c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Size

615KB
MD5

0cccb7731df5885d0405e9243cc27186
SHA1

b4d00aac110acfbb3da657a57f3ba43c968f4c22
SHA256

c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b
SHA512

ff6c364decbd3ec6d9c291e670839ff2537e7914fbd7dd8e85a363270c6a8609f3c1b72edac482d11f8749a17b4c5c007cd4f5917c7ada66cbb0f2f36fbf3099
SSDEEP

12288:YXvoWzJMd1MOqctASMZ6upAbyXjARtxldrK7mfk:W5zGYTwuebeIHk

Score

7^/10

defense_evasion discovery persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 1 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2684	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeDebugPrivilege	2344	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeDebugPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeDebugPrivilege	2488	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2344	2684	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	31
PID 2684 wrote to memory of 2344	2684	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	31
PID 2684 wrote to memory of 2344	2684	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	31
PID 2684 wrote to memory of 2192	2684	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	32
PID 2684 wrote to memory of 2192	2684	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	32
PID 2684 wrote to memory of 2192	2684	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	32
PID 2684 wrote to memory of 2488	2684	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	33
PID 2684 wrote to memory of 2488	2684	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	33
PID 2684 wrote to memory of 2488	2684	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	33

C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
"C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
  "C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe" -group=user -outputfile=C:\Windows\Temp\all_212.102.63.147_user.txt
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
  "C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe" -group=misc -outputfile=C:\Windows\Temp\all_212.102.63.147_misc.txt
  2⤵
  - Enumerates connected drives
  - Drops file in Windows directory
  - Event Triggered Execution: Netsh Helper DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
  "C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe" -group=system -outputfile=C:\Windows\Temp\all_212.102.63.147_system.txt
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\all_212.102.63.147_misc.txt

Filesize
40KB

MD5
11f432954ed735a68f4d26ff1cc02102

SHA1
805982fe48937a6aa68aad81c9fa1da90f350436

SHA256
b4cfe048093e04457f562d4d9e2e734ed00c18e1a8504d1385b1561dffdf9c88

SHA512
6ffe19da226696500d09d1ab48683080b4222e2e0a3af2dd9b729af443e383545b6d696873e070e5ff4335a11273efe593941ea7982d87a2d1d9df2bf743524b

Download Submit
C:\Windows\Temp\all_212.102.63.147_system.txt

Filesize
47KB

MD5
422650b6a714aae5b593fc3274bd2e9b

SHA1
c73a2e3dcb1dc701b9985190d7818e15bde13d04

SHA256
98b5ece5d11b003b830d61444e6963b55be3107767e5ca85049ede8aeac71cea

SHA512
c9ce5d271c17e7389d433794671bca77b0952681f7551a50e0dee20a702bc195e7c46d87afd6ee27018cde743ceba2db5a63ccac05c62321ad41d9388f46570e

Download Submit
C:\Windows\Temp\all_212.102.63.147_user.txt

Filesize
16KB

MD5
cd18c2aab7960c14a2a478ffd1b3ef57

SHA1
f7fa882d6fa588ad7df8484aa1009a7a88735eb5

SHA256
920af0ef933f2325a83676c22d7dfcadae80b52904d78f99a90f0a5c95a8a0db

SHA512
a2f796e9cb0e04a8c8ff74c33345861807bc644d33b572702c06997594d5b3959c1d30016bed1866918a0939a83dfc6c46f58f55888e8074d94fa5ff78df38a0

Download Submit
memory/2192-7-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2192-12-0x000000001A870000-0x000000001A895000-memory.dmp

Filesize
148KB

Download
memory/2192-5-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2344-10-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2344-3-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2344-4-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2488-16-0x000007FEF10A0000-0x000007FEF1132000-memory.dmp

Filesize
584KB

Download
memory/2488-15-0x000007FEF1F50000-0x000007FEF1FE2000-memory.dmp

Filesize
584KB

Download
memory/2684-8-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-6-0x000007FEF6263000-0x000007FEF6264000-memory.dmp

Filesize
4KB

Download
memory/2684-0-0x000007FEF6263000-0x000007FEF6264000-memory.dmp

Filesize
4KB

Download
memory/2684-2-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-1-0x0000000000360000-0x0000000000400000-memory.dmp

Filesize
640KB

Download
memory/2684-20-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

Filesize
9.9MB

Download