cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f

Analysis

max time kernel
141s
max time network
173s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe
Size

69KB
MD5

0d19f273b161ddac5e37002296625540
SHA1

d413b01f7f9c280286e28a84543476a7941119b9
SHA256

cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f
SHA512

be414568bdb088911434a36a5a3980e68a579c6cda7cdf9f91a4a408a349a87b1645bbc501788e464adc2bbca3dd41b4903a8403df811d2829efac04a761a68e
SSDEEP

1536:dOplpgYQmvKfP9dqzMLon9/zFxhbISz5VffMOZS9da2m:dOp/gYlvK6zMLo9/zF9zPfBSjS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1240	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{A60F0417-DEA2-4C4B-A94C-9A5D12552C10}.lnk	cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe

Loads dropped DLL 1 IoCs

pid	Process
1400	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	rundll32.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D53FE81-5F45-11ED-8C74-D6AAFEFD221A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374663554"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InformationBar\FirstTime = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InformationBar	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000089cba3482c7447b6095f153bf64f07f4d1e5a041f2a8388fe119c68066ecd445000000000e800000000200002000000044e221a7b4e0307be2b2ef2c524f5f2c3dd5c8ccc253ab66a46e3a8b8ffed46790000000fe42dc827e2f659cc8a5307bae2583999f7cd0a42b47813608f674addf3c580912261313c0889df242121e1704974d68fd4f58db50b94842cb0102c3109ec4a32870ff5b561a51fe0b9f747fd8854d01dc9c20f5db3cb1d2f162d3fa082e9ab5ecb722678084bef2877e2621fa3d4f152019c90db6bf419f6346d8c9a650d6055ccffcd9341e4839d253f356c6bf702040000000e3262e1744718505b27f8df00a979adc06c170000b23d146c474248e22c80f7a46ac4918fb64eb4c9ff36ed7f62d7f078deb0b4710a90263e99bdfb1c9b1a0ec	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\WarnOnClose = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\NoReopenLastSession = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000037fc73ddc81f9e9f2c76ab8773eb9da047c5e92b532809528474f66ca368e713000000000e8000000002000020000000c63f79333076d9cf63fd82b5d62f98eb69a697bd9b98a6af2de2741adb0259b22000000082c4db435a674b9654458ae7e9600b8b3d241bb92fe1da3eae2b32a4793ade9b40000000efc33e53944a5c3076c11c5d94f0e7fc369edc070436a6a91f1c8cb873b3cfa35c7816833616fb26c95093fbb8a675084fd03a8c2ed63e8bc90396bb10584f93	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4E71BBA1-5F45-11ED-8C74-D6AAFEFD221A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\New Windows\PopupMgr = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\WarnOnCloseAdvanced = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ccb50f52f3d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1204	PING.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
636	iexplore.exe
1216	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
636	iexplore.exe
636	iexplore.exe
908	IEXPLORE.EXE
908	IEXPLORE.EXE
1216	iexplore.exe
1216	iexplore.exe
964	IEXPLORE.EXE
964	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 1400	996	cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe	27
PID 996 wrote to memory of 1400	996	cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe	27
PID 996 wrote to memory of 1400	996	cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe	27
PID 996 wrote to memory of 1400	996	cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe	27
PID 996 wrote to memory of 1400	996	cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe	27
PID 996 wrote to memory of 1400	996	cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe	27
PID 996 wrote to memory of 1400	996	cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe	27
PID 996 wrote to memory of 1240	996	cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe	28
PID 996 wrote to memory of 1240	996	cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe	28
PID 996 wrote to memory of 1240	996	cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe	28
PID 996 wrote to memory of 1240	996	cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe	28
PID 1240 wrote to memory of 1204	1240	cmd.exe	30
PID 1240 wrote to memory of 1204	1240	cmd.exe	30
PID 1240 wrote to memory of 1204	1240	cmd.exe	30
PID 1240 wrote to memory of 1204	1240	cmd.exe	30
PID 636 wrote to memory of 908	636	iexplore.exe	33
PID 636 wrote to memory of 908	636	iexplore.exe	33
PID 636 wrote to memory of 908	636	iexplore.exe	33
PID 636 wrote to memory of 908	636	iexplore.exe	33
PID 636 wrote to memory of 1956	636	iexplore.exe	35
PID 636 wrote to memory of 1956	636	iexplore.exe	35
PID 636 wrote to memory of 1956	636	iexplore.exe	35
PID 636 wrote to memory of 1076	636	iexplore.exe	36
PID 636 wrote to memory of 1076	636	iexplore.exe	36
PID 636 wrote to memory of 1076	636	iexplore.exe	36
PID 636 wrote to memory of 1416	636	iexplore.exe	37
PID 636 wrote to memory of 1416	636	iexplore.exe	37
PID 636 wrote to memory of 1416	636	iexplore.exe	37
PID 1216 wrote to memory of 964	1216	iexplore.exe	39
PID 1216 wrote to memory of 964	1216	iexplore.exe	39
PID 1216 wrote to memory of 964	1216	iexplore.exe	39
PID 1216 wrote to memory of 964	1216	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe
"C:\Users\Admin\AppData\Local\Temp\cdc6e717cb9f46e729594feb91200b3cd90a53e91c09790229c16b8cd06b3a1f.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\FONTCACHE.DAT",#1
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  PID:1400
- C:\Windows\SysWOW64\cmd.exe
  /s /c "for /L %i in (1,1,100) do (del /F "C:\Users\Admin\AppData\Local\Temp\CDC6E7~1.EXE" & ping localhost -n 2 & if not exist "C:\Users\Admin\AppData\Local\Temp\CDC6E7~1.EXE" Exit 1)"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - Runs ping.exe
    PID:1204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:636 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:908
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  - Modifies Internet Explorer settings
  PID:1956
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  - Modifies Internet Explorer settings
  PID:1076
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  - Modifies Internet Explorer settings
  PID:1416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FONTCACHE.DAT

Filesize
54KB

MD5
cdfb4cda9144d01fb26b5449f9d189ff

SHA1
315863c696603ac442b2600e9ecc1819b7ed1b54

SHA256
f5785842682bc49a69b2cbc3fded56b8b4a73c8fd93e35860ecd1b9a88b9d3d8

SHA512
41d6ec0c66c51873cdba8bcd0e35f6237b8dddab843a9d7ae4e2639282596c1f0a18a932bc0a8ab3f60972e4ef1636d590b4e25cb213e66bb20c396192f7d4e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P7DP9CBO.txt

Filesize
608B

MD5
e53b7697f5b20a236b9c5db73e7198cc

SHA1
0fc2aa693893b0714da44b4183798391db8638d8

SHA256
2513674adfae75cdf7da463a898c2ff46e8291aad1b10c4f7981aa80c0cfae94

SHA512
53676d700f4fd3de51d70e12d94c0539beb66b3eb546fc0ab178b0913b7318a30595ab82b5ee4eeb647933ae3c6d75b4110d4163f2710eefdc40b0d686fd1d54

Download Submit
\Users\Admin\AppData\Local\FONTCACHE.DAT

Filesize
54KB

MD5
cdfb4cda9144d01fb26b5449f9d189ff

SHA1
315863c696603ac442b2600e9ecc1819b7ed1b54

SHA256
f5785842682bc49a69b2cbc3fded56b8b4a73c8fd93e35860ecd1b9a88b9d3d8

SHA512
41d6ec0c66c51873cdba8bcd0e35f6237b8dddab843a9d7ae4e2639282596c1f0a18a932bc0a8ab3f60972e4ef1636d590b4e25cb213e66bb20c396192f7d4e0

Download Submit
memory/996-54-0x0000000001E30000-0x0000000001E40000-memory.dmp

Filesize
64KB

Download
memory/1400-57-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/1400-62-0x0000000010010000-0x000000001001B000-memory.dmp

Filesize
44KB

Download
memory/1400-63-0x0000000010010000-0x000000001001B000-memory.dmp

Filesize
44KB

Download
memory/1400-61-0x0000000010010000-0x000000001001B000-memory.dmp

Filesize
44KB

Download
memory/1416-68-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads