78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1

Analysis

max time kernel
148s
max time network
140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
Size

1012KB
MD5

c18d50f8c2cb8ac2c9e3453feddf1082
SHA1

9753a6819f7c61efb1af932dc9ee56cfb584b48a
SHA256

78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1
SHA512

40f0f2348c005210971bfdf9b1660780b95522a269d592a891914a83446dfec248f8ecad00959381e37367af3d502fc62f243fe3739afd98ced509b955001615
SSDEEP

24576:fiBl5ESRiGfh3e5Eoobsbu0cipLKl6OuKtquG6:fiBfXR9eEoCsbu0ciRU6OxtJv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1660	aria2c.exe

Loads dropped DLL 5 IoCs

pid	Process
2392	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
1740	Process not Found
2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2392-0-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-3-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-4-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-5-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-6-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-7-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-8-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-10-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-14-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-13-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-12-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-11-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-15-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-9-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-16-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-18-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-19-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-28-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-31-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-30-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-29-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-27-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-26-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-25-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-24-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-23-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-22-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-21-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-20-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-32-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-17-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-136-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-167-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-166-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-168-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-170-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-169-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-171-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-172-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2392-163-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-173-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-174-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-213-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-231-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-232-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-233-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-237-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-238-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-240-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-242-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-244-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-246-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-248-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-250-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-252-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-254-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-256-0x0000000000400000-0x0000000000791000-memory.dmp	upx
behavioral1/memory/2276-258-0x0000000000400000-0x0000000000791000-memory.dmp	upx

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2392	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
2392	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
2392	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2276	2392	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe	29
PID 2392 wrote to memory of 2276	2392	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe	29
PID 2392 wrote to memory of 2276	2392	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe	29
PID 2392 wrote to memory of 2276	2392	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe	29
PID 2276 wrote to memory of 1660	2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe	31
PID 2276 wrote to memory of 1660	2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe	31
PID 2276 wrote to memory of 1660	2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe	31
PID 2276 wrote to memory of 1660	2276	78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe	31

C:\Users\Admin\AppData\Local\Temp\78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
"C:\Users\Admin\AppData\Local\Temp\78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
  78a874d6b3bc84cf2dd6b0abed0c8cb4855762ab07cac7ae5c7702ba3114fab1.exe
  2⤵
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\aria2c.exe
    C:\Users\Admin\AppData\Local\Temp\aria2c.exe -q --enable-rpc=true --rpc-allow-origin-all=true --rpc-listen-port=36510 --file-allocation=falloc --rpc-listen-all=true --continue=true --rpc-secret=g2iJJOk786gZYJujOfbp1RhsqPrGe0vooD80ILo1x9GI7Hz7y4d89yX839l3t4Mn8H8B9NaSYKLrR9HCHhx7EiQI6e2J2wuPoDhQz0yd735kN3BSO0XVA0Sm
    3⤵
    - Executes dropped EXE
    PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
cb7ac62247e4d34d168f8947eb8bc7d2

SHA1
a639cb0d4b63724acc15396c676d51b542567fe9

SHA256
8da910b00f25c82f3550e7213da7d597e825117a02fe3deb145fff003c490fcd

SHA512
f7689638de236626a56433910f3db18388b5fdb2844070493c3a777cb4dacca66439939ca2b3558f76ed6cc09de1a44cf5faad27d8e8895e531e131bcd50f70a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
5babe44fd5f6c5fe25485b142a8b3af9

SHA1
109f30724b7da79fbed89f66eed752573407303f

SHA256
896a054f8870c4c4a416f184acb4a6d877d9baada18160f8c22d05479d79da49

SHA512
bbbe6bfce0a19c44ec8fa5acc0eab45fc84860a34ab187407f748eaaaa5bce19da7ac4b1f358f0831c2caa7868b2b6647ba7d600d55acdc49046f416d4913174

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b7b8ca75b0b9cffae22309c45affbf9

SHA1
7cca1a14a6d6ad7dbe163dec5002c115b99fab85

SHA256
d355578770c0af5f879c447547c61f0dd4b8804f58e04e9901e463616423e03f

SHA512
4c7a67897b10d37adbbdc7f3f3fe933fe782f147cc6d56a6badc12d3f85170b1ce3b279af28033d14375544d5d0e70fd497ad5da614437b020e8712fcae9c52d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
bdc99ec264d78dadbd6ee02fd2098859

SHA1
558cca377d86e5e1b52ebe8eb6e7ab246d76e3f4

SHA256
10dcc25c622cbf1281f5d3bedc011964ac41565474218151eadb0b440b3fe0ff

SHA512
3f9bf7f2ae47484efa85f4aef36cb78d74a94c548089d1501b74640b30c1c08a05493bb4dcbfe299c62f3249269aa6f5c2427397badc4c40ef1c6d280d29614c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8PP1MZVT\jsonrpc[1]

Filesize
159B

MD5
3c4566f815a7f96f5ba67174e0a76a0b

SHA1
0b21abba449cfdbf90c849ed1c0d8ec2a82bd944

SHA256
5c11755c25c63f83e1790e4b5bace23b400857b4fabced6c52dea96ba0f37938

SHA512
b3697a2596609f3c97544964b0843b20f7bab242fb08e3501685cd94da082a1cdc5a2a35b4a002e31085ec96c3a52646748ba6c3c384024d01d2143d0c5fdcbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiveM\launcher_cache\cookies.dat

Filesize
352B

MD5
52f72edeb7e4e5f5d88ab188d1ce085f

SHA1
bc5ed8ba7769e70bff70e7ef9bbc23bfef5cffcc

SHA256
5c4440eea56a78d9f175e9e3301e5cd3d7c8fd68192a808d77ed94596b63b685

SHA512
7096554c5f17cb2931b8774c948866799653ae6aa2130ee3e064a075f1d06aac58b4d20f469d3c235b1d9cb80b35a69a988c7d04bb53ab3055778ba1323c03fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiveM\launcher_cache\cookies.dat

Filesize
425B

MD5
977565947657e7324fc37d5f0147fbe7

SHA1
cfda6f5a8096ac7a81f784a239ebb665b48d1acf

SHA256
5d636369051b4843f36a4ffea272c309c9e8d0402cb903ac473a4ed3c6fe80fa

SHA512
3397ebc1b3f6d904908d015951dc9e8c41ca027e3ff988cb2ae462a038dfb74a7f56661df442da7dacffe340a79f6db1ff18f659b584c6821fda901b9df07936

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiveM\launcher_cache\header.jpg

Filesize
337KB

MD5
abbcb7e2d5b3f90e69794bf0e3eab1c0

SHA1
35f3da99942490fb5a4da78c52d9077cb22323c0

SHA256
c9cc2323f06402f7b09a3b8b8359f0bdaecd0d0e2e07c949ac03701636d122eb

SHA512
fb2caa5a245a6b3ab7e3a5c7468150ea76058c28d794e5ea025de790e31cce4d66b2f218d6254bf769b2869a84d743d3728716fcc1639e016c566a3cd9770354

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar347D.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher_config.ini

Filesize
193B

MD5
172470d8d9549228eb372eb02bd013ed

SHA1
a8dff708548ba78370da66065b9f9b55d99bd6ca

SHA256
d1be48e98260f699f405f6e3702508d4b1e761abcf354f272798c3aeaf007f58

SHA512
7650c4a01091318affa46dc719ebf3f987d8224102e9998182ed68381281b67ca3198dce93024ca02d5361f0d15e5274eeb46c7189db5fd03930e15396b8ac4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\node.dll

Filesize
27.5MB

MD5
3a7ae63e30ca56dc164d6af3f8240037

SHA1
3b646b0bd2e5c4ce6aee2a8ef8c0ec524a6e87ff

SHA256
58a527c1271621db700c51a30f8d2c9059a54b619c549ad63796edc75a5d4041

SHA512
18984c7c272f9512c0b445ef8819657c51d93184aa9ec2d4ebf3b2ae2f65285b661d09b1a912153c4d6600a4df820db7657ed49285bcdbab4b01402a78232a2c

Download Submit
\Users\Admin\AppData\Local\Temp\aria2c.exe

Filesize
4.9MB

MD5
cd5b35b875ccc348646ed90e8e7986dc

SHA1
ac57b142616a843e390115d3b8363a5c641c4b60

SHA256
c1a5326be6c7f05c94f3efe041010ab6b57f2f69fa1024b7b4e96f052393f61d

SHA512
37ce02ca06caf4de76964d65ee71701a4a4cde81fcfb7b20edb174a967c6ca9dea6822bf7edd8eda00d58744dced1ea727c51902867ea45d9ed9a9981e3fbf3f

Download Submit
\Users\Admin\AppData\Local\Temp\zip.dll

Filesize
453KB

MD5
6df0ed0afe162198116be68aba60e0c4

SHA1
bd0ca25ff4e495717be7345933aaa90755e5a6ca

SHA256
14172cccc2b24d7b490b6038c9493e64d5cab4afeee62014710dfad546eec9dc

SHA512
6696ec1e2261e44e1259609f74e95c205165048d94e581f44b09b87fc70e89b2eaeecd09b7de9cb9735dab0b9d90dd4ff7b5ac07e4b5bd8e5f502e71bbfdb757

Download Submit
memory/1660-219-0x0000000000400000-0x00000000008F4000-memory.dmp

Filesize
5.0MB

Download
memory/2276-237-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-169-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-254-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-252-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-250-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-248-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-246-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-244-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-242-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-240-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-238-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-166-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-256-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-233-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-174-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-258-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-213-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-212-0x0000000014600000-0x0000000014601000-memory.dmp

Filesize
4KB

Download
memory/2276-231-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-173-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-172-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-171-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-232-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-170-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-168-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2276-167-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-32-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-9-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-165-0x00000000002F0000-0x000000000030E000-memory.dmp

Filesize
120KB

Download
memory/2392-0-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-136-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-14-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-13-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-163-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-12-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-11-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-10-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-8-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-7-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-6-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-5-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-4-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-3-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-15-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-17-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-164-0x0000000005D40000-0x00000000060D1000-memory.dmp

Filesize
3.6MB

Download
memory/2392-1-0x00000000002F0000-0x000000000030E000-memory.dmp

Filesize
120KB

Download
memory/2392-2-0x00000000004B5000-0x00000000004B6000-memory.dmp

Filesize
4KB

Download
memory/2392-20-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-21-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-22-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-23-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-24-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-25-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-26-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-27-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-29-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-30-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-31-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-28-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-19-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-18-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/2392-16-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download