4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6

Analysis

max time kernel
184s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe
Size

401KB
MD5

1e2d8a6d5bedd11e058b18d2ec2a8fbc
SHA1

baa9c95f346e8d563a9e4a76b17e6f7aa0c2226d
SHA256

4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6
SHA512

3d02c33bec003272bbc0734f6e879c4c40a385057be1e243eee6534193eac976b5e3c2fe45ae8675f94e9321d8db1c8fae796b4341cbe7ec09cb9126d856687b
SSDEEP

6144:550gUCc5IQ5FMvhefYIeLX+ULIO3m95twAuZ+cL0udOIjWM8AvA7KGbN9cfjUiWq:r0gIV56SYIczVmjuldONAvA7KGbNuw+

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1220	7za.exe
4540	rundll32.exe
4396	starer.exe

Loads dropped DLL 1 IoCs

pid	Process
5000	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0580aa91-bc90-45c2-ad6b-82bd6dd1416f.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221129063505.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3656	msedge.exe
3656	msedge.exe
4236	msedge.exe
4236	msedge.exe
1092	identity_helper.exe
1092	identity_helper.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4236	msedge.exe
4236	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4396	starer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 1220	5000	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	81
PID 5000 wrote to memory of 1220	5000	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	81
PID 5000 wrote to memory of 1220	5000	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	81
PID 5000 wrote to memory of 4540	5000	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	83
PID 5000 wrote to memory of 4540	5000	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	83
PID 5000 wrote to memory of 4540	5000	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	83
PID 5000 wrote to memory of 4396	5000	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	84
PID 5000 wrote to memory of 4396	5000	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	84
PID 5000 wrote to memory of 4396	5000	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	84
PID 4396 wrote to memory of 4236	4396	starer.exe	85
PID 4396 wrote to memory of 4236	4396	starer.exe	85
PID 4236 wrote to memory of 3392	4236	msedge.exe	86
PID 4236 wrote to memory of 3392	4236	msedge.exe	86
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3692	4236	msedge.exe	89
PID 4236 wrote to memory of 3656	4236	msedge.exe	90
PID 4236 wrote to memory of 3656	4236	msedge.exe	90
PID 4236 wrote to memory of 3492	4236	msedge.exe	91
PID 4236 wrote to memory of 3492	4236	msedge.exe	91
PID 4236 wrote to memory of 3492	4236	msedge.exe	91
PID 4236 wrote to memory of 3492	4236	msedge.exe	91
PID 4236 wrote to memory of 3492	4236	msedge.exe	91
PID 4236 wrote to memory of 3492	4236	msedge.exe	91
PID 4236 wrote to memory of 3492	4236	msedge.exe	91
PID 4236 wrote to memory of 3492	4236	msedge.exe	91
PID 4236 wrote to memory of 3492	4236	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe
"C:\Users\Admin\AppData\Local\Temp\4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\a.7z" -pBTI7u8A66Q -o"C:\Users\Admin\AppData\Local\Temp\" -aoa
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Users\Admin\AppData\Local\Temp\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\rundll32.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Users\Admin\AppData\Local\Temp\starer.exe
  C:\Users\Admin\AppData\Local\Temp\starer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ilikeua.com/1.php
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf63246f8,0x7ffdf6324708,0x7ffdf6324718
      4⤵
      PID:3392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
      4⤵
      PID:3692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
      4⤵
      PID:3492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      PID:3924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:4336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
      4⤵
      PID:3740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5152 /prefetch:8
      4⤵
      PID:372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
      4⤵
      PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5352 /prefetch:8
      4⤵
      PID:4216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
      4⤵
      PID:4184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
      4⤵
      PID:4864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
      4⤵
      PID:5032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1744 /prefetch:1
      4⤵
      PID:3344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
      4⤵
      PID:792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:2244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x260,0x264,0x268,0x23c,0x26c,0x7ff76c6e5460,0x7ff76c6e5470,0x7ff76c6e5480
        5⤵
        
        PID:3948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
      4⤵
      PID:1944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6880 /prefetch:8
      4⤵
      PID:3648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16978463998710556632,4100223782421062321,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6880 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.7z

Filesize
5KB

MD5
609a586468e2a2fb2c7e8f9c3984813f

SHA1
ce308a9b51bffc8b9504870ec8ab23cceb507be7

SHA256
a84107a114f465db4466708ccc898ee62f70d1648779248bc7d89e7a611f927e

SHA512
5371d4f23921bba3d2e576c1740e7b73823fc545c207c3f320a7cf118adab850d30a5ee77d0247f669ac96d64b0d8686ef535ee22cb2c51aa6837c9a8f7e0761

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw23D5.tmp\execDos.dll

Filesize
5KB

MD5
0deb397ca1e716bb7b15e1754e52b2ac

SHA1
fbb9bcf872c5dbb4ca4c80fb21d41519bc273ef5

SHA256
720be35cd1b4a333264713dc146b4ad024f3a7ad0644c2d8c6fcedd3c30e8a1f

SHA512
507db0bee0897660750007e7ce674406acf9e8bf942cf26ded5654c07682757b07c9eb767bead0966478abc554dc9a6461c4288dc35d12cacfadad4c128f1bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\starer.exe

Filesize
20KB

MD5
e16edd984b5963e3dabbddd7d6737a0f

SHA1
a835149425c257712d44b0dc1e02476bb4dfbb5a

SHA256
978489c7490b696cd3c3aa683b73755b2ea743602271c4450417802915a67f89

SHA512
355cc8573413793e5b1f360b302003d22859aa9f3d32128e6d99035e58d8099e4b69e3bf061457f7dbb7712f77932991021cf9a08e632a081f134935fe428f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\starer.exe

Filesize
20KB

MD5
e16edd984b5963e3dabbddd7d6737a0f

SHA1
a835149425c257712d44b0dc1e02476bb4dfbb5a

SHA256
978489c7490b696cd3c3aa683b73755b2ea743602271c4450417802915a67f89

SHA512
355cc8573413793e5b1f360b302003d22859aa9f3d32128e6d99035e58d8099e4b69e3bf061457f7dbb7712f77932991021cf9a08e632a081f134935fe428f46

Download Submit