9b6394b0d1da147c5c718ebf3aba211ce2d4aefc63eb0dc80ed5cfc0db269bcd

Analysis

max time kernel
133s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cmd_fw_installer_138430009_eb.exe
Size

5.4MB
MD5

b48216dca6f745a40645248384659fdd
SHA1

3bc265e7282bfb5c63be6cc73a2b7aad9a060904
SHA256

9b6394b0d1da147c5c718ebf3aba211ce2d4aefc63eb0dc80ed5cfc0db269bcd
SHA512

488fbd2b606c4f829b0ec05217b7d9be687cb885b988bc7cdcf7e1d61da2ef06fc422646696e24c2a1c1a63d793bda2293204037bd5a0178a673c00e91b226ec
SSDEEP

98304:n3oeoi7dSeyJ6A89FbeCD25kvriejkx9sZjMK6vx6IF/M8aWzBWcPNkNzt9e:n3oeoYSeyJ6vnKCD25kvmeh6vFF//aFU

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 36 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam	cmdinstall_138430009_eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options	cmdinstall_138430009_eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS\Data	cmdinstall_138430009_eb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\UsageStatHost	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data	cmdinstall.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS\Options\Proxy	cmdinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	cmdinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer\Instance	cmdinstall.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer\Instance\{48222F79-874D-414E-9563-03C664764923} = "2660"	cmdinstall.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS\DbgTrace\cmdinstall_138430009_eb	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam	cmdinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer	cmdinstall.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer	cmdinstall.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\VolatileData	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS\Data	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options	cmdinstall_138430009_eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\UsageStatHost = "cmc.comodo.com"	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS\DbgTrace\cmdinstall	cmdinstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS\Data\CmcWindowsVersion = "{\"release_id\":0,\"build\":0,\"ubr\":0,\"major\":1}"	cmdinstall_138430009_eb.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer	cmdinstall.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Testing purposes	cmdinstall_138430009_eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer\Instance	cmdinstall_138430009_eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer\Instance\{48222F79-874D-414E-9563-03C664764923} = "1696"	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS\Options\Proxy	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS\Options	cmdinstall_138430009_eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\InstallerName = "cfwinstallerx64"	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Testing purposes	cmdinstall.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\VolatileData	cmdinstall.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS\Data	cmdinstall.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer\EnableLogging	cmdinstall_138430009_eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	cmdinstall_138430009_eb.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS\Data	cmdinstall_138430009_eb.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	cmdinstall.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	cmdinstall.exe
File opened (read-only)	\??\U:	cmdinstall.exe
File opened (read-only)	\??\W:	cmdinstall.exe
File opened (read-only)	\??\O:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\Q:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\T:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\X:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\G:	cmdinstall.exe
File opened (read-only)	\??\I:	cmdinstall.exe
File opened (read-only)	\??\M:	cmdinstall.exe
File opened (read-only)	\??\P:	cmdinstall.exe
File opened (read-only)	\??\B:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\B:	cmdinstall.exe
File opened (read-only)	\??\V:	cmdinstall.exe
File opened (read-only)	\??\G:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\T:	cmdinstall.exe
File opened (read-only)	\??\S:	cmdinstall.exe
File opened (read-only)	\??\A:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\I:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\K:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\M:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\N:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\W:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\R:	cmdinstall.exe
File opened (read-only)	\??\Y:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\Y:	cmdinstall.exe
File opened (read-only)	\??\L:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\R:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\Z:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\Q:	cmdinstall.exe
File opened (read-only)	\??\J:	cmdinstall.exe
File opened (read-only)	\??\L:	cmdinstall.exe
File opened (read-only)	\??\O:	cmdinstall.exe
File opened (read-only)	\??\E:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\H:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\U:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\V:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\H:	cmdinstall.exe
File opened (read-only)	\??\S:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\J:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\E:	cmdinstall.exe
File opened (read-only)	\??\N:	cmdinstall.exe
File opened (read-only)	\??\X:	cmdinstall.exe
File opened (read-only)	\??\Z:	cmdinstall.exe
File opened (read-only)	\??\P:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\A:	cmdinstall.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	cmdinstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	cmdinstall_138430009_eb.exe

