6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d

Analysis

max time kernel
130s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-10-2022 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Size

1.3MB
MD5

9452b43c872f4faee376be781cc806ac
SHA1

9c4cd526673d65da48b338254a7026a705e54bee
SHA256

6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d
SHA512

4a4ef2cc77a4915c76f002050b0c54ca5494d0e972e95c912cc7a59c47a5861069a1b933ba862fc315bd1e185fea66dee04475157d7b16e421d156889c7d751e
SSDEEP

24576:Z2cJ+//0wDXIxwbDbNyGYb8hDymv6+zQ6ZbpzN0OUQmCRkRuRD:Z2cJqPLV/F9v65UaOUQmCuRuR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
904	~~4651351452857323937.tmp.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Chaos Group	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk\bin\plugins	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk\bin\更多精华资源下载.url	~~4651351452857323937.tmp.exe
File created	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\www.lx7d.com.txt	~~4651351452857323937.tmp.exe
File created	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\更多精华资源下载.url	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\更多精华资源下载.url	~~4651351452857323937.tmp.exe
File created	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk\bin\cgauth.dll	~~4651351452857323937.tmp.exe
File created	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk\bin\plugins\vray_BRDFScanned.dll	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk\bin\www.lx7d.com.txt	~~4651351452857323937.tmp.exe
File created	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk\bin\更多精华资源下载.url	~~4651351452857323937.tmp.exe
File created	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\書山有路勤爲徑，學海無涯苦作舟。.txt	~~4651351452857323937.tmp.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_7105361	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk\bin	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk\bin\cgauth.dll	~~4651351452857323937.tmp.exe
File created	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk\bin\書山有路勤爲徑，學海無涯苦作舟。.txt	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk\bin\書山有路勤爲徑，學海無涯苦作舟。.txt	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\書山有路勤爲徑，學海無涯苦作舟。.txt	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk\bin\plugins\vray_BRDFScanned.dll	~~4651351452857323937.tmp.exe
File created	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\vrayappsdk\bin\www.lx7d.com.txt	~~4651351452857323937.tmp.exe
File opened for modification	C:\Program Files\Chaos Group\V-Ray\V-Ray for SketchUp\extension\www.lx7d.com.txt	~~4651351452857323937.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000b473e6c3547e395751c04b6379ae5681ee3b46b5e63bebd0689ed90767e7f70c000000000e800000000200002000000015f606f6b3bd8e125d93f6e740566677f50655c0f4eb5b99e45b09a6208a6c9520000000bbfa018c99083de81e0a6519ba76876bf84834646998cbe0a74d00a655afd3c240000000e7513c41c21aadf903f96629223ea99db157dd10760d54f2d8e4a4f84990b2e5b18014d5cfaddaa1040f75e978900b65e4508ce9994f9a384304858b1b5071dc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000032c7b4e87ceffcd1f19a4129941dff9c7fcbe3adfdaff7111dcdc1e3d95b1e43000000000e80000000020000200000009f28c0dc9815d89491107b7b8b2f7a8a6aca8d042cb6cf83f37092a080d77ec290000000a4464417a43af38af26f18190edfdd1d526013c9f191ca9dc13430a3ede048c13af3da06a09d97efec336522c7123fd66b8b0359405d1ae68035a550957ea925e2ac18dd891d9b2628da7a2b8b0f2f8e8c8704169c0a5a41b5a989b8b19b800e11418c5faa306a792ff2127b0119317ed3b405ac22fcaab93d1deec4b2c6e41b557bbfc83d4e9aca6c339929f8498bef40000000b85eee22278306ca60b8dfda58587e13e3a3f3ae0231287d33d2f44806e2ce52cea4219b44e53c5bc4fbc03a4e80a824f8664549b1e96fc67a4cd3880cfa1eb3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 303f95dc5adad801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371918596"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED269BF1-464D-11ED-9843-7ADD0904B6AC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeBackupPrivilege	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: SeRestorePrivilege	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: 33	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: SeIncBasePriorityPrivilege	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: 33	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: SeIncBasePriorityPrivilege	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: SeBackupPrivilege	608	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: SeRestorePrivilege	608	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: 33	608	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: SeIncBasePriorityPrivilege	608	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: 33	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: SeIncBasePriorityPrivilege	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: 33	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: SeIncBasePriorityPrivilege	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: SeBackupPrivilege	1768	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: SeRestorePrivilege	1768	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: 33	1768	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
Token: SeIncBasePriorityPrivilege	1768	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
748	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
748	iexplore.exe
748	iexplore.exe
564	IEXPLORE.EXE
564	IEXPLORE.EXE
564	IEXPLORE.EXE
564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 608	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	26
PID 1348 wrote to memory of 608	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	26
PID 1348 wrote to memory of 608	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	26
PID 1348 wrote to memory of 904	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	27
PID 1348 wrote to memory of 904	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	27
PID 1348 wrote to memory of 904	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	27
PID 1348 wrote to memory of 904	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	27
PID 904 wrote to memory of 748	904	~~4651351452857323937.tmp.exe	28
PID 904 wrote to memory of 748	904	~~4651351452857323937.tmp.exe	28
PID 904 wrote to memory of 748	904	~~4651351452857323937.tmp.exe	28
PID 904 wrote to memory of 748	904	~~4651351452857323937.tmp.exe	28
PID 1348 wrote to memory of 1768	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	30
PID 1348 wrote to memory of 1768	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	30
PID 1348 wrote to memory of 1768	1348	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	30
PID 1768 wrote to memory of 900	1768	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	31
PID 1768 wrote to memory of 900	1768	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	31
PID 1768 wrote to memory of 900	1768	6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe	31
PID 748 wrote to memory of 564	748	iexplore.exe	33
PID 748 wrote to memory of 564	748	iexplore.exe	33
PID 748 wrote to memory of 564	748	iexplore.exe	33
PID 748 wrote to memory of 564	748	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
"C:\Users\Admin\AppData\Local\Temp\6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
  PECMD**pecmd-cmd* PUTF "C:\Users\Admin\AppData\Local\Temp\~~4651351452857323937.tmp.exe",,"C:\Users\Admin\AppData\Local\Temp\6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe""#102|SCRIPT"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Users\Admin\AppData\Local\Temp\~~4651351452857323937.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\~~4651351452857323937.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.lx7d.com/forum.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:564
- C:\Users\Admin\AppData\Local\Temp\6db62dd8dd030ef514337fb3c7f147c0665efbcc37b1ff97707ed74094a8835d.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~8046474813312264262.cmd"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\~8046474813312264262.cmd"
    3⤵
    PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
5KB

MD5
b313d210eff71dc2221e7f55dcc63a89

SHA1
553db0ca500ec440b1ba1c6c83d28c411a76a7fc

SHA256
a6257c5046b839ee73c05a8e9f12ab69fd8d40b28fd87dc17b3f414791ed0912

SHA512
868ea0597995ca79fb975676f4c07e94d9fd8523d1531dc78afbb14c2f96b49c897f18a5279bcab0bc8b9f339f3401d3273eaa497a36a38e65967e87aa9e7e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8046474813312264262.cmd

Filesize
404B

MD5
23579ac1e4c43fcb2c04f6d1f8a794fd

SHA1
5be44aa7755e4d958c495c041f8dd00cf83a4f30

SHA256
d2249035ccee86f89043af846bd969d02226e0de569ecdebf81d0da55b944118

SHA512
da272e81cb905bc709b6098082e7290f7ef2e50affd6fbdfc66c21030d3865327914923f8ec5381715cfde85b7532e67186b2d71e34174dd2dd1b13cc56c0e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~4651351452857323937.tmp.exe

Filesize
780KB

MD5
626903ee8e09561cf1874db9aea14a2a

SHA1
bb712ab8f0e3439f6cc8a0ac69529c2317a20bba

SHA256
ac0afc4ab33420118d4f4f0f4141c81cf4fab1f39bb0b2b2b9fc831fd7fd07e1

SHA512
e9cfd3b1656db3acf90f00777bd105264fcc0f9a4edbb7b630d509255d4a52111e0b79c18e64c2fa72aad8e77aeaa2d173ac407aed968b2c1f202977ed14fc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~4651351452857323937.tmp.exe

Filesize
780KB

MD5
626903ee8e09561cf1874db9aea14a2a

SHA1
bb712ab8f0e3439f6cc8a0ac69529c2317a20bba

SHA256
ac0afc4ab33420118d4f4f0f4141c81cf4fab1f39bb0b2b2b9fc831fd7fd07e1

SHA512
e9cfd3b1656db3acf90f00777bd105264fcc0f9a4edbb7b630d509255d4a52111e0b79c18e64c2fa72aad8e77aeaa2d173ac407aed968b2c1f202977ed14fc78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5GK1Z530.txt

Filesize
606B

MD5
38385b6eb4fc6c9154fae6523293a959

SHA1
04c5c70c31605b00716048518b0c395cb26c052d

SHA256
8a610e9a9dfb130eac8b10720d7372841be38b09ce5598e344ba94698419cf4d

SHA512
474173199466105a739e8ff60e761dc40868be99e2fbcde6643fa2b18ae0b89dd896648b030a80b448752dc9a63d2058022d7f0486ac80c4ab16dd5de2737fea

Download Submit
memory/608-55-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/904-61-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1348-59-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/1348-60-0x0000000002060000-0x0000000002256000-memory.dmp

Filesize
2.0MB

Download
memory/1348-62-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1348-67-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/1768-65-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download