96500feac0ecb51d9b546fbc960351b79ca8841ebbcdecebb25a913b3f0be3f9

Analysis

max time kernel
186s
max time network
194s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
02/02/2024, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

backup.exe
Size

27.7MB
MD5

a49142418f2f305a43622c38db40a739
SHA1

74f0f4f880d57913986b42fff073e4a343b4ab5e
SHA256

96500feac0ecb51d9b546fbc960351b79ca8841ebbcdecebb25a913b3f0be3f9
SHA512

5f85fed73525b94af63d4088d09d9883a14da903ce6cac4ad0b4e743880a50d878b6a66828cc65d478b04343953c350343302a01707813dcee4d3ddd36061455
SSDEEP

786432:mZUdM3MQzJ3KBzcY87AwyKSuJJW81og1:m2M3MQzJ3K9E7AwykWcog

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 29 IoCs

pid	Process
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe
4132	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001acb4-1078.dat	upx
behavioral1/memory/4132-1082-0x00007FFE0EA20000-0x00007FFE0EE86000-memory.dmp	upx
behavioral1/files/0x000600000001ac62-1089.dat	upx
behavioral1/files/0x000600000001ac6b-1094.dat	upx
behavioral1/memory/4132-1096-0x00007FFE13820000-0x00007FFE1382F000-memory.dmp	upx
behavioral1/files/0x000600000001acb8-1095.dat	upx
behavioral1/files/0x000600000001ac67-1092.dat	upx
behavioral1/files/0x000600000001ac9b-1087.dat	upx
behavioral1/memory/4132-1088-0x00007FFE0F6D0000-0x00007FFE0F6F4000-memory.dmp	upx
behavioral1/files/0x000600000001ac64-1085.dat	upx
behavioral1/files/0x000600000001acb3-1099.dat	upx
behavioral1/memory/4132-1101-0x00007FFE0F350000-0x00007FFE0F369000-memory.dmp	upx
behavioral1/files/0x000600000001ac6a-1102.dat	upx
behavioral1/memory/4132-1103-0x00007FFE0F6B0000-0x00007FFE0F6C8000-memory.dmp	upx
behavioral1/files/0x000600000001acb7-1105.dat	upx
behavioral1/memory/4132-1109-0x00007FFE11C80000-0x00007FFE11C8D000-memory.dmp	upx
behavioral1/files/0x000600000001acb6-1110.dat	upx
behavioral1/memory/4132-1113-0x00007FFE0F2E0000-0x00007FFE0F30E000-memory.dmp	upx
behavioral1/memory/4132-1112-0x00007FFE0F310000-0x00007FFE0F345000-memory.dmp	upx
behavioral1/files/0x000600000001acc2-1116.dat	upx
behavioral1/memory/4132-1117-0x00007FFE0F150000-0x00007FFE0F20C000-memory.dmp	upx
behavioral1/memory/4132-1118-0x00007FFE0F2B0000-0x00007FFE0F2DB000-memory.dmp	upx
behavioral1/memory/4132-1114-0x00007FFE0F6A0000-0x00007FFE0F6AD000-memory.dmp	upx
behavioral1/memory/4132-1098-0x00007FFE0F430000-0x00007FFE0F45C000-memory.dmp	upx
behavioral1/files/0x000600000001ac9a-1121.dat	upx
behavioral1/files/0x000600000001ac9c-1123.dat	upx
behavioral1/files/0x000600000001ac6c-1120.dat	upx
behavioral1/memory/4132-1126-0x00007FFE0F280000-0x00007FFE0F2AE000-memory.dmp	upx
behavioral1/memory/4132-1127-0x00007FFE0F090000-0x00007FFE0F148000-memory.dmp	upx
behavioral1/memory/4132-1128-0x00007FFDFF040000-0x00007FFDFF3B9000-memory.dmp	upx
behavioral1/files/0x000600000001ac60-1131.dat	upx
behavioral1/memory/4132-1134-0x00007FFE0F260000-0x00007FFE0F274000-memory.dmp	upx
behavioral1/files/0x000600000001ac69-1133.dat	upx
behavioral1/memory/4132-1137-0x00007FFE0F080000-0x00007FFE0F090000-memory.dmp	upx
behavioral1/files/0x000600000001ac6d-1138.dat	upx
behavioral1/files/0x000600000001acb9-1140.dat	upx
behavioral1/files/0x000600000001acb9-1143.dat	upx
behavioral1/memory/4132-1144-0x00007FFE0CE40000-0x00007FFE0CFD7000-memory.dmp	upx
behavioral1/memory/4132-1145-0x00007FFDFEE60000-0x00007FFDFF036000-memory.dmp	upx
behavioral1/files/0x000600000001acba-1142.dat	upx
behavioral1/memory/4132-1146-0x00007FFE0F060000-0x00007FFE0F076000-memory.dmp	upx
behavioral1/files/0x000600000001acba-1141.dat	upx
behavioral1/files/0x000600000001ac57-1148.dat	upx
behavioral1/memory/4132-1150-0x00007FFDFEC00000-0x00007FFDFEE54000-memory.dmp	upx
behavioral1/files/0x000600000001acbd-1151.dat	upx
behavioral1/memory/4132-1153-0x00007FFE0EA20000-0x00007FFE0EE86000-memory.dmp	upx
behavioral1/memory/4132-1154-0x00007FFE0F6D0000-0x00007FFE0F6F4000-memory.dmp	upx
behavioral1/memory/4132-1155-0x00007FFDFDD40000-0x00007FFDFEBF2000-memory.dmp	upx
behavioral1/files/0x000600000001ac66-1156.dat	upx
behavioral1/memory/4132-1161-0x00007FFE0F350000-0x00007FFE0F369000-memory.dmp	upx
behavioral1/memory/4132-1162-0x00007FFE0F040000-0x00007FFE0F055000-memory.dmp	upx
behavioral1/memory/4132-1166-0x00007FFE0EA20000-0x00007FFE0EE86000-memory.dmp	upx
behavioral1/memory/4132-1167-0x00007FFE0F6D0000-0x00007FFE0F6F4000-memory.dmp	upx
behavioral1/memory/4132-1178-0x00007FFE0F280000-0x00007FFE0F2AE000-memory.dmp	upx
behavioral1/memory/4132-1179-0x00007FFE0F090000-0x00007FFE0F148000-memory.dmp	upx
behavioral1/memory/4132-1180-0x00007FFDFF040000-0x00007FFDFF3B9000-memory.dmp	upx
behavioral1/memory/4132-1181-0x00007FFE0F260000-0x00007FFE0F274000-memory.dmp	upx
behavioral1/memory/4132-1183-0x00007FFE0F060000-0x00007FFE0F076000-memory.dmp	upx
behavioral1/memory/4132-1184-0x00007FFE0CE40000-0x00007FFE0CFD7000-memory.dmp	upx
behavioral1/memory/4132-1185-0x00007FFDFEE60000-0x00007FFDFF036000-memory.dmp	upx
behavioral1/memory/4132-1186-0x00007FFDFEC00000-0x00007FFDFEE54000-memory.dmp	upx
behavioral1/memory/4132-1187-0x00007FFDFDD40000-0x00007FFDFEBF2000-memory.dmp	upx
behavioral1/files/0x000600000001acca-1189.dat	upx
behavioral1/memory/4132-1193-0x00007FFE0EFE0000-0x00007FFE0F023000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	discord.com
4	discord.com
12	discord.com