Executes dropped EXE 2 IoCs

pid	Process
2660	cmdinstall.exe
1696	cmdinstall_138430009_eb.exe

Loads dropped DLL 4 IoCs

pid	Process
2896	cmd_fw_installer_138430009_eb.exe
2660	cmdinstall.exe
1696	cmdinstall_138430009_eb.exe
1696	cmdinstall_138430009_eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	cmdinstall_138430009_eb.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b19000000010000001000000082218ffb91733e64136be5719f57c3a1040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be034140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	cmdinstall.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	cmdinstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	cmdinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cmdinstall.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	cmdinstall.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTcbPrivilege	2660	cmdinstall.exe
Token: SeTcbPrivilege	1696	cmdinstall_138430009_eb.exe
Token: SeDebugPrivilege	1696	cmdinstall_138430009_eb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2896	cmd_fw_installer_138430009_eb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1696	cmdinstall_138430009_eb.exe
1696	cmdinstall_138430009_eb.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2660	2896	cmd_fw_installer_138430009_eb.exe	28
PID 2896 wrote to memory of 2660	2896	cmd_fw_installer_138430009_eb.exe	28
PID 2896 wrote to memory of 2660	2896	cmd_fw_installer_138430009_eb.exe	28
PID 2896 wrote to memory of 2660	2896	cmd_fw_installer_138430009_eb.exe	28
PID 2896 wrote to memory of 2660	2896	cmd_fw_installer_138430009_eb.exe	28
PID 2896 wrote to memory of 2660	2896	cmd_fw_installer_138430009_eb.exe	28
PID 2896 wrote to memory of 2660	2896	cmd_fw_installer_138430009_eb.exe	28
PID 2660 wrote to memory of 1696	2660	cmdinstall.exe	29
PID 2660 wrote to memory of 1696	2660	cmdinstall.exe	29
PID 2660 wrote to memory of 1696	2660	cmdinstall.exe	29
PID 2660 wrote to memory of 1696	2660	cmdinstall.exe	29
PID 2660 wrote to memory of 1696	2660	cmdinstall.exe	29
PID 2660 wrote to memory of 1696	2660	cmdinstall.exe	29
PID 2660 wrote to memory of 1696	2660	cmdinstall.exe	29

C:\Users\Admin\AppData\Local\Temp\cmd_fw_installer_138430009_eb.exe
"C:\Users\Admin\AppData\Local\Temp\cmd_fw_installer_138430009_eb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe" -log -setupname "cmd_fw_installer_138430009_eb.exe" -sfx "C:\Users\Admin\AppData\Local\Temp" -theme lycia -type web -mode cfwfree
  2⤵
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall_138430009_eb.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall_138430009_eb.exe" -log -theme "lycia" -setupname "cmd_fw_installer_138430009_eb.exe" -type "web" -mode "cfwfree" -sfx "C:\Users\Admin\AppData\Local\Temp" -logfile "C:\Users\Admin\AppData\Local\Temp\\cmdinstall.exe_24-02-22_23.02.26.log" -parent 2660 "Admin" 1136
    3⤵
    - Checks for any installed AV software in registry
    - Enumerates connected drives
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Comodo Downloader\cis\download\installs\8050\installer_data\binaries\files_info.dat

Filesize
34KB

MD5
f42c56a1f750bdf43155a2aee0f1407c

SHA1
0929dd9594fccffe5e7e43ea33a5eb6467afab0b

SHA256
86e8a71d1327fe5f26901c8a7d10bac322dce1ff621e1339db9c7b6ab905244c

SHA512
31dc56d6455391a0075ab59d438335c9d38da43e1ef974bcdf14be059d63d48f8a8f7a1f6cd9eb5e790519a3824f59387abafef48417bbeb74e34b526646b8d9

Download Submit
C:\ProgramData\Comodo Downloader\cis\download\installs\installer_data\installer_init.xml.tmp

Filesize
20KB

MD5
06c0057d77fc4789b1428dd6710cd5ab

SHA1
660445d67f92e84ee9aa96a7aa6cd50ba43148ca

SHA256
e3a998c06b37cec5570409e0714af72a1a936759b4420adf1b0dfaf43bb7218e

SHA512
497a86bd35149465ef3ce3d7b483a3d4950475963a9cc20075f4f92a54b05fbffa97b537b256c9bcc31a3a20f4229d33ceed45f6bd30fc9057cf879bbb368a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5F26A2159BA21EA573A1C5E3DE2CF211_7541962669C96CEAB06421EC12621007

Filesize
766B

MD5
2e5fa4187fb6415eecc96ad803ef7a1f

SHA1
68b78c4f61f4d520b33f57cafea093af55d908b7

SHA256
b062016459e7153d726d2c02b9cce214725a628a07750b54478e9ff30fe0e6c3

SHA512
bc01349a89f2ef26f38e9eb075eaf6a11c34a0fe52a493d3b24d1d79ce81e797e5588e5e67dc32efc73a6f3a173c7f6e05de25f39e28217744d0702ae0d91b13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_941A5BE5FAF3230B9FC294754AF2A1C3

