203653a75d1f8f6061e180a4117b77175899135f35cba8207f2be2910b3290c6

Analysis

max time kernel
146s
max time network
48s
platform
windows7_x64
resource
win7v200430
submitted
02/06/2020, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fun.bin.exe
Size

258KB
MD5

748b61626e0015845bd7434ca03f27fa
SHA1

f4a54594ff0789f2ba8670f19c1f4dfd6759aa08
SHA256

ede55d924a00a0d21f2253f6b0ce2be5fefac6262fd9a736f347e2467500725b
SHA512

4392e13d57a9f7624644515f6daf016e151fabe9ec2aa2cff1d7a979d313aabb24ea6b952eaba69400b35acd383d7ef13e2e60fd9c22657dfeda0a9bac4f9432

Score

7^/10

spyware

Malware Config

Signatures

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1084	1292	fun.bin.exe	24
PID 1292 wrote to memory of 1084	1292	fun.bin.exe	24
PID 1292 wrote to memory of 1084	1292	fun.bin.exe	24
PID 1292 wrote to memory of 1084	1292	fun.bin.exe	24

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\fun.bin.exe
"C:\Users\Admin\AppData\Local\Temp\fun.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9339.tmp\933A.tmp\933B.bat C:\Users\Admin\AppData\Local\Temp\fun.bin.exe"
  2⤵
  PID:1084
- - C:\Windows\system32\certutil.exe
    certutil -encode "vcredist2010_x64.log-MSI_vc_red.msi.txt.Sister" "vcredist2010_x64.log-MSI_vc_red.msi.txt.Cruel"
    3⤵
    PID:1444
- - C:\Windows\system32\certutil.exe
    certutil -encode "vcredist2010_x64.log.html.Sister" "vcredist2010_x64.log.html.Cruel"
    3⤵
    PID:1472
- - C:\Windows\system32\certutil.exe
    certutil -encode "vcredist2012_x64_0_vcRuntimeMinimum_x64.log.Sister" "vcredist2012_x64_0_vcRuntimeMinimum_x64.log.Cruel"
    3⤵
    PID:1504
- - C:\Windows\system32\certutil.exe
    certutil -encode "vcredist2012_x64_1_vcRuntimeAdditional_x64.log.Sister" "vcredist2012_x64_1_vcRuntimeAdditional_x64.log.Cruel"
    3⤵
    PID:680
- - C:\Windows\system32\certutil.exe
    certutil -encode "vcredist2013_x64_000_vcRuntimeMinimum_x64.log.Sister" "vcredist2013_x64_000_vcRuntimeMinimum_x64.log.Cruel"
    3⤵
    PID:1600
- - C:\Windows\system32\certutil.exe
    certutil -encode "vcredist2013_x64_001_vcRuntimeAdditional_x64.log.Sister" "vcredist2013_x64_001_vcRuntimeAdditional_x64.log.Cruel"
    3⤵
    PID:740
- - C:\Windows\system32\certutil.exe
    certutil -encode "vcredist2019_x64_001_vcRuntimeMinimum_x64.log.Sister" "vcredist2019_x64_001_vcRuntimeMinimum_x64.log.Cruel"
    3⤵
    PID:900
- - C:\Windows\system32\certutil.exe
    certutil -encode "vcredist2019_x64_002_vcRuntimeAdditional_x64.log.Sister" "vcredist2019_x64_002_vcRuntimeAdditional_x64.log.Cruel"
    3⤵
    PID:376
- - C:\Windows\system32\certutil.exe
    certutil -encode "AssertUse.bmp.Sister" "AssertUse.bmp.Cruel"
    3⤵
    PID:784
- - C:\Windows\system32\certutil.exe
    certutil -encode "BackupMount.M2TS.Sister" "BackupMount.M2TS.Cruel"
    3⤵
    PID:112
- - C:\Windows\system32\certutil.exe
    certutil -encode "CheckpointOptimize.css.Sister" "CheckpointOptimize.css.Cruel"
    3⤵
    PID:756
- - C:\Windows\system32\certutil.exe
    certutil -encode "CloseUnregister.i64.Sister" "CloseUnregister.i64.Cruel"
    3⤵
    PID:1056
- - C:\Windows\system32\certutil.exe
    certutil -encode "ConnectRedo.ico.Sister" "ConnectRedo.ico.Cruel"
    3⤵
    PID:1072
- - C:\Windows\system32\certutil.exe
    certutil -encode "ConvertToNew.htm.Sister" "ConvertToNew.htm.Cruel"
    3⤵
    PID:1064
- - C:\Windows\system32\certutil.exe
    certutil -encode "ExitUninstall.vstx.Sister" "ExitUninstall.vstx.Cruel"
    3⤵
    PID:1044
- - C:\Windows\system32\certutil.exe
    certutil -encode "GetUse.ADT.Sister" "GetUse.ADT.Cruel"
    3⤵
    PID:1032
- - C:\Windows\system32\certutil.exe
    certutil -encode "InitializeExpand.cab.Sister" "InitializeExpand.cab.Cruel"
    3⤵
    PID:1528
- - C:\Windows\system32\certutil.exe
    certutil -encode "NewInitialize.pot.Sister" "NewInitialize.pot.Cruel"
    3⤵
    PID:1516
- - C:\Windows\system32\certutil.exe
    certutil -encode "OptimizeInitialize.dib.Sister" "OptimizeInitialize.dib.Cruel"
    3⤵
    PID:1492
- - C:\Windows\system32\certutil.exe
    certutil -encode "PopRestore.bmp.Sister" "PopRestore.bmp.Cruel"
    3⤵
    PID:1684
- - C:\Windows\system32\certutil.exe
    certutil -encode "PopUnpublish.ico.Sister" "PopUnpublish.ico.Cruel"
    3⤵
    PID:1356
- - C:\Windows\system32\certutil.exe
    certutil -encode "RegisterUnpublish.docm.Sister" "RegisterUnpublish.docm.Cruel"
    3⤵
    PID:1368
- - C:\Windows\system32\certutil.exe
    certutil -encode "RequestPublish.ttf.Sister" "RequestPublish.ttf.Cruel"
    3⤵
    PID:1228
- - C:\Windows\system32\certutil.exe
    certutil -encode "ResizeCompare.raw.Sister" "ResizeCompare.raw.Cruel"
    3⤵
    PID:1784
- - C:\Windows\system32\certutil.exe
    certutil -encode "ResolveInvoke.ADTS.Sister" "ResolveInvoke.ADTS.Cruel"
    3⤵
    PID:1808
- - C:\Windows\system32\certutil.exe
    certutil -encode "RevokeEnable.xsl.Sister" "RevokeEnable.xsl.Cruel"
    3⤵
    PID:1800
- - C:\Windows\system32\certutil.exe
    certutil -encode "SendMount.raw.Sister" "SendMount.raw.Cruel"
    3⤵
    PID:1736
- - C:\Windows\system32\certutil.exe
    certutil -encode "SubmitConnect.WTV.Sister" "SubmitConnect.WTV.Cruel"
    3⤵
    PID:1780
- - C:\Windows\system32\certutil.exe
    certutil -encode "UnlockFind.png.Sister" "UnlockFind.png.Cruel"
    3⤵
    PID:1776
- - C:\Windows\system32\certutil.exe
    certutil -encode "UpdateSubmit.raw.Sister" "UpdateSubmit.raw.Cruel"
    3⤵
    PID:1768
- - C:\Windows\system32\certutil.exe
    certutil -encode "UpdateUninstall.mp3.Sister" "UpdateUninstall.mp3.Cruel"
    3⤵
    PID:1812
- - C:\Windows\system32\certutil.exe
    certutil -encode "WriteBlock.ini.Sister" "WriteBlock.ini.Cruel"
    3⤵
    PID:1756
- - C:\Windows\system32\certutil.exe
    certutil -encode "ApproveExport.xlsb.Sister" "ApproveExport.xlsb.Cruel"
    3⤵
    PID:524
- - C:\Windows\system32\certutil.exe
    certutil -encode "CompleteConvertFrom.rmi.Sister" "CompleteConvertFrom.rmi.Cruel"
    3⤵
    PID:320
- - C:\Windows\system32\certutil.exe
    certutil -encode "ConnectClose.txt.Sister" "ConnectClose.txt.Cruel"
    3⤵
    PID:768
- - C:\Windows\system32\certutil.exe
    certutil -encode "ConvertWatch.edrwx.Sister" "ConvertWatch.edrwx.Cruel"
    3⤵
    PID:860
- - C:\Windows\system32\certutil.exe
    certutil -encode "CopyRequest.bin.Sister" "CopyRequest.bin.Cruel"
    3⤵
    PID:1156
- - C:\Windows\system32\certutil.exe
    certutil -encode "DisableDisconnect.ini.Sister" "DisableDisconnect.ini.Cruel"
    3⤵
    PID:1352
- - C:\Windows\system32\certutil.exe
    certutil -encode "DismountSave.search-ms.Sister" "DismountSave.search-ms.Cruel"
    3⤵
    PID:620
- - C:\Windows\system32\certutil.exe
    certutil -encode "DismountUse.crw.Sister" "DismountUse.crw.Cruel"
    3⤵
    PID:568
- - C:\Windows\system32\certutil.exe
    certutil -encode "EditLock.7z.Sister" "EditLock.7z.Cruel"
    3⤵
    PID:1160
- - C:\Windows\system32\certutil.exe
    certutil -encode "EditReceive.rmi.Sister" "EditReceive.rmi.Cruel"
    3⤵
    PID:1728
- - C:\Windows\system32\certutil.exe
    certutil -encode "EditUninstall.mpg.Sister" "EditUninstall.mpg.Cruel"
    3⤵
    PID:1844
- - C:\Windows\system32\certutil.exe
    certutil -encode "GrantMove.jtx.Sister" "GrantMove.jtx.Cruel"
    3⤵
    PID:1580
- - C:\Windows\system32\certutil.exe
    certutil -encode "GrantStop.DVR.Sister" "GrantStop.DVR.Cruel"
    3⤵
    PID:1592
- - C:\Windows\system32\certutil.exe
    certutil -encode "ImportStart.raw.Sister" "ImportStart.raw.Cruel"
    3⤵
    PID:1584
- - C:\Windows\system32\certutil.exe
    certutil -encode "InvokeMeasure.mhtml.Sister" "InvokeMeasure.mhtml.Cruel"
    3⤵
    PID:1636
- - C:\Windows\system32\certutil.exe
    certutil -encode "MeasureDisconnect.tiff.Sister" "MeasureDisconnect.tiff.Cruel"
    3⤵
    PID:1644
- - C:\Windows\system32\certutil.exe
    certutil -encode "NewResize.ttf.Sister" "NewResize.ttf.Cruel"
    3⤵
    PID:1620
- - C:\Windows\system32\certutil.exe
    certutil -encode "PopConvertFrom.midi.Sister" "PopConvertFrom.midi.Cruel"
    3⤵
    PID:1556
- - C:\Windows\system32\certutil.exe
    certutil -encode "ProtectSave.vsx.Sister" "ProtectSave.vsx.Cruel"
    3⤵
    PID:1540
- - C:\Windows\system32\certutil.exe
    certutil -encode "ReadClear.vsx.Sister" "ReadClear.vsx.Cruel"
    3⤵
    PID:1576
- - C:\Windows\system32\certutil.exe
    certutil -encode "RegisterConvertTo.TTS.Sister" "RegisterConvertTo.TTS.Cruel"
    3⤵
    PID:1892
- - C:\Windows\system32\certutil.exe
    certutil -encode "RegisterResolve.sys.Sister" "RegisterResolve.sys.Cruel"
    3⤵
    PID:1896
- - C:\Windows\system32\certutil.exe
    certutil -encode "RenameEnter.xml.Sister" "RenameEnter.xml.Cruel"
    3⤵
    PID:1872
- - C:\Windows\system32\certutil.exe
    certutil -encode "ResizeExit.lnk.Sister" "ResizeExit.lnk.Cruel"
    3⤵
    PID:1852
- - C:\Windows\system32\certutil.exe
    certutil -encode "SelectGroup.ram.Sister" "SelectGroup.ram.Cruel"
    3⤵
    PID:1856
- - C:\Windows\system32\certutil.exe
    certutil -encode "StepClear.css.Sister" "StepClear.css.Cruel"
    3⤵
    PID:1928
- - C:\Windows\system32\certutil.exe
    certutil -encode "StopConfirm.gif.Sister" "StopConfirm.gif.Cruel"
    3⤵
    PID:1908
- - C:\Windows\system32\certutil.exe
    certutil -encode "TestUse.clr.Sister" "TestUse.clr.Cruel"
    3⤵
    PID:1956
- - C:\Windows\system32\certutil.exe
    certutil -encode "UnpublishSave.cab.Sister" "UnpublishSave.cab.Cruel"
    3⤵
    PID:1948
- - C:\Windows\system32\certutil.exe
    certutil -encode "UnpublishSave.cfg.Sister" "UnpublishSave.cfg.Cruel"
    3⤵
    PID:1936
- - C:\Windows\system32\certutil.exe
    certutil -encode "UpdateConvert.vdw.Sister" "UpdateConvert.vdw.Cruel"
    3⤵
    PID:1944
- - C:\Windows\system32\certutil.exe
    certutil -encode "CompareBackup.wmf.Sister" "CompareBackup.wmf.Cruel"
    3⤵
    PID:1932
- - C:\Windows\system32\certutil.exe
    certutil -encode "CompleteJoin.jpeg.Sister" "CompleteJoin.jpeg.Cruel"
    3⤵
    PID:1916
- - C:\Windows\system32\certutil.exe
    certutil -encode "CompletePublish.emf.Sister" "CompletePublish.emf.Cruel"
    3⤵
    PID:2012
- - C:\Windows\system32\certutil.exe
    certutil -encode "ConnectComplete.emf.Sister" "ConnectComplete.emf.Cruel"
    3⤵
    PID:1088
- - C:\Windows\system32\certutil.exe
    certutil -encode "ConvertToLimit.gif.Sister" "ConvertToLimit.gif.Cruel"
    3⤵
    PID:1080
- - C:\Windows\system32\certutil.exe
    certutil -encode "DismountComplete.bmp.Sister" "DismountComplete.bmp.Cruel"
    3⤵
    PID:2044
- - C:\Windows\system32\certutil.exe
    certutil -encode "DismountInstall.gif.Sister" "DismountInstall.gif.Cruel"
    3⤵
    PID:856
- - C:\Windows\system32\certutil.exe
    certutil -encode "ExportWatch.ico.Sister" "ExportWatch.ico.Cruel"
    3⤵
    PID:1996
- - C:\Windows\system32\certutil.exe
    certutil -encode "FindRestore.gif.Sister" "FindRestore.gif.Cruel"
    3⤵
    PID:2032
- - C:\Windows\system32\certutil.exe
    certutil -encode "LimitDebug.bmp.Sister" "LimitDebug.bmp.Cruel"
    3⤵
    PID:2028
- - C:\Windows\system32\certutil.exe
    certutil -encode "LockWatch.tif.Sister" "LockWatch.tif.Cruel"
    3⤵
    PID:2036
- - C:\Windows\system32\certutil.exe
    certutil -encode "RegisterConnect.jpg.Sister" "RegisterConnect.jpg.Cruel"
    3⤵
    PID:1476
- - C:\Windows\system32\certutil.exe
    certutil -encode "RequestSkip.dwg.Sister" "RequestSkip.dwg.Cruel"
    3⤵
    PID:1480
- - C:\Windows\system32\certutil.exe
    certutil -encode "ResizeResolve.ico.Sister" "ResizeResolve.ico.Cruel"
    3⤵
    PID:1548
- - C:\Windows\system32\certutil.exe
    certutil -encode "ResumeExpand.emz.Sister" "ResumeExpand.emz.Cruel"
    3⤵
    PID:852
- - C:\Windows\system32\certutil.exe
    certutil -encode "SelectUnprotect.bmp.Sister" "SelectUnprotect.bmp.Cruel"
    3⤵
    PID:1416
- - C:\Windows\system32\certutil.exe
    certutil -encode "SelectUse.crw.Sister" "SelectUse.crw.Cruel"
    3⤵
    PID:1444
- - C:\Windows\system32\certutil.exe
    certutil -encode "SetClear.emf.Sister" "SetClear.emf.Cruel"
    3⤵
    PID:1472
- - C:\Windows\system32\certutil.exe
    certutil -encode "ShowSet.cr2.Sister" "ShowSet.cr2.Cruel"
    3⤵
    PID:1504
- - C:\Windows\system32\certutil.exe
    certutil -encode "SkipSet.pcx.Sister" "SkipSet.pcx.Cruel"
    3⤵
    PID:680
- - C:\Windows\system32\certutil.exe
    certutil -encode "TestWrite.tiff.Sister" "TestWrite.tiff.Cruel"
    3⤵
    PID:1600
- - C:\Windows\system32\certutil.exe
    certutil -encode "UninstallDisable.jpeg.Sister" "UninstallDisable.jpeg.Cruel"
    3⤵
    PID:740
- - C:\Windows\system32\certutil.exe
    certutil -encode "UninstallJoin.svgz.Sister" "UninstallJoin.svgz.Cruel"
    3⤵
    PID:900
- - C:\Windows\system32\certutil.exe
    certutil -encode "UnpublishUnregister.tif.Sister" "UnpublishUnregister.tif.Cruel"
    3⤵
    PID:376
- - C:\Windows\system32\certutil.exe
    certutil -encode "AddRedo.pot.Sister" "AddRedo.pot.Cruel"
    3⤵
    PID:784
- - C:\Windows\system32\certutil.exe
    certutil -encode "Are.docx.Sister" "Are.docx.Cruel"
    3⤵
    PID:112
- - C:\Windows\system32\certutil.exe
    certutil -encode "AssertClear.xls.Sister" "AssertClear.xls.Cruel"
    3⤵
    PID:756
- - C:\Windows\system32\certutil.exe
    certutil -encode "DebugCompress.xlsb.Sister" "DebugCompress.xlsb.Cruel"
    3⤵
    PID:1056
- - C:\Windows\system32\certutil.exe
    certutil -encode "DebugDisconnect.vsdx.Sister" "DebugDisconnect.vsdx.Cruel"
    3⤵
    PID:1072
- - C:\Windows\system32\certutil.exe
    certutil -encode "DisconnectRestore.pub.Sister" "DisconnectRestore.pub.Cruel"
    3⤵
    PID:1064
- - C:\Windows\system32\certutil.exe
    certutil -encode "Files.docx.Sister" "Files.docx.Cruel"
    3⤵
    PID:1044
- - C:\Windows\system32\certutil.exe
    certutil -encode "FormatReceive.xltm.Sister" "FormatReceive.xltm.Cruel"
    3⤵
    PID:1032
- - C:\Windows\system32\certutil.exe
    certutil -encode "FormatReset.dot.Sister" "FormatReset.dot.Cruel"
    3⤵
    PID:1528
- - C:\Windows\system32\certutil.exe
    certutil -encode "FormatSkip.vsdm.Sister" "FormatSkip.vsdm.Cruel"
    3⤵
    PID:1516
- - C:\Windows\system32\certutil.exe
    certutil -encode "GetClear.docm.Sister" "GetClear.docm.Cruel"
    3⤵
    PID:1492
- - C:\Windows\system32\certutil.exe
    certutil -encode "GrantUnpublish.xltx.Sister" "GrantUnpublish.xltx.Cruel"
    3⤵
    PID:1684
- - C:\Windows\system32\certutil.exe
    certutil -encode "MoveOut.pptx.Sister" "MoveOut.pptx.Cruel"
    3⤵
    PID:1356
- - C:\Windows\system32\certutil.exe
    certutil -encode "Opened.docx.Sister" "Opened.docx.Cruel"
    3⤵
    PID:1368
- - C:\Windows\system32\certutil.exe
    certutil -encode "OpenGroup.xltm.Sister" "OpenGroup.xltm.Cruel"
    3⤵
    PID:1228
- - C:\Windows\system32\certutil.exe
    certutil -encode "OptimizeDebug.dotx.Sister" "OptimizeDebug.dotx.Cruel"
    3⤵
    PID:1784
- - C:\Windows\system32\certutil.exe
    certutil -encode "OptimizePop.doc.Sister" "OptimizePop.doc.Cruel"
    3⤵
    PID:1808
- - C:\Windows\system32\certutil.exe
    certutil -encode "PushResume.dot.Sister" "PushResume.dot.Cruel"
    3⤵
    PID:1800
- - C:\Windows\system32\certutil.exe
    certutil -encode "ReadInvoke.xlt.Sister" "ReadInvoke.xlt.Cruel"
    3⤵
    PID:1736
- - C:\Windows\system32\certutil.exe
    certutil -encode "Recently.docx.Sister" "Recently.docx.Cruel"
    3⤵
    PID:1780
- - C:\Windows\system32\certutil.exe
    certutil -encode "RegisterGet.xlsx.Sister" "RegisterGet.xlsx.Cruel"
    3⤵
    PID:1776
- - C:\Windows\system32\certutil.exe
    certutil -encode "RequestImport.ppt.Sister" "RequestImport.ppt.Cruel"
    3⤵
    PID:1768
- - C:\Windows\system32\certutil.exe
    certutil -encode "RestartEnter.ppsm.Sister" "RestartEnter.ppsm.Cruel"
    3⤵
    PID:1812
- - C:\Windows\system32\certutil.exe
    certutil -encode "RestartFormat.xls.Sister" "RestartFormat.xls.Cruel"
    3⤵
    PID:1756
- - C:\Windows\system32\certutil.exe
    certutil -encode "RestartProtect.dot.Sister" "RestartProtect.dot.Cruel"
    3⤵
    PID:524
- - C:\Windows\system32\certutil.exe
    certutil -encode "ResumeReceive.vsd.Sister" "ResumeReceive.vsd.Cruel"
    3⤵
    PID:320
- - C:\Windows\system32\certutil.exe
    certutil -encode "SaveUnlock.pps.Sister" "SaveUnlock.pps.Cruel"
    3⤵
    PID:768
- - C:\Windows\system32\certutil.exe
    certutil -encode "SkipTest.vst.Sister" "SkipTest.vst.Cruel"
    3⤵
    PID:860
- - C:\Windows\system32\certutil.exe
    certutil -encode "StepCopy.xlt.Sister" "StepCopy.xlt.Cruel"
    3⤵
    PID:1156
- - C:\Windows\system32\certutil.exe
    certutil -encode "SwitchDebug.potx.Sister" "SwitchDebug.potx.Cruel"
    3⤵
    PID:1352
- - C:\Windows\system32\certutil.exe
    certutil -encode "SyncRedo.html.Sister" "SyncRedo.html.Cruel"
    3⤵
    PID:1144
- - C:\Windows\system32\certutil.exe
    certutil -encode "TestConnect.mht.Sister" "TestConnect.mht.Cruel"
    3⤵
    PID:1452
- - C:\Windows\system32\certutil.exe
    certutil -encode "These.docx.Sister" "These.docx.Cruel"
    3⤵
    PID:824
- - C:\Windows\system32\certutil.exe
    certutil -encode "TraceGroup.vst.Sister" "TraceGroup.vst.Cruel"
    3⤵
    PID:1624
- - C:\Windows\system32\certutil.exe
    certutil -encode "UnlockMount.htm.Sister" "UnlockMount.htm.Cruel"
    3⤵
    PID:1640
- - C:\Windows\system32\certutil.exe
    certutil -encode "UpdateImport.html.Sister" "UpdateImport.html.Cruel"
    3⤵
    PID:1588
- - C:\Windows\system32\certutil.exe
    certutil -encode "UseSplit.vsdx.Sister" "UseSplit.vsdx.Cruel"
    3⤵
    PID:1596
- - C:\Windows\system32\certutil.exe
    certutil -encode "WaitOpen.htm.Sister" "WaitOpen.htm.Cruel"
    3⤵
    PID:1632
- - C:\Windows\system32\certutil.exe
    certutil -encode "ApproveExport.raw.Sister" "ApproveExport.raw.Cruel"
    3⤵
    PID:1568
- - C:\Windows\system32\certutil.exe
    certutil -encode "CheckpointClose.pps.Sister" "CheckpointClose.pps.Cruel"
    3⤵
    PID:1648
- - C:\Windows\system32\certutil.exe
    certutil -encode "ConvertSave.jpeg.Sister" "ConvertSave.jpeg.Cruel"
    3⤵
    PID:1564
- - C:\Windows\system32\certutil.exe
    certutil -encode "DenyShow.xlsb.Sister" "DenyShow.xlsb.Cruel"
    3⤵
    PID:1544
- - C:\Windows\system32\certutil.exe
    certutil -encode "ExitWait.zip.Sister" "ExitWait.zip.Cruel"
    3⤵
    PID:1860
- - C:\Windows\system32\certutil.exe
    certutil -encode "ExportExpand.aifc.Sister" "ExportExpand.aifc.Cruel"
    3⤵
    PID:1900
- - C:\Windows\system32\certutil.exe
    certutil -encode "ExportSplit.wma.Sister" "ExportSplit.wma.Cruel"
    3⤵
    PID:1912
- - C:\Windows\system32\certutil.exe
    certutil -encode "ExportTest.dib.Sister" "ExportTest.dib.Cruel"
    3⤵
    PID:1864
- - C:\Windows\system32\certutil.exe
    certutil -encode "GrantPush.mp4.Sister" "GrantPush.mp4.Cruel"
    3⤵
    PID:1888
- - C:\Windows\system32\certutil.exe
    certutil -encode "LockTest.xhtml.Sister" "LockTest.xhtml.Cruel"
    3⤵
    PID:1868
- - C:\Windows\system32\certutil.exe
    certutil -encode "PublishCompress.clr.Sister" "PublishCompress.clr.Cruel"
    3⤵
    PID:1848
- - C:\Windows\system32\certutil.exe
    certutil -encode "RedoLimit.vsw.Sister" "RedoLimit.vsw.Cruel"
    3⤵
    PID:636
- - C:\Windows\system32\certutil.exe
    certutil -encode "SaveRequest.dwfx.Sister" "SaveRequest.dwfx.Cruel"
    3⤵
    PID:1964
- - C:\Windows\system32\certutil.exe
    certutil -encode "SwitchAssert.mpeg.Sister" "SwitchAssert.mpeg.Cruel"
    3⤵
    PID:1980
- - C:\Windows\system32\certutil.exe
    certutil -encode "TestSave.DVR.Sister" "TestSave.DVR.Cruel"
    3⤵
    PID:1952
- - C:\Windows\system32\certutil.exe
    certutil -encode "UnregisterConvert.mp3.Sister" "UnregisterConvert.mp3.Cruel"
    3⤵
    PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads