c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b

Analysis

max time kernel
104s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Size

615KB
MD5

0cccb7731df5885d0405e9243cc27186
SHA1

b4d00aac110acfbb3da657a57f3ba43c968f4c22
SHA256

c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b
SHA512

ff6c364decbd3ec6d9c291e670839ff2537e7914fbd7dd8e85a363270c6a8609f3c1b72edac482d11f8749a17b4c5c007cd4f5917c7ada66cbb0f2f36fbf3099
SSDEEP

12288:YXvoWzJMd1MOqctASMZ6upAbyXjARtxldrK7mfk:W5zGYTwuebeIHk

Score

7^/10

defense_evasion discovery persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 1 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeDebugPrivilege	5200	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeDebugPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeDebugPrivilege	4364	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
Token: SeSecurityPrivilege	452	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 5200	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	87
PID 2192 wrote to memory of 5200	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	87
PID 2192 wrote to memory of 452	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	88
PID 2192 wrote to memory of 452	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	88
PID 2192 wrote to memory of 4364	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	89
PID 2192 wrote to memory of 4364	2192	c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe	89

C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
"C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
  "C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe" -group=system -outputfile=C:\Windows\Temp\all_212.102.63.147_system.txt
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5200
- C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
  "C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe" -group=misc -outputfile=C:\Windows\Temp\all_212.102.63.147_misc.txt
  2⤵
  - Enumerates connected drives
  - Event Triggered Execution: Netsh Helper DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe
  "C:\Users\Admin\AppData\Local\Temp\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe" -group=user -outputfile=C:\Windows\Temp\all_212.102.63.147_user.txt
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c44dc08a38e574bfba2e8ff7e0c95d6f4d26d0b041ad60df24cbf95d1be4e85b.exe.log

Filesize
1KB

MD5
cfc339ab6de0b795879e0d55dea196cb

SHA1
c125d0942fd82e706d6476b941645571d2c60551

SHA256
fb6f357781154a93faa82fab60c3eb1d87b8dc2c97435e512a6c55ee8af2fb06

SHA512
bf9c952d4048b716c63572109ec75f6be265f4a703adca81dbde9e26269798bc2b990bad3abb0ef899bfe4096015c6135bf600d3be0f4751b9b73b0a88f56efb

Download Submit
C:\Windows\Temp\all_212.102.63.147_misc.txt

Filesize
56KB

MD5
07f3df5ab30a95ee3b179c30819f16ec

SHA1
c70c34e62684251efb9b46ecd6804fc99dbd7657

SHA256
0921db60f8cdd0cfab8307390cbff92ba2ff2b34712ffa30a91f587c94832112

SHA512
d30b5f0e8cc56c78f333db95650ec850c5b9d47162694683bfcb263fdc26d86f1dc017be2fbf7081052c961430175ed1b9e282c6e92057ea7dde0c23850c5fbc

Download Submit
C:\Windows\Temp\all_212.102.63.147_system.txt

Filesize
666KB

MD5
92df557d72e52f7dd0ca7bf36f7a0d9e

SHA1
43e55765dcb09fb1182598a305d9d017bfb1ae89

SHA256
e9f0205c4dcc4f3507c1bee0d2eb2edf33f3be8bdcde72a2f3f4afb0f986c9fd

SHA512
c1be02cb15f66b72cc5848bfc05b80d30cb15615cf07f32df296157665302e7e86de692aced2d418876492b44b15e7926511b8e367adc6c408da5bab1e165d17

Download Submit
C:\Windows\Temp\all_212.102.63.147_user.txt

Filesize
23KB

MD5
327003abbeb288b3ccd285808e3be696

SHA1
7508c4cd892fc094fdb0037a4a188049f078db06

SHA256
5e16215c8c50ea1bd8173c6f5d7a24d88fdcf23e56548f00436bd29127655138

SHA512
9f313d474ef8aaf77f08f528cacbe47048d5caca17ccffb098b75addeda2ad645b714f37b784b7b9cfbeb6ff432ad2516e760e31728280e09d0e449741a22083

Download Submit
memory/452-17-0x00007FF8E2B30000-0x00007FF8E35F1000-memory.dmp

Filesize
10.8MB

Download
memory/452-10-0x000000001AF00000-0x000000001AF3A000-memory.dmp

Filesize
232KB

Download
memory/452-6-0x00007FF8E2B30000-0x00007FF8E35F1000-memory.dmp

Filesize
10.8MB

Download
memory/452-11-0x000000001AEC0000-0x000000001AEE6000-memory.dmp

Filesize
152KB

Download
memory/2192-19-0x000000001C500000-0x000000001CA28000-memory.dmp

Filesize
5.2MB

Download
memory/2192-3-0x000000001BA00000-0x000000001BBC2000-memory.dmp

Filesize
1.8MB

Download
memory/2192-0-0x00007FF8E2B33000-0x00007FF8E2B35000-memory.dmp

Filesize
8KB

Download
memory/2192-2-0x00007FF8E2B30000-0x00007FF8E35F1000-memory.dmp

Filesize
10.8MB

Download
memory/2192-1-0x00000000001B0000-0x0000000000250000-memory.dmp

Filesize
640KB

Download
memory/2192-21-0x00007FF8E2B33000-0x00007FF8E2B35000-memory.dmp

Filesize
8KB

Download
memory/2192-22-0x00007FF8E2B30000-0x00007FF8E35F1000-memory.dmp

Filesize
10.8MB

Download
memory/2192-23-0x00007FF8E2B30000-0x00007FF8E35F1000-memory.dmp

Filesize
10.8MB

Download
memory/5200-4-0x00007FF8E2B30000-0x00007FF8E35F1000-memory.dmp

Filesize
10.8MB

Download
memory/5200-15-0x00007FF8E2B30000-0x00007FF8E35F1000-memory.dmp

Filesize
10.8MB

Download
memory/5200-5-0x00007FF8E2B30000-0x00007FF8E35F1000-memory.dmp

Filesize
10.8MB

Download