Filesize
509B

MD5
fea8620759cc1b00f3bb49e396daf6ce

SHA1
1858314388b1a18502a21d96acf2461057512e0a

SHA256
d55895833630c4627a1a796bb8c276ec08ef9c385ccea58b5b6c77186602efa2

SHA512
33d7131b3a8f71c7c2f8defe2ac9f83f1b3e8cf64aa68109c3c991d4daa0941d5f1a15b929dcbf899d2f21448a6b5e4981f06eb7c149af1af8dc759f8c4d7532

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5F26A2159BA21EA573A1C5E3DE2CF211_7541962669C96CEAB06421EC12621007

Filesize
484B

MD5
004b012f81369f0904188d00ff55a46d

SHA1
243296a84888fb39dee7c6992bfe3636df0cb970

SHA256
edb45099d01318e2464ee0e0b45ddfb07c0d8b7a667226c6b30b7cb8bc6d4963

SHA512
63fabe8abe2f0d601d5d668ccf3395e63e7ec02dc8758d32de7b22a6df9e157c00cc6f8691b559a6ed23144c0788fabda5f0054fc75263b65556122f1665f801

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_941A5BE5FAF3230B9FC294754AF2A1C3

Filesize
490B

MD5
f5cc5a633c71dca6a726ec6f6e37beb9

SHA1
b920292a3bc3ed1dec967996e1ccc93eb9d81399

SHA256
19417d7490d2e28a458e5d00c805aeaea8169f4fdc25a093a54ecf4128d82e6c

SHA512
7823b26098b9818ffa3c3b92dfc6c2fb4a489eab036bba74c9e8de2339611774851ce91b59dee9cfc2d892a5f898a34408e4d88a250e0d7addff899383e4da1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d52fb0f61424196805715e06a2ae3d2a

SHA1
262d27d1c4becb71929ec0c95c603481112e5be0

SHA256
d697d9d49e88ba58cd234972c4605f862f07ea65b8a5b3c1a8bd600def85dda6

SHA512
9a605c94809a8f60a63fffb156f00a7100877280b1af11b10af4508741b1eeff9c339200a8cd265bb3c1873ce8da0f02db17656691a997e3730dbdd17ee67aab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a7082394aa13d0f4d9a1b097594d29d

SHA1
ec871a030e2597e3fe621e0d7a0889e3258fa73f

SHA256
9656585b835bcd8618c8a05870708b0cf05f3479a9b44b857a6c589a71ad6327

SHA512
79a35689a500bbf4a3418c4916124bb6cbaa275d3ecc2dbd6aeb66fa213743cb2a38e1bf85854c6f097bf477343ff67f693e33888f98af48a63dfb7ceb0b6689

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdhtml.dll

Filesize
1.7MB

MD5
f90177244159a1851797a61c6c2d086c

SHA1
c90ac646a58c828d8aad43f873311f72374b68a2

SHA256
c955ce483e494ce07fe4fd38e08a523729f9cb3e22f4ad29fdf040cbb1b693e6

SHA512
1c6f4fd6fd6cdc7c92cb745817b44196ad8638648c7fc7aec12a1607177bc7bf5d3529224ee05e628d0fac21e2496e61760c274138c884fe1ff1735359f1116f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe

Filesize
3.4MB

MD5
0cbacd45075b383e88649045d1c8dbfe

SHA1
130b519d7375a5ad42a0201258451594ddc02acd

SHA256
1864547526db852f96d9b534240337f0696e1b8f4c449007227cc50321d2a807

SHA512
e94bdaf0436ca0080a6052c5054fe2f9b6aa57338a91932a2b89328e6832217d9c230fa594a20c6c0419c5645a2493817e6258307d77fe641547bff6429d74a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe

Filesize
192KB

MD5
e67b620c5a5deb3476de9e0237f73130

SHA1
2138fea56e5efc05662803375bd7853bee4bf037

SHA256
4d9b2c861874883974b49849374dd21c9248bdda27cc2a7584e9a3fbd9858963

SHA512
abbe1df643ac91a883f50d2ff13bc7bacbdb82be32549079811892a0f169b66acfc64c049710a9459f34ecdf7938937fb209c908e46e126ebe7f434b046df33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe

Filesize
105KB

MD5
f4d5edee6921a1e46f878c6add19bd66

SHA1
ba5e7cc4908b5dc6d8c9287141e11db2b0314a8d

SHA256
fcc2d8a8289f5ac2c22b9ee1ed428c35a824ee1180ce33ada601ccef9195b48d

SHA512
39db45e73ab01e12a3652d5c4b3ddd29245aff2a0d902ac7df296b1bf18f7d131c61790e1cc0eff51268439a819b07fa55b1bce67bffb7f13d43f73daac329f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall_138430009_eb.exe