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2043086938"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2043086938"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000089891e0716f62f439c10c1e3593a9758000000000200000000001066000000010000200000002f996006197304cba74308a95b2d3a862490920ed789c2da9607c09b2eda71a6000000000e8000000002000020000000efeaaba6e77d8f64a84f2556a8e6796d8c3bbce23c3d011f0b355faf0f5152e5200000002aadf663b2f22ea69f1c8ad6a2d898bad60be73fd1d6cd68077b5f041c4eac6b4000000036397f3075cdcfd8f175cab305d430a796948bcdf36d01db38ef61d3383b9ec5fdde11f1eb1012075b3018770f45fead9f14d23e740375ffa5e934de75017152	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e06fdf7ba055da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A55ACAC6-C193-11EE-9D1D-4E2C1743BD6E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30498f7aa055da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31085984"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000089891e0716f62f439c10c1e3593a975800000000020000000000106600000001000020000000aa09a69ec81cf2e04f4fec9ebe447f55f2e30259a855ab859aebb63173f8f137000000000e80000000020000200000004cd9805a950d6e5b685cc509895f1b60198d89f94a31369fe38c7f46a8acf1dd20000000e0a7babae49b1b3473bb57e5914234bef017898d5432cce6a2a158802af6f625400000004d2778b780273f7a281ac532989fb56f8ca782be97d78b411d44ec4e8aabd103a20a8db8b8492523bd0ae4820363675629222499831977ea184dbb07deaba910	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31085984"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	backup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	backup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	backup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 5c000000010000000400000000080000040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f19000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	backup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4776	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4776	iexplore.exe
4776	iexplore.exe
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4132	4604	backup.exe	73
PID 4604 wrote to memory of 4132	4604	backup.exe	73
PID 4132 wrote to memory of 3820	4132	backup.exe	74
PID 4132 wrote to memory of 3820	4132	backup.exe	74
PID 4776 wrote to memory of 4884	4776	iexplore.exe	77
PID 4776 wrote to memory of 4884	4776	iexplore.exe	77
PID 4776 wrote to memory of 4884	4776	iexplore.exe	77

C:\Users\Admin\AppData\Local\Temp\backup.exe
"C:\Users\Admin\AppData\Local\Temp\backup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\backup.exe"
  2⤵
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RestoreSwitch.mht
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4776 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI46042\PIL\_imaging.cp310-win_amd64.pyd

Filesize
735KB

MD5
3cad7cd6aa6fdfd1128d99b073cb5c34

SHA1
ac5fd1bde9e001ffa007b976ae4378d04945efad

SHA256
3fd3124f221d81a96c409f4c6aa7d471363f117975856a93217661195a62c7ff

SHA512
18a6fbdf4ca3f4a6f73757afbd9a5cf1eedf72a9a1786e33e9e0e506e0c934ca4b477b832b1ed804df32b52b47d03fa61ff9d396581626a2bc367695fc04f16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_bz2.pyd

Filesize
47KB

MD5
146882055f62fa941b35ceaf55ec62e3

SHA1
01aca05e26fdc818cc2299caf253746029514f57

SHA256
e8b4347a15269e3b823db9c180cc42936190c6663d6f07ad27e98177258f4879

SHA512
ddd326fde279d57384867f6aa1e94b1fb6a8383caa75e4169225bde1aeff0bddd8d173ca4fa968ff96c6a973977f93cbaeffdbde250e923802f70a51bc40fe88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_hashlib.pyd

Filesize
35KB

MD5
35793590b768e741ddc149e52c2e5b2b

SHA1
5a76c4c9caa7892552db3b67234554cb6d4a4c06

SHA256
c1f576d7cbacd6a62cd95671726e2cb146f4e0e8d1b58d082cdb6c776671cc85

SHA512
92426cc79dcddab6fdc8f375ea309d3d56c33696fb8512dff6a4a0bd72b163bfb04a83a149fb73869af95a79c5b28a03b92704a256be38d527df9eedc56e6fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_queue.pyd

Filesize
25KB

MD5
7129a7f1ae6ae6f919c0298cec7d142a

SHA1
42ccf00f1489fcce2ba1426d4537bc2e05f4d079

SHA256
24c2537424983e14704e41cc00ed66b5bb1523148e988987bebf956134217414

SHA512
2d66b01505d83e48e85103f77b8426bda266e1ae423f86cd6b787c6d9671fbc65cc9ca3b58708ebfc32246b2f2e6e337706c5733e93b51450c97c987d94b38b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\_tkinter.pyd

Filesize
38KB

MD5
d99f37b06794aadd3f8dc82950bf51f6

SHA1
4a239125c0f3dd30446ad674d52fea206130a5de

SHA256
80cca4913b9624220260d4ab485b1b702389eadc2a4802ca5c4a7858c7460967

SHA512
f14740a569db084fa768b509a0e982f6c55c855e2255e7ecda2322f8ac93c871972bb47b886ab7406f2f87e2276ef0e54e142c243cbb232f41b03e614fac205e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\base_library.zip

Filesize
1.0MB

MD5
9d779f0f155b831bb3138a4fb56e5fa0

SHA1
8a310faaa9749757babbec5b812bccdddd646c9c

SHA256
20e98e2c791d969a833ef79d911034afdf517f02c36ee7d60b9f6d451d126929

SHA512
8ed5a8e8645ac42325211ae9e46d8610d39d90ac51c5e44c87b5eb2c393d67b898905c2603b9a0d87322998d65642952149ebb3955af9e110d8aa0fe4f673b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\libcrypto-1_1.dll

Filesize
1.1MB

MD5
8cf5810399c71627ac0a8e354fd7e4c6

SHA1
d7d74b934511702a1d1418fb50d0430936969d80

SHA256
279a58735cd7888cf313dd72c1f997184b4d3a3cce0634705109c561335d02e6

SHA512
370611fba6feb7a2374c3637c13d59ee916f3a056238a89b1f42a38f4d102e882616c130d5653dc1cec215c77d867d35688d2bdb5987f12210307c7714aebe27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\pyexpat.pyd

Filesize
87KB

MD5
fd76e7a46d6096107ac445c2d36780f2

SHA1
a8c9615c7a50df0f2b8d2bba579506d1f25ac1a6

SHA256
5c3892d9040970ba49621b0615c091b20458e12a26aeaaa93676c9aa018c3b33

SHA512
9a57ffcf02af1d89b4bdeb23d35126ad52d1d5fb9c7623f7e7688e26cc94b04d9fc0499d3e1d29322d2a4689d0c0e4e2817466339f269abd4be35c1e436bb2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\python310.dll

Filesize
1.4MB

MD5
d8724b3aea1dd1e6dbc7a7c67036403d

SHA1
956c728a154ef201f65e800630af7df817f2470e

SHA256
e7b0263596bb437881805be35117b896f450bebc9deee30126efa02c5c8c567e

SHA512
9da5ca02351c09ee99b2be60a0e88f0e49d43c2c19d122e69a213aefe7b4c4f89950bddbbb678d712309239cc5f1a916ffd5bc2bb33ebde11e1fdd98cb82a52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\pywin32_system32\pythoncom310.dll

Filesize
193KB

MD5
94f9a7b80ddcbc0623be6e796ce119bd

SHA1
49a29ee4054dd8c2547c065b651102705024593d

SHA256
43f57b57e3e8666f52a7f6525cf107ca8b685c582a111e6891e23fd4742a502b

SHA512
c2be1ac0bcfabfb331e67b9652bc02ab40a22c8c6bad053d646773a1ecdc4cbe57b4f024602ec48e1214110fa56191a6cf732de1c0871226c9462a25b15d7aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\pywin32_system32\pywintypes310.dll

Filesize
62KB

MD5
4834c005c00a4ea31e940da3e2c75354

SHA1
cac4d010d0ee8b9d87106b4a5f1f1b63ce91bdfc

SHA256
2dc712b833e26819296ae2918cf297a1efabb37e5802a6738aa3a12906861e02

SHA512
368b98894049b8fa77bd7ce2a3fecb949f53bd39f0927828e97e2f77ec9ada056a1ee426d456c126537d4205aabf55867a0710ea3bf6539baca5c73f86242a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\select.pyd

Filesize
25KB

MD5
ab2e74e38b6d52556fd2fcba83addf2b

SHA1
555d21b349492fa93ceda2125bc8d2cfda17549d

SHA256
97ec1943ae449591463ad078c535163d330ec1d0efd76ae3b15835b9f32c4018

SHA512
4d7c602cf3c91a38532e5f86cafb07ddf9487627a251cae05b53fcb2c73c7d8a464a584b51500e32c0eacfdf6ac64b59b17741d545413515549b48c4d9b6239f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\tcl86t.dll

Filesize
672KB

MD5
41516ac18982d2084885c978cfaaf450

SHA1
093436e307b7d25f94f110cf1fd32a691469edc6

SHA256
dd5959c24728bc1407a584d6d951299817009ac9f4bfe152bd898fb264701a2f

SHA512
f39d9a2635fcef64c71921e913f49ad24d8a7ccd8fa9fe95a9b7f00a89978c25cf03fd4ed62780ec5b43b1fe5685fde1a491fa01f55ff9c0b2020899cf0f8adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\tcl\encoding\cp1252.enc

Filesize
1KB

MD5
e9117326c06fee02c478027cb625c7d8

SHA1
2ed4092d573289925a5b71625cf43cc82b901daf

SHA256
741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

SHA512
d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\tk86t.dll

Filesize
620KB

MD5
254ccf220b63c67149b33bd3caacf750

SHA1
779bc7caa824d8282096f776e89fef3e82dd4e27

SHA256
8ec383af255ff32bf597d14bdbc959aac77ac6de910bfd824f682ecc158197ac

SHA512
63240a203d0b937bdde1e282f13255876fc5d75123c2eb3aa5685549f8a3429fc5cab1c653055fc7651bbfc705936f0300171ba35d1818b45b1f9a4b830b3405

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\tls_client\dependencies\tls-client-64.dll

Filesize
3.9MB

MD5
2511079db3f92edb4f5de3fe83bc9547

SHA1
d6eb563d67892460307438dcef85daf387f70706

SHA256
a92f1ed1a91fe53ed753c19610794e9b757680ec4fc0c25a8bdabb7551e2307e

SHA512
30906e17047ee14f1ddafa698c7c8125fe798538c3ca6bd6e3b89197f10017955f8e8d16f8c6243a07e55612fab5e103c5313c584fbb5c253ab58d662a7bba3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\ucrtbase.dll

Filesize
987KB

MD5
4787d6a587a04513ec60770af6ace5eb

SHA1
da64c5819d1a497077cf70492cff3fc820313294

SHA256
106d96ebb4435aab3d5147f1de1e0b3a2e68b3b23229a084b3149941633aa248

SHA512
95f6fc61cfb99ee80c788331289026e29234ed7e664e154a09dc51b60eeccd79d3f7bb56a106769676f8cc02983ad6c9bc8b9f47eb23aa5e7e701b3386ab6a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46042\yaml\_yaml.cp310-win_amd64.pyd

Filesize
79KB

MD5
3cef4d3e320e824b545d5aeca8dfd345

SHA1
ee952033f7b69416448725391f83e4616b977f3a

SHA256
74b375914481ba8bbbae2f44687574cd7a8652ceeee57a6272dc0793a556a6fb

SHA512
d52ebfa414669098a7d589850dc602706f85dc31a910d5912f87cdbf882934031a72f51082513c91787907a23a0c7aa1083f974ae71fc3f91174b1febb36934a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\VCRUNTIME140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\_asyncio.pyd

Filesize
35KB

MD5
058fbedc41227aaf2af0e65589df6b03

SHA1
2b512080fec234c6e98c56fbe3b728dea74061dc

SHA256
04264316a0aaaba43e1d7b6261ac2bacd106794112adc9b135eb63ba7b60e686

SHA512
04a0d492b071dbb11840f11fcf95bb16a33454d3e819f23a64bb136257f7b5b8f0d03f95923c721aa571ac402967162a03983b85330dc0dc189b066afdeda96d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\_ctypes.pyd

Filesize
58KB

MD5
a4ebf775c6b4155430e2c0c45938736d

SHA1
2699bcb98e002fddd5e952b233804f6e1350f03a

SHA256
d6a0f0f86902788750ce789d6389ba3320d4a5d317cf181298f0781f8cc0d14c

SHA512
673c5d2965460ae6eb8257dd67e439b793445d50038443f6650c4e9f2aa3e2e40832a8209fdca35ed8a59d90f46252536d393dade707aa318c709133b027e2fb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\_lzma.pyd

Filesize
85KB

MD5
400f029fcc720eb760183be18e3a7d10

SHA1
f774f2dca2d3271b920c19483f66b039193280e0

SHA256
cd936fe80e65861567cec25dd211caea01ef2936ee37606408a991fd06e53e3a

SHA512
618c9309f8cfc9516eaa990e54f9f75422d9de94c4a4d465a2e34cb115acbbaf3ce8454192351745cdf8024be67fd8e582bea236d951a8a778889a537d1ea6ac

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\_overlapped.pyd

Filesize
31KB

MD5
fb509e98aca11f4dc9ebb55c81ec823b

SHA1
0353d86eb7189875247806610f6fdcf127f5edb9

SHA256
1ca88e54a03ffc3f4381fa47b80b81453961a1c51eaeeee67ef4bcbcf6cd54bc

SHA512
419df8c93bb7d9f610af6a26312c0faeb38b3b93081fc1dd6f881803d2baa5bc659b05565e92c2656a74f6feb43e93647f09a2eec3722121f00249a4f1cf8e58

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\_socket.pyd

Filesize
42KB

MD5
1689ba01c74f48f4816d02b091ff3444

SHA1
a0dec7c734ab5cdea49f60008f12cfe66ed85181

SHA256
8dc7509f1b866c22636868a7d7ecaa9ae7b9474b6cd3145ff989b5b245ea44cb

SHA512
994b54c996357de14e4a34f69d47b4c6736f421130e68ea67272b0ffcd44ab9bf380ea4dd1d83ac25d29db62d991407d8f7619c343bb13ac239d8e02cab25308

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\_ssl.pyd

Filesize
62KB

MD5
adb0dfa8a2e30bfbd06c657fd327f044

SHA1
587a7dbdcee26c62ccddccc77d37db7a7e1717d5

SHA256
403c8acaf788829ceac7e5026f80ba3bbdb17b4189e82c4819af83d87a7f2701

SHA512
4e8ee43d678671736b1754bf441787458850ca82552a2a3014c53e3d92b0941a1ab67c468763c334c12b957b2b27227685f4b4828fa129220b3a978848b6dae2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\_uuid.pyd

Filesize
24KB

MD5
b68c98113c8e7e83af56ba98ff3ac84a

SHA1
448938564559570b269e05e745d9c52ecda37154

SHA256
990586f2a2ba00d48b59bdd03d3c223b8e9fb7d7fab6d414bac2833eb1241ca2

SHA512
33c69199cba8e58e235b96684346e748a17cc7f03fc068cfa8a7ec7b5f9f6fa90d90b5cdb43285abf8b4108e71098d4e87fb0d06b28e2132357964b3eea3a4f8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\libffi-7.dll

Filesize
23KB

MD5
3e91e70021fcbe76c38d87a62f9f424f

SHA1
067d8076aba98177bc1aaaf0102ac5ed411f8312

SHA256
e2880494d9509fb0314fc77ab4c9a68a39cdb8a0a24838d04d4ac252fa12f270

SHA512
7908116d924c1b5a424a5d998caa5f21587a622b3a1811293406b331934cc57077fe078e3e62ea471db37c59e108bba4e285e1caaa54a4e4ceb71c04382c649a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\libssl-1_1.dll

Filesize
204KB

MD5
d07feb06c94612c5f934108778dc622d

SHA1
473a4a3d6674c534cd6df59f720c9f847e04af68

SHA256
5a40ed810016249ca62e4f715d96da751b6ffe3997c653ad0a3d186f968203da

SHA512
303a8f4d6dd5d0abbc9bca838817df6feab965c4861ecccaf0e664dd5b7a2912ef1965bcfa0b9c87faa2b322d4f8586cfa567b3b30eb94587c73780963e415a7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\tcl86t.dll

Filesize
192KB

MD5
5dd41eed3382cc0fdbbcddb27b9c6a1a

SHA1
9ff38b599fe99c3c4980916b7dd105a8f6fb55bd

SHA256
4a16caae152eac4a66b077c6c437c1b24b7dabe686413cbc5efc2b4acaeb9d55

SHA512
5e781a8ae89fff058beb40eafe85ab2269ef1d9ee7cd29891511a35a5a0c2a351570bac8d45abdfff4d80bf15f85bcc79c5b94873ab18ee5ad29c5f5544e7681

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\tk86t.dll

Filesize
320KB

MD5
deb27a5e8c567cc9670928b26e122b38

SHA1
a9271e6b38fa4a403e6f28c8b4ef3201456ad923

SHA256
ff8a0152516792009843f7378efcfce471d1fa6f4fe9757a80ff8ded5107fd9d

SHA512
7aa5f2d95f31f8e270f5728f48ee9364f2e92eb5877912472f6b09ce676202b25081932af7a9797d7b7891de704a2acba73e019ed29d76eb81b36c4a553718a3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI46042\win32\win32api.pyd

Filesize
48KB

MD5
4de3f5e30d9c378ad545eb01450da7f5

SHA1
effbbb776bd64b9aef4134b7475675c77a646e8d

SHA256
bc28f70df94e15fbc3bcc23097ca68609786c2b0ed063aa3da6b0c071e0ca03c

SHA512
3a2a8044235eb4e40c14fc13ce68d68885971c707c2b7966f64c0e1cce51c5535eb3e56d8ac2770cd5e2e1a6e3133cb4b2456831a2610af1c235deffbc9bef50

Download Submit
memory/4132-1117-0x00007FFE0F150000-0x00007FFE0F20C000-memory.dmp

Filesize
752KB

Download
memory/4132-1183-0x00007FFE0F060000-0x00007FFE0F076000-memory.dmp

Filesize
88KB

Download
memory/4132-1129-0x00000245D6D20000-0x00000245D7099000-memory.dmp

Filesize
3.5MB

Download
memory/4132-1127-0x00007FFE0F090000-0x00007FFE0F148000-memory.dmp

Filesize
736KB

Download
memory/4132-1134-0x00007FFE0F260000-0x00007FFE0F274000-memory.dmp

Filesize
80KB

Download
memory/4132-1126-0x00007FFE0F280000-0x00007FFE0F2AE000-memory.dmp

Filesize
184KB

Download
memory/4132-1137-0x00007FFE0F080000-0x00007FFE0F090000-memory.dmp

Filesize
64KB

Download
memory/4132-1098-0x00007FFE0F430000-0x00007FFE0F45C000-memory.dmp

Filesize
176KB

Download
memory/4132-1114-0x00007FFE0F6A0000-0x00007FFE0F6AD000-memory.dmp

Filesize
52KB

Download
memory/4132-1118-0x00007FFE0F2B0000-0x00007FFE0F2DB000-memory.dmp

Filesize
172KB

Download
memory/4132-1144-0x00007FFE0CE40000-0x00007FFE0CFD7000-memory.dmp

Filesize
1.6MB

Download
memory/4132-1145-0x00007FFDFEE60000-0x00007FFDFF036000-memory.dmp

Filesize
1.8MB

Download
memory/4132-1112-0x00007FFE0F310000-0x00007FFE0F345000-memory.dmp

Filesize
212KB

Download
memory/4132-1146-0x00007FFE0F060000-0x00007FFE0F076000-memory.dmp

Filesize
88KB

Download
memory/4132-1113-0x00007FFE0F2E0000-0x00007FFE0F30E000-memory.dmp

Filesize
184KB

Download
memory/4132-1109-0x00007FFE11C80000-0x00007FFE11C8D000-memory.dmp

Filesize
52KB

Download
memory/4132-1103-0x00007FFE0F6B0000-0x00007FFE0F6C8000-memory.dmp

Filesize
96KB

Download
memory/4132-1150-0x00007FFDFEC00000-0x00007FFDFEE54000-memory.dmp

Filesize
2.3MB

Download
memory/4132-1101-0x00007FFE0F350000-0x00007FFE0F369000-memory.dmp

Filesize
100KB

Download
memory/4132-1153-0x00007FFE0EA20000-0x00007FFE0EE86000-memory.dmp

Filesize
4.4MB

Download
memory/4132-1154-0x00007FFE0F6D0000-0x00007FFE0F6F4000-memory.dmp

Filesize
144KB

Download
memory/4132-1155-0x00007FFDFDD40000-0x00007FFDFEBF2000-memory.dmp

Filesize
14.7MB

Download
memory/4132-1088-0x00007FFE0F6D0000-0x00007FFE0F6F4000-memory.dmp

Filesize
144KB

Download
memory/4132-1161-0x00007FFE0F350000-0x00007FFE0F369000-memory.dmp

Filesize
100KB

Download
memory/4132-1162-0x00007FFE0F040000-0x00007FFE0F055000-memory.dmp

Filesize
84KB

Download
memory/4132-1096-0x00007FFE13820000-0x00007FFE1382F000-memory.dmp

Filesize
60KB

Download
memory/4132-1165-0x00000245D6D20000-0x00000245D7099000-memory.dmp

Filesize
3.5MB

Download
memory/4132-1166-0x00007FFE0EA20000-0x00007FFE0EE86000-memory.dmp

Filesize
4.4MB

Download
memory/4132-1167-0x00007FFE0F6D0000-0x00007FFE0F6F4000-memory.dmp

Filesize
144KB

Download
memory/4132-1178-0x00007FFE0F280000-0x00007FFE0F2AE000-memory.dmp

Filesize
184KB

Download
memory/4132-1179-0x00007FFE0F090000-0x00007FFE0F148000-memory.dmp

Filesize
736KB

Download
memory/4132-1180-0x00007FFDFF040000-0x00007FFDFF3B9000-memory.dmp

Filesize
3.5MB

Download
memory/4132-1181-0x00007FFE0F260000-0x00007FFE0F274000-memory.dmp

Filesize
80KB

Download
memory/4132-1128-0x00007FFDFF040000-0x00007FFDFF3B9000-memory.dmp

Filesize
3.5MB

Download
memory/4132-1184-0x00007FFE0CE40000-0x00007FFE0CFD7000-memory.dmp

Filesize
1.6MB

Download
memory/4132-1185-0x00007FFDFEE60000-0x00007FFDFF036000-memory.dmp

Filesize
1.8MB

Download
memory/4132-1186-0x00007FFDFEC00000-0x00007FFDFEE54000-memory.dmp

Filesize
2.3MB

Download
memory/4132-1187-0x00007FFDFDD40000-0x00007FFDFEBF2000-memory.dmp

Filesize
14.7MB

Download
memory/4132-1082-0x00007FFE0EA20000-0x00007FFE0EE86000-memory.dmp

Filesize
4.4MB

Download
memory/4132-1193-0x00007FFE0EFE0000-0x00007FFE0F023000-memory.dmp

Filesize
268KB

Download
memory/4132-1194-0x00007FFE0EA20000-0x00007FFE0EE86000-memory.dmp

Filesize
4.4MB

Download
memory/4132-1215-0x00007FFDFDD40000-0x00007FFDFEBF2000-memory.dmp

Filesize
14.7MB

Download
memory/4132-1218-0x00007FFE0EA20000-0x00007FFE0EE86000-memory.dmp

Filesize
4.4MB

Download
memory/4132-1217-0x00007FFE0EFE0000-0x00007FFE0F023000-memory.dmp

Filesize
268KB

Download
memory/4132-1220-0x00007FFE13820000-0x00007FFE1382F000-memory.dmp

Filesize
60KB

Download
memory/4132-1219-0x00007FFE0F6D0000-0x00007FFE0F6F4000-memory.dmp

Filesize
144KB

Download
memory/4132-1223-0x00007FFE0F350000-0x00007FFE0F369000-memory.dmp

Filesize
100KB

Download
memory/4132-1222-0x00007FFE0F430000-0x00007FFE0F45C000-memory.dmp

Filesize
176KB

Download
memory/4132-1227-0x00007FFE0F2E0000-0x00007FFE0F30E000-memory.dmp

Filesize
184KB

Download
memory/4132-1228-0x00007FFE0F150000-0x00007FFE0F20C000-memory.dmp

Filesize
752KB

Download
memory/4132-1225-0x00007FFE0F310000-0x00007FFE0F345000-memory.dmp

Filesize
212KB

Download
memory/4132-1226-0x00007FFE0F6A0000-0x00007FFE0F6AD000-memory.dmp

Filesize
52KB

Download
memory/4132-1224-0x00007FFE11C80000-0x00007FFE11C8D000-memory.dmp

Filesize
52KB

Download
memory/4132-1230-0x00007FFE0F280000-0x00007FFE0F2AE000-memory.dmp

Filesize
184KB

Download
memory/4132-1231-0x00007FFE0F090000-0x00007FFE0F148000-memory.dmp

Filesize
736KB

Download
memory/4132-1232-0x00007FFDFF040000-0x00007FFDFF3B9000-memory.dmp

Filesize
3.5MB

Download
memory/4132-1229-0x00007FFE0F2B0000-0x00007FFE0F2DB000-memory.dmp

Filesize
172KB

Download
memory/4132-1221-0x00007FFE0F6B0000-0x00007FFE0F6C8000-memory.dmp

Filesize
96KB

Download
memory/4132-1233-0x00007FFE0F260000-0x00007FFE0F274000-memory.dmp

Filesize
80KB

Download
memory/4132-1234-0x00007FFE0F080000-0x00007FFE0F090000-memory.dmp

Filesize
64KB

Download
memory/4132-1242-0x00007FFE0F060000-0x00007FFE0F076000-memory.dmp

Filesize
88KB

Download
memory/4132-1243-0x00007FFE0CE40000-0x00007FFE0CFD7000-memory.dmp

Filesize
1.6MB

Download
memory/4132-1244-0x00007FFDFEC00000-0x00007FFDFEE54000-memory.dmp

Filesize
2.3MB

Download
memory/4132-1245-0x00007FFDFDD40000-0x00007FFDFEBF2000-memory.dmp

Filesize
14.7MB

Download
memory/4132-1246-0x00007FFE0F040000-0x00007FFE0F055000-memory.dmp

Filesize
84KB

Download
memory/4132-1247-0x00007FFDFEE60000-0x00007FFDFF036000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads