cryptbot | ba15a8b7d1ecc6348ee4806b0903afdf5917a595a909ce529e85cacd197c6e77

Resubmissions

10-04-2024 04:40

240410-fa2mesgd4v 10

09-04-2024 17:09

240409-vpkd1sdb73 10

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

3.9MB
MD5

7ae4349cc7e8c98084c05e2085b56645
SHA1

db7a339d5731471435450be094ba711ca7194685
SHA256

b89fdf606986324fa9260f434dc1561d716985d0886fba180b88f3afb9dec729
SHA512

5196ac4aa9ca69c342fa5a391f011881db608600cbfbfb4ae1391477ec59aa83846c955ed73573a09828b7b574a5a0b07e19871245ac19518c03480b9fc8ec3d
SSDEEP

98304:xaCvLUBsgxkKH8DBAPbT7J7go2i2JjQCQ+gHhjPrLi:x7LUCgSKH84zGo2i2Jc1BHi

Malware Config

Extracted

Family

nullmixer

http://marisana.xyz/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.171/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.185

Extracted

Family

redline

Botnet

pab3

185.215.113.15:61506

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

vidar

Version

Botnet

706

https://lenak513.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

cryptbot

knurxh28.top

moraku02.top

Attributes

payload_url
http://sargym03.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 6 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2416-389-0x0000000003FE0000-0x0000000004083000-memory.dmp	family_cryptbot
behavioral3/memory/2416-390-0x0000000003FE0000-0x0000000004083000-memory.dmp	family_cryptbot
behavioral3/memory/2416-391-0x0000000003FE0000-0x0000000004083000-memory.dmp	family_cryptbot
behavioral3/memory/2416-392-0x0000000003FE0000-0x0000000004083000-memory.dmp	family_cryptbot
behavioral3/memory/2416-411-0x0000000003FE0000-0x0000000004083000-memory.dmp	family_cryptbot
behavioral3/memory/2416-646-0x0000000003FE0000-0x0000000004083000-memory.dmp	family_cryptbot

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2764-133-0x0000000003310000-0x0000000003332000-memory.dmp	family_redline
behavioral3/memory/2764-145-0x0000000004DC0000-0x0000000004DE0000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2764-133-0x0000000003310000-0x0000000003332000-memory.dmp	family_sectoprat
behavioral3/memory/2764-145-0x0000000004DC0000-0x0000000004DE0000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/2220-147-0x0000000002D20000-0x0000000002DBD000-memory.dmp	family_vidar
behavioral3/memory/2220-152-0x0000000000400000-0x0000000002D1A000-memory.dmp	family_vidar
behavioral3/memory/2220-379-0x0000000000400000-0x0000000002D1A000-memory.dmp	family_vidar

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\libstdc++-6.dll	aspack_v212_v242

Executes dropped EXE 13 IoCs

Processes:

setup_install.exeTue19301d0ee47f9.exeTue1928d87039b3a61.exeTue19519844d595cb.exeTue1911a97ae09.exeTue1931cb6307cc71e4.exeTue19167b39532817c6.exeTue19301d0ee47f9.exeTue19638bb08519f.exeTue195f40779b28e9814.exeTue190a6b23f5160050.exeVolevo.exe.comVolevo.exe.com

pid	process
2656	setup_install.exe
2896	Tue19301d0ee47f9.exe
2664	Tue1928d87039b3a61.exe
2696	Tue19519844d595cb.exe
2764	Tue1911a97ae09.exe
808	Tue1931cb6307cc71e4.exe
2904	Tue19167b39532817c6.exe
1840	Tue19301d0ee47f9.exe
2220	Tue19638bb08519f.exe
1016	Tue195f40779b28e9814.exe
1504	Tue190a6b23f5160050.exe
688	Volevo.exe.com
2416	Volevo.exe.com

Loads dropped DLL 52 IoCs

Processes:

setup_installer.exesetup_install.execmd.execmd.exeTue19301d0ee47f9.execmd.execmd.execmd.exeTue1911a97ae09.execmd.exeTue1931cb6307cc71e4.execmd.execmd.exeTue19638bb08519f.exeTue195f40779b28e9814.exeTue19301d0ee47f9.execmd.exeTue190a6b23f5160050.execmd.exeVolevo.exe.comWerFault.exeWerFault.exe

pid	process
2792	setup_installer.exe
2792	setup_installer.exe
2792	setup_installer.exe
2656	setup_install.exe
2656	setup_install.exe
2656	setup_install.exe
2656	setup_install.exe
2656	setup_install.exe
2656	setup_install.exe
2656	setup_install.exe
2656	setup_install.exe
2456	cmd.exe
2456	cmd.exe
2032	cmd.exe
2896	Tue19301d0ee47f9.exe
2896	Tue19301d0ee47f9.exe
2512	cmd.exe
2892	cmd.exe
2892	cmd.exe
2508	cmd.exe
2764	Tue1911a97ae09.exe
2764	Tue1911a97ae09.exe
2476	cmd.exe
2476	cmd.exe
808	Tue1931cb6307cc71e4.exe
808	Tue1931cb6307cc71e4.exe
2896	Tue19301d0ee47f9.exe
2572	cmd.exe
2572	cmd.exe
2888	cmd.exe
2220	Tue19638bb08519f.exe
2220	Tue19638bb08519f.exe
1016	Tue195f40779b28e9814.exe
1016	Tue195f40779b28e9814.exe
1840	Tue19301d0ee47f9.exe
1840	Tue19301d0ee47f9.exe
1904	cmd.exe
1504	Tue190a6b23f5160050.exe
1504	Tue190a6b23f5160050.exe
1920	cmd.exe
688	Volevo.exe.com
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Tue190a6b23f5160050.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Tue190a6b23f5160050.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

27 iplogger.org
28 iplogger.org
35 iplogger.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

380 2656 WerFault.exe setup_install.exe
1308 2220 WerFault.exe Tue19638bb08519f.exe

flow	ioc
27	iplogger.org
28	iplogger.org
35	iplogger.org

pid	pid_target	process	target process
380	2656	WerFault.exe	setup_install.exe
1308	2220	WerFault.exe	Tue19638bb08519f.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Tue1931cb6307cc71e4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue1931cb6307cc71e4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue1931cb6307cc71e4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue1931cb6307cc71e4.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Volevo.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Volevo.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Volevo.exe.com

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Tue19167b39532817c6.exeTue19519844d595cb.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue19167b39532817c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Tue19519844d595cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Tue19519844d595cb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Tue19519844d595cb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Tue19519844d595cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Tue19167b39532817c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue19167b39532817c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Tue19519844d595cb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Tue19519844d595cb.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

540 PING.EXE

pid	process
540	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Tue1931cb6307cc71e4.exepowershell.exe

pid	process
808	Tue1931cb6307cc71e4.exe
808	Tue1931cb6307cc71e4.exe
2632	powershell.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Tue1931cb6307cc71e4.exe

pid process

808 Tue1931cb6307cc71e4.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Tue19167b39532817c6.exeTue19519844d595cb.exepowershell.exeTue1911a97ae09.exe

description	pid	process
Token: SeDebugPrivilege	2904	Tue19167b39532817c6.exe
Token: SeDebugPrivilege	2696	Tue19519844d595cb.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2764	Tue1911a97ae09.exe
Token: SeShutdownPrivilege	1204

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Volevo.exe.comVolevo.exe.com

pid	process
688	Volevo.exe.com
688	Volevo.exe.com
688	Volevo.exe.com
2416	Volevo.exe.com
2416	Volevo.exe.com
2416	Volevo.exe.com
2416	Volevo.exe.com
2416	Volevo.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Volevo.exe.comVolevo.exe.com

pid process

688 Volevo.exe.com
688 Volevo.exe.com
688 Volevo.exe.com
2416 Volevo.exe.com
2416 Volevo.exe.com
2416 Volevo.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_installer.exesetup_install.execmd.exe

description	pid	process	target process
PID 2792 wrote to memory of 2656	2792	setup_installer.exe	setup_install.exe
PID 2792 wrote to memory of 2656	2792	setup_installer.exe	setup_install.exe
PID 2792 wrote to memory of 2656	2792	setup_installer.exe	setup_install.exe
PID 2792 wrote to memory of 2656	2792	setup_installer.exe	setup_install.exe
PID 2792 wrote to memory of 2656	2792	setup_installer.exe	setup_install.exe
PID 2792 wrote to memory of 2656	2792	setup_installer.exe	setup_install.exe
PID 2792 wrote to memory of 2656	2792	setup_installer.exe	setup_install.exe
PID 2656 wrote to memory of 2448	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2448	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2448	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2448	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2448	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2448	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2448	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2456	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2456	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2456	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2456	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2456	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2456	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2456	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2476	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2476	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2476	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2476	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2476	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2476	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2476	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2512	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2512	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2512	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2512	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2512	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2512	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2512	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2572	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2572	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2572	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2572	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2572	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2572	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2572	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2892	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2892	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2892	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2892	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2892	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2892	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2892	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2888	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2888	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2888	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2888	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2888	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2888	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2888	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2032	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2032	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2032	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2032	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2032	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2032	2656	setup_install.exe	cmd.exe
PID 2656 wrote to memory of 2032	2656	setup_install.exe	cmd.exe
PID 2456 wrote to memory of 2896	2456	cmd.exe	Tue19301d0ee47f9.exe

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
3⤵
PID:2448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19301d0ee47f9.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue19301d0ee47f9.exe
Tue19301d0ee47f9.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896

C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue19301d0ee47f9.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue19301d0ee47f9.exe" -a
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1931cb6307cc71e4.exe
3⤵
- Loads dropped DLL
PID:2476

C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue1931cb6307cc71e4.exe
Tue1931cb6307cc71e4.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1928d87039b3a61.exe
3⤵
- Loads dropped DLL
PID:2512

C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue1928d87039b3a61.exe
Tue1928d87039b3a61.exe
4⤵
- Executes dropped EXE
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19638bb08519f.exe
3⤵
- Loads dropped DLL
PID:2572

C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue19638bb08519f.exe
Tue19638bb08519f.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 948
5⤵
- Loads dropped DLL
- Program crash
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1911a97ae09.exe
3⤵
- Loads dropped DLL
PID:2892

C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue1911a97ae09.exe
Tue1911a97ae09.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue195f40779b28e9814.exe
3⤵
- Loads dropped DLL
PID:2888

C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue195f40779b28e9814.exe
Tue195f40779b28e9814.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19519844d595cb.exe
3⤵
- Loads dropped DLL
PID:2032

C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue19519844d595cb.exe
Tue19519844d595cb.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue190a6b23f5160050.exe
3⤵
- Loads dropped DLL
PID:1904

C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue190a6b23f5160050.exe
Tue190a6b23f5160050.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1504

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
5⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Vai.pdf
5⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
- Loads dropped DLL
PID:1920

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^mtHoKMPFYDHibgXoaLvAaWsXCpDWIDAtGvzDsjSTgLhRLduwJPppYNJDMJFBoSWxeCBqVxQuTCkHIAkke$" Dal.pdf
7⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com
Volevo.exe.com H
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:688

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com H
8⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2416

C:\Windows\SysWOW64\PING.EXE
ping QGTQZTRE -n 30
7⤵
- Runs ping.exe
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue19167b39532817c6.exe
3⤵
- Loads dropped DLL
PID:2508

C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue19167b39532817c6.exe
Tue19167b39532817c6.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 432
3⤵
- Loads dropped DLL
- Program crash
PID:380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a3030cd1c851bfc97d7b2199ab0aaeb3

SHA1
0e3b9f5dd780417cce3abb1541a9ab66a2c03b3a

SHA256
508c928b5586b74ba4ff52201506d1d38cae6744f69a972226dc668b7eeab667

SHA512
80eb5f975b559cc0f31afee5af115902011b8f38f134b5504d244ea93b50ac6291fc677a0db0647c7043dd57706d810ed405e37c3fdaa5ec59735362e7ac35ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue190a6b23f5160050.exe
Filesize
1.4MB

MD5
0191b0583174ce0d1d8dc75601e4d056

SHA1
ec3cbf979a5df64903cb7a825aa640d82075d839

SHA256
01d11314c2c047a01b4159aa32b9afa3f3b7e3fc3b3ea46476c85346f3887949

SHA512
d24f647615a63291854de256e210c6e02f12619f85e694a9027e1969d708c415cf6234a43fae9376bf5788a5f27973ccf159e89b32fc54ab313ba0d720740e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue1911a97ae09.exe
Filesize
279KB

MD5
af23965c3e2673940b70f436bb45f766

SHA1
ccc8b03ea8c568f1b333458cff3f156898fc29f7

SHA256
e6271d738fc78602abc8916fb4742638b2b4c4205882f6db24eb361694c67503

SHA512
f0202e3ed32b9e69785bb50551b5143fe69298dead3c9a3d539cc6c6768f70f8263f074f912d1de5decb122bc365b7645428c0d10040f6f15a41f3a5ac0a4611

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue19167b39532817c6.exe
Filesize
8KB

MD5
45a47d815f2291bc7fc0112d36aaad83

SHA1
db1dc02b2d64c4c3db89b5df3124dd87d43059d5

SHA256
416e63fb614101d5644592d5f589f358f8d5a41dd6812a717cbf05470864ac6f

SHA512
a7d98145cf949a42ace2da725a22847ad814a28137d32b0b220430b91c89aabed7144b85f20c2fd9a1a02f5b92520bf5f0afbe8202028f9832cbc29c2a9e776e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue1928d87039b3a61.exe
Filesize
241KB

MD5
5866ab1fae31526ed81bfbdf95220190

SHA1
75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f

SHA256
9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e

SHA512
8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue195f40779b28e9814.exe
Filesize
627KB

MD5
d06aa46e65c291cbf7d4c8ae047c18c5

SHA1
d7ef87b50307c40ffb46460b737ac5157f5829f0

SHA256
1cd9a6908f8a5d58487e6cfea76a388a927f1569ba2b2459f25fffaf8180230f

SHA512
8d5f6605a38e7c45a44127438bf7d6bf6a54aacb0b67b3669eb9609fc1084145f827a8341ce6b1a544198b5633d9f92561bd9f9cc82b52473db0926787a06ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue19638bb08519f.exe
Filesize
557KB

MD5
e8dd2c2b42ddc701b1e2c34cc1fe99b1

SHA1
c3751581986d6cada60747843792d286fd671657

SHA256
835443a1038ad5e0a4dde2451baa95b529f049362955d57daf0b5921729a4f17

SHA512
e179b3b4c2f24d089566630c6ee0421418fe17aa4195dc9b04f471665094ce3a4b3ed29da7b6829b7484fa3e785abd343a1cf7abc556f6f5b5403a92b16a970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar21DA.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eybUKEdD15\_Files\_Information.txt
Filesize
1KB

MD5
c7eed51a148fa8863c0d7c9df1d13caf

SHA1
51540e25ccbb25f36ca05e4d41d50220b938f5c0

SHA256
421e94ba4581ebf329b60eabd887d159bb4d2736f602efe7be461ea6928f2f90

SHA512
e28062fecacfb926876315c22d5bd8ac5882fbef20a23ab48310d861dcf2cb7cd67d9e2a0238ed5544b6f7bf0000980a9f7ed7f0e695a042a46b853a4cb840a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eybUKEdD15\_Files\_Information.txt
Filesize
3KB

MD5
53646c350355d6fc84e4c4b20b57ad53

SHA1
c59d7458d64493e579c0a9765feb87207386d5ad

SHA256
6d30c53b074c7b4344920fd9c737b74075f8073cc758be096e8ca390d7461926

SHA512
8bc9876bb3c0506d8170f9c8ae7479e0391150800cafe0afb721c438edd0dcc5da87cdf7f398d770f5393c5fb8f7ec695df489c7b3c02786a1527f6de42e89ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\eybUKEdD15\_Files\_Information.txt
Filesize
3KB

MD5
f22cf8a9c38b8aeec6f0122865dc894e

SHA1
822ba426eaae8149ea54756c650fefc23d421c95

SHA256
d08bd3c6c9aa96536965a07771c77e79dfcc3254a2abaad8020019856bf07486

SHA512
7e083bda48ec9da7785e2c5195bfde6316e7cdf82aaabdf61a29d47ecef5b4591f958825ad78f07c5c64090f14f51a9185d7d078fee5d2d175e12bdf449eb5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eybUKEdD15\_Files\_Information.txt
Filesize
4KB

MD5
34fbc3a07ba98ea74b1e582e1dd66373

SHA1
9aec0107f97f3964dbba33406450447f33093c13

SHA256
e40ee119d3256b9e049762648d0de2e0198bc88d60e91269069836019defdf6a

SHA512
85fac2628dec9545889ea48648e68486327385529f7c3a7c96046064a19589c454eb49370f741f41d27b9c7f8bd11cd5453792794b15452059832bd73be9da48

Download Submit
C:\Users\Admin\AppData\Local\Temp\eybUKEdD15\_Files\_Screen_Desktop.jpeg
Filesize
52KB

MD5
70ab53f5001e65380d7798ea4c175e25

SHA1
7b2348e8366671bae3c2ee0fbe9e966291028397

SHA256
cbe50e61f0d6afa085ee6393ec5ad7a1ec9cf42f40de37185a5b2b274beee87f

SHA512
26cdedea47561e718fab520c2b893428c610b38384ff2ef13edadee85156ec18f985fca5cfa7ef76bad8c56813d8a64aaa8a8a292dcea70c15d4673369e7c078

Download Submit
C:\Users\Admin\AppData\Local\Temp\eybUKEdD15\files_\system_info.txt
Filesize
1KB

MD5
a440b0175d2d57ab0970a659efa9f249

SHA1
a37b585d633a499192faafdf6d591a80de50111a

SHA256
f6a3e6fdb0186f6d779b911f6379b96da773fc56492e6d3ff26f524515e704a7

SHA512
1b0a6619cd214c06ac73960a904ce3a180a30cb82a8397c31572121b84e4fc73b8468a338ddde136b1fb8b872d5892d0852292e735e2335f1a53d960510b3951

Download Submit
C:\Users\Admin\AppData\Local\Temp\eybUKEdD15\files_\system_info.txt
Filesize
3KB

MD5
4abfc6db14c3fd0320137bb2a951e5c0

SHA1
d24b7f7dc1b50158488ad64a49bc6359f714a2e6

SHA256
f3e2990459f45885178af1af8f3db79531dee38596c00aaf4806d57a143beef4

SHA512
4ea5d8df2c218f6a8ce253c1127348bd42a2013b62001828aad811f133ca8dbf5ee2adf8a6dedbfa7cba0ce4c93f241599a47a98ad309947121006c5c15434e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eybUKEdD15\files_\system_info.txt
Filesize
3KB

MD5
a2aa6a6d42c73b996425665dcff9ab65

SHA1
a080bd39948d154751c671a9f88bf94fc5b8ed93

SHA256
cd6fcee1a07c9dc4f00b52f437c897c77dc8f427218ead84d01f09098ce34d6a

SHA512
4ad7c0df124f656abbfd91f96d42d113d17f13a9b131a6676fc1276864110a6871d91cb0ee3e7133e2244a4459f8f38f8afed4cc98d0acccc861d5e42afda9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eybUKEdD15\files_\system_info.txt
Filesize
4KB

MD5
02cdec8ee6601f7931786bd1a0486f6f

SHA1
8a4aba0e6c4f02e2bbe56aca1eb1bc124d2f3cd4

SHA256
57360fb6cafef1a4c063a2260edf67f8d9240e0cd6c481449e51a522118d0651

SHA512
ea3383605e2c7c3249d4df5b78fb469b1f3f4ddbf58b29cfc98c80159b6ee3b13472a45e77d8abb3d6641484000c3f02100a0e6ae7f2f9e07c63bb6713745eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\eybUKEdD15\oP4jufGfbZG.zip
Filesize
43KB

MD5
95fc49f626277f2b3329230f1d7d81cf

SHA1
c1d0a8214ea0a86bded72d020018733e13800dbf

SHA256
23d73a311918dcc9e9436e028a21703b2f4ea2f180cdb8ef04a2f0acc9c72699

SHA512
b808b4b837de2c52776b09df23e3542e0d1614f995a8cc248115372315f56e4f6549899f668f24df72f027d1900af56e4a43f7ca5741fcce117f9b1b9e2dfdb2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue19301d0ee47f9.exe
Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue1931cb6307cc71e4.exe
Filesize
263KB

MD5
52ef6f18788d94f657a2fb0616772897

SHA1
e7f2ff804f52e832ab3fb191f6c747be8334396e

SHA256
1cc598746610d27a557ab0d1abd9286b7f85fb4249f817eb49b8ba8ffbd0273f

SHA512
be264cb76f728396694197883aa8bbb43674601977e595a7cfe9ad9de53e0e328a022e5f67869498f913b4eafeaa3c4c416aa3c0c132bca180455928fb026e3a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\Tue19519844d595cb.exe
Filesize
109KB

MD5
34aa457fed673b5c3cec68d05df16473

SHA1
f31f729d3bb5e0e205e0fb80abc33800d4d92d96

SHA256
e764cf9d6834ab39436de3fffb0c3b023e3f05051b84b35689ab61a6705e0bdd

SHA512
7ce8aa80dabd75ddf45a72c5c178bdc9346c31fc7bd4a12fc9b72674ae98a6b02d9d37a61dc2bbffd6966470c8af9af4342f0fcce4e33e6dfae3ad01e5642684

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8EA4BC06\setup_install.exe
Filesize
2.1MB

MD5
edb875a62ee893ddcff68ab842b06889

SHA1
1db014be7d248bfad1b791e2b5799b146c51491a

SHA256
e7070a58f07b641bd9927b68b21364e9ba8fb2836564636ebca265f430e8e050

SHA512
2629e3a4012ad7cc4249f78c454aeb77ac4b386015e461c6d4c7aafd192b7849348d3cdfd9b5cf806780cd8ec9766b467a01e190cb95d8ddf8a4a1e777b98632

Download Submit
memory/808-150-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/808-335-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/808-149-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/808-148-0x00000000002E0000-0x00000000003E0000-memory.dmp

Filesize
1024KB

Download
memory/1204-334-0x0000000002E40000-0x0000000002E56000-memory.dmp

Filesize
88KB

Download
memory/2220-147-0x0000000002D20000-0x0000000002DBD000-memory.dmp

Filesize
628KB

Download
memory/2220-399-0x0000000002E60000-0x0000000002F60000-memory.dmp

Filesize
1024KB

Download
memory/2220-379-0x0000000000400000-0x0000000002D1A000-memory.dmp

Filesize
41.1MB

Download
memory/2220-152-0x0000000000400000-0x0000000002D1A000-memory.dmp

Filesize
41.1MB

Download
memory/2220-142-0x0000000002E60000-0x0000000002F60000-memory.dmp

Filesize
1024KB

Download
memory/2416-386-0x0000000003FE0000-0x0000000004083000-memory.dmp

Filesize
652KB

Download
memory/2416-387-0x0000000003FE0000-0x0000000004083000-memory.dmp

Filesize
652KB

Download
memory/2416-646-0x0000000003FE0000-0x0000000004083000-memory.dmp

Filesize
652KB

Download
memory/2416-411-0x0000000003FE0000-0x0000000004083000-memory.dmp

Filesize
652KB

Download
memory/2416-392-0x0000000003FE0000-0x0000000004083000-memory.dmp

Filesize
652KB

Download
memory/2416-391-0x0000000003FE0000-0x0000000004083000-memory.dmp

Filesize
652KB

Download
memory/2416-390-0x0000000003FE0000-0x0000000004083000-memory.dmp

Filesize
652KB

Download
memory/2416-389-0x0000000003FE0000-0x0000000004083000-memory.dmp

Filesize
652KB

Download
memory/2416-388-0x0000000003FE0000-0x0000000004083000-memory.dmp

Filesize
652KB

Download
memory/2632-146-0x0000000073540000-0x0000000073AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-153-0x0000000073540000-0x0000000073AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2656-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2656-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2656-50-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2656-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2656-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2656-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2656-372-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2656-373-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2656-374-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2656-375-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2656-376-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2656-377-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2656-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2656-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2656-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2656-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2656-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2656-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2656-64-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2696-155-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2696-107-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/2696-356-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-136-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-135-0x00000000002C0000-0x00000000002DA000-memory.dmp

Filesize
104KB

Download
memory/2764-401-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

Filesize
1024KB

Download
memory/2764-402-0x0000000007640000-0x0000000007680000-memory.dmp

Filesize
256KB

Download
memory/2764-151-0x0000000000400000-0x0000000002CD3000-memory.dmp

Filesize
40.8MB

Download
memory/2764-156-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

Filesize
1024KB

Download
memory/2764-157-0x0000000007640000-0x0000000007680000-memory.dmp

Filesize
256KB

Download
memory/2764-145-0x0000000004DC0000-0x0000000004DE0000-memory.dmp

Filesize
128KB

Download
memory/2764-141-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2764-133-0x0000000003310000-0x0000000003332000-memory.dmp

Filesize
136KB

Download
memory/2904-140-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/2904-400-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/2904-154-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/2904-398-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/2904-106-0x0000000001010000-0x0000000001018000-memory.dmp

Filesize
32KB

Download