Filesize
5.7MB

MD5
74cf93a3d559a630911fc94568b99e1e

SHA1
a5f164154e164174c715e493f440b1935ec53af8

SHA256
fe82eb2103b177370e742aee40a2b840805516ff23867f6b9bd3655a401eb50b

SHA512
c000d512e270d7f89058fe52a3ecfac6f60462eed21b134ebb57640cc6425e7ece9b6ce683acc666d8358875c8d621497a8e3eb95b4ad72311efb9d12c03100a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdres.dll

Filesize
367KB

MD5
a4b3e07a9d407bca7a0ed76ea7c4945f

SHA1
af16d87110e2f9e64d5c35a6d522151b69377bbc

SHA256
b115a17e7500dbc34cce1f8e84a59f072a26ad49be5dcde6ac5908e4d2ad3555

SHA512
77c6ba298f5bd4c04192660d365d2a45ecb23fa441818735bd01050677037e1976670dcb457b6684343fbccb02a6fcfd98f22ae9f2de263057157917ee28d981

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer_langdata.bin

Filesize
5KB

MD5
b80eda6258e28b537651f8e5ebd997ff

SHA1
826741e138e8342f4bc3303838e347a44bb93546

SHA256
6e960dfed451c2dfb99352d25d3df8dd46fe7d80c9af79805c0cfbd1a99a2709

SHA512
9fce1cb5fe8b6a2bc4d13c1ca3ec31c926c6dd33717f145da6952ae33144eb11a6ee9e751e1d3e2d5d6ce7768e9f9602773a917d9f5f8473670e6d631b932b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\themes\ilycia.set

Filesize
764KB

MD5
7b85f91536c8342ac64d3edece2af7fe

SHA1
1e28c62364f606f03078e985222a2e3400a483c6

SHA256
918e7aad857776a895ecdf850665c355026882bcf1e0eba279ff4f7aa4b6bbae

SHA512
42cbaca95018eba8b05d3d586dbe8537ec1130af9edd813c4e7affef88c804a4ae65d9a446a95326508cd21da03a7e6a7969f6de5a68e69ce86c827f4308ac5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9530.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9552.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmdinstall.exe_24-02-22_23.02.26.log

Filesize
10KB

MD5
bf18e953106e63d544db964ab22afb19

SHA1
b1da8eb5dfb77064c5ae1e87a1054fc79d2137d8

SHA256
5cb8c0138e3b1e80f0c4403d93f568ee7b6447b9c55c4692e4afa3e2dc797eaf

SHA512
bcece36f565c12401185febcaff1aa99cad02c860695ee8dc15551a2848d6510c91617aed67f629861c7fbc260fb38287ee260c0511b2d000dc8af5220a60d3a

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.dll

Filesize
277KB

MD5
7baac18fb157c76574ca3d7a2f5eb193

SHA1
6460577ce621fa28133096073376f6a88f8acd61

SHA256
347144ae998d96c6b8664abf56f3ff8cfa4dcdfd6e13205d7e8ee2f3b77eefc2

SHA512
513cc213da81db470f8675c29162f4b724bb92a690edd451025eb68588971eebb937f88cc5a659222f2bbbd99440aa56800bf4167bb8912ea87a0b2648b002ea

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdhtml.dll

Filesize
4.2MB

MD5
6d9aa26bb18af69dc74ae8e822eb53dd

SHA1
6ef20da9b9e70afa742f047f1c6f9d3e58290450

SHA256
cf140523b8834de1c37efa29b02adcdc88babc0f8ee90ba93dd98c260d7036c3

SHA512
3a9e8f15d207e98bb182f8d1838e93dba9750e6cfc79b72aab0706f969866447e50b3ab28bc1768a7cac7e7733cde80085cabcefefae0d287f08374578935c36

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe

Filesize
640KB

MD5
93abd7a54285f664238b5e2a582ddf85

SHA1
0c530782df2d17180e43224433dd5cb919658eb4

SHA256
2bcf201b387b5c36f669e3442606d362f9792fd84ff4fed957256b9d2856179e

SHA512
fc41464652a16ed7b61461c4bfc80481b15539367c7ade0543ae0fa69eb4f90a764300dff49e8da93f9c44fea9eecc44a9a6014e41b00cc4df5bcaf6edf270ae

Download Submit
memory/1696-1798-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads