90a56cc5edd7d2ba8505e0d03c8d8a3611c33c5bb1105eb9cb0cda624a64e24919b1

Download Submit
\??\pipe\LOCAL\crashpad_4304_AVXAGPTDJCLIFPVU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1408-147-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1408-231-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1408-151-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1408-152-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1408-144-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4016-141-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/4016-237-0x0000000072940000-0x00000000730F0000-memory.dmp

Filesize
7.7MB

Download
memory/4016-138-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/4016-136-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/4016-131-0x0000000004B70000-0x0000000004C10000-memory.dmp

Filesize
640KB

Download
memory/4016-143-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/4016-134-0x0000000005220000-0x00000000052BE000-memory.dmp

Filesize
632KB

Download
memory/4016-150-0x0000000072940000-0x00000000730F0000-memory.dmp

Filesize
7.7MB

Download
memory/4016-148-0x0000000002680000-0x0000000004680000-memory.dmp

Filesize
32.0MB

Download
memory/4040-113-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/4040-441-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/4040-104-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/4040-115-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4040-90-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4040-440-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/5004-236-0x0000000000580000-0x0000000001BCC000-memory.dmp

Filesize
22.3MB

Download
memory/5004-242-0x0000000000580000-0x0000000001BCC000-memory.dmp

Filesize
22.3MB

Download
memory/5004-93-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/5004-276-0x0000000000580000-0x0000000001BCC000-memory.dmp

Filesize
22.3MB

Download
memory/5004-105-0x0000000000580000-0x0000000001BCC000-memory.dmp

Filesize
22.3MB

Download
memory/5004-234-0x0000000000580000-0x0000000001BCC000-memory.dmp

Filesize
22.3MB

Download
memory/5004-201-0x0000000000580000-0x0000000001BCC000-memory.dmp

Filesize
22.3MB

Download
memory/5004-127-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/5004-239-0x0000000000580000-0x0000000001BCC000-memory.dmp

Filesize
22.3MB

Download
memory/5004-244-0x0000000000580000-0x0000000001BCC000-memory.dmp

Filesize
22.3MB

Download
memory/5316-118-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/5316-110-0x0000000002520000-0x0000000002552000-memory.dmp

Filesize
200KB

Download
memory/5316-112-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/5316-135-0x0000000002580000-0x0000000004580000-memory.dmp

Filesize
32.0MB

Download
memory/5316-139-0x0000000072940000-0x00000000730F0000-memory.dmp

Filesize
7.7MB

Download
memory/5316-111-0x0000000072940000-0x00000000730F0000-memory.dmp

Filesize
7.7MB

Download
memory/5316-114-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/5316-116-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/5316-121-0x0000000004AF0000-0x0000000004B20000-memory.dmp

Filesize
192KB

Download
memory/5672-137-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/5672-128-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/5672-132-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/5672-232-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/5672-153-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download