Analysis
- max time kernel: 113s
- max time network: 121s
- resource: win7v191014
Task: task1
Sample: crypted[1].bin.exe
Resource: win7v191014
General
- Target: crypted[1].bin
- Sample: 191129-bykghah8ge
- SHA256: 9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57
Score: N/A
Malware Config
Signatures
- Reads Secure browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\ | 1304 | crypted[1].bin.exe
- Reads Waterfox user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\ | 1304 | crypted[1].bin.exe
- Reads Uran user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\ | 1304 | crypted[1].bin.exe
- Reads Tor Browser user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\TorBro\Profile\ | 1304 | crypted[1].bin.exe
- Reads Nichrome user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Nichrome\User Data\ | 1304 | crypted[1].bin.exe
- Reads Qip surf user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\QIP Surf\User Data\ | 1304 | crypted[1].bin.exe
- Reads 7star user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\7Star\7Star\User Data\ | 1304 | crypted[1].bin.exe
- Reads Torch user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Torch\User Data\ | 1304 | crypted[1].bin.exe
- Reads Pale Moon browser user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\ | 1304 | crypted[1].bin.exe
- Suspicious use of SetWindowsHookEx ⋅ 1 IoCs
  Processes: crypted[1].bin.exe
  pid | process
  1304 | crypted[1].bin.exe
- ⋅ 4 IoCs
  Processes: crypted[1].bin.exe
  description | ioc | pid | process
  | drive.google.com | |
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\machineinfo.txt | 1304 | crypted[1].bin.exe
  HTTP URL | http://34.76.145.229/gate/log.php | |
  HTTP URL | http://34.76.145.229/file_handler/file.php?hash=d3a547a5fa34fecef563a4e0d65825c4539a5386&js=8eb1309d3b4163e746e3f66ce26ccf5f269dd5e5&callback=http://34.76.145.229/gate | |
- Reads Sputnik user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\ | 1304 | crypted[1].bin.exe
- Reads user profile for Thunderbird email client, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\ | 1304 | crypted[1].bin.exe
- Reads Rockmelt user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\RockMelt\User Data\ | 1304 | crypted[1].bin.exe
- Reads Vivaldi user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Vivaldi\User Data\ | 1304 | crypted[1].bin.exe
- Reads Amigo user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Amigo\User Data\ | 1304 | crypted[1].bin.exe
- Reads Orbitum user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Orbitum\User Data\ | 1304 | crypted[1].bin.exe
- Reads Suhba user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Suhba\User Data\ | 1304 | crypted[1].bin.exe
- Checks for installed software on the system ⋅ 1 TTPs 1 IoCs
  TTPs:
  Processes: crypted[1].bin.exe
  description | ioc | pid | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName | 1304 | crypted[1].bin.exe
- Reads Chromium user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Chromium\User Data\ | 1304 | crypted[1].bin.exe
- Reads Dragon user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\ | 1304 | crypted[1].bin.exe
- Reads Kometa user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Kometa\User Data\ | 1304 | crypted[1].bin.exe
- Reads Superbird user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Superbird\User Data\ | 1304 | crypted[1].bin.exe
- Modifies system certificate store ⋅ 3 IoCs
  Processes: crypted[1].bin.exe
  description | ioc | pid | process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 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 | 1304 | crypted[1].bin.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 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 | 1304 | crypted[1].bin.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 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 | 1304 | crypted[1].bin.exe
- Reads Chrome user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ | 1304 | crypted[1].bin.exe
- Reads Epic privacy browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\ | 1304 | crypted[1].bin.exe
- Reads Centbrowser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\CentBrowser\User Data\ | 1304 | crypted[1].bin.exe
- Reads Elements browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Elements Browser\User Data\ | 1304 | crypted[1].bin.exe
- Reads Mustang user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\ | 1304 | crypted[1].bin.exe
- Deletes itself ⋅ 1 IoCs
  Processes: cmd.exe
  pid | process
  1800 | cmd.exe
- Reads Chrome SxS user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\ | 1304 | crypted[1].bin.exe
- Reads Bromium user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Bromium\User Data\ | 1304 | crypted[1].bin.exe
- Reads Chedot user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Chedot\User Data\ | 1304 | crypted[1].bin.exe
- Reads Firefox user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ | 1304 | crypted[1].bin.exe
- Accesses Bither wallet, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  description | ioc | pid | process
  File opened (read-only) | C:\Users\Admin\AppData\Roaming\Bither\address.db | 1304 | crypted[1].bin.exe
- Suspicious use of WriteProcessMemory ⋅ 2 IoCs
  Processes: crypted[1].bin.exe, cmd.exe
  description | pid | process | target process
  PID 1304 wrote to memory of 1800 | 1304 | crypted[1].bin.exe | cmd.exe
  PID 1800 wrote to memory of 1232 | 1800 | cmd.exe | PING.EXE
- Loads dropped DLL ⋅ 1 IoCs
  Processes: crypted[1].bin.exe
  pid | process
  1304 | crypted[1].bin.exe
- Reads Go! user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  Processes: crypted[1].bin.exe
  ioc | pid | process
  C:\Users\Admin\AppData\Local\Go!\User Data\ | 1304 | crypted[1].bin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
  Signatures: Reads Secure browser user data, possible credential harvesting; Reads Waterfox user profile, possible credential harvesting; Reads Uran user data, possible credential harvesting; Reads Tor Browser user profile, possible credential harvesting; Reads Nichrome user data, possible credential harvesting; Reads Qip surf user data, possible credential harvesting; Reads 7star user data, possible credential harvesting; Reads Torch user data, possible credential harvesting; Reads Pale Moon browser user profile, possible credential harvesting; Suspicious use of SetWindowsHookEx; Reads Sputnik user data, possible credential harvesting; Reads user profile for Thunderbird email client, possible credential harvesting; Reads Rockmelt user data, possible credential harvesting; Reads Vivaldi user data, possible credential harvesting; Reads Amigo user data, possible credential harvesting; Reads Orbitum user data, possible credential harvesting; Reads Suhba user data, possible credential harvesting; Checks for installed software on the system; Reads Chromium user data, possible credential harvesting; Reads Dragon user data, possible credential harvesting; Reads Kometa user data, possible credential harvesting; Reads Superbird user data, possible credential harvesting; Modifies system certificate store; Reads Chrome user data, possible credential harvesting; Reads Epic privacy browser user data, possible credential harvesting; Reads Centbrowser user data, possible credential harvesting; Reads Elements browser user data, possible credential harvesting; Reads Mustang user data, possible credential harvesting; Reads Chrome SxS user data, possible credential harvesting; Reads Bromium user data, possible credential harvesting; Reads Chedot user data, possible credential harvesting; Reads Firefox user profile, possible credential harvesting; Accesses Bither wallet, possible credential harvesting; Suspicious use of WriteProcessMemory; Loads dropped DLL; Reads Go! user data, possible credential harvesting
- C:\Windows\SysWOW64\cmd.exe
  Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
  Signatures: Deletes itself; Suspicious use of WriteProcessMemory
- C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "-1333835286-1054468390-1472936826-787043865-20918172221881988614-2562341841526789034"
- C:\Windows\SysWOW64\PING.EXE
  Command line: ping 1.1.1.1 -n 1 -w 3000
  Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix
Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
- \Users\Admin\AppData\Local\Temp\AdLibs\mozglue.dll
- \Users\Admin\AppData\Local\Temp\AdLibs\msvcp140.dll
- \Users\Admin\AppData\Local\Temp\AdLibs\nss3.dll
- \Users\Admin\AppData\Local\Temp\AdLibs\vcruntime140.dll
- \Users\Admin\AppData\Local\Temp\sqlite3.dll