ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5

Analysis

max time kernel
151s
max time network
194s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
Size

176KB
MD5

da322a471ad1833c168ceb738a781b29
SHA1

8ab09c58f7b301ccf2d679f1c415b2bde3e22a25
SHA256

ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5
SHA512

9e9a9616788cb16e3b011889e77e24d2f6f976ebe9925a8fde50c9b68207ba26b6a3052dac862a8bb068117e35e5bdf82d5123461c48c019169b718671c96f2b
SSDEEP

3072:MlRn2s7yyhnlhxi80WgYgD6KGaD48/xFw4k6Kr8SbEX:K7yyp/el7z

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\L:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\S:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\U:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\V:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\W:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\B:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\F:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\H:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\M:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\P:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\E:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\J:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\K:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\N:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\Q:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\Y:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\Z:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\G:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\O:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\R:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\T:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\X:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
File opened (read-only)	\??\A:	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A72A9B30-7102-11ED-85E0-FE41811C61F5} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bdfd0d989f0a0a46924ddabb055f5d6300000000020000000000106600000001000020000000a4959ac7574207e64598c6f4bed049d40ed53cdbb8ae9b641af4c40d9a44a3dd000000000e8000000002000020000000eeae55d4c269e32c27e1fb98e25774dfafbd8d79ca7ad69e0384846ede700f2390000000f70131081e484b927292646613afdb1a7055008f73c110e4c8743b22f8cd20d8ccb577ddae55bda8e1e45acfa60b608928f1ab31086912ae9688ff3388b961ca95d3f2674087bcdf4103585772cbd833702fbd84930cd78f9722f8020536870b2969898bae2d0e90a8aa8d2ddea132c4eeb02b0abc7db63a8c79c2bd6995073cefd39460389236d6f49054335b86cded400000001f21b67fa9b7ee2e17ee635c95eb050b6ee1c7d7931e8eb0a4aeb8c863bb1ea7947609a38f06a91baeff50645090555f2949fdb8be123e3586b3b7add862aa17	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\facebook.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bdfd0d989f0a0a46924ddabb055f5d6300000000020000000000106600000001000020000000dda4c9c770075fdaae0a26eefb577473f273e64a95d9edbc4ac91e7d07218313000000000e80000000020000200000009086fcc56a87d8e1aecd654ebda11b6447c34d48bc5719d399016d25590b8d7c200000002077621229f292d5488e37397aacf982f5432057b85cbcb05f7ae67fee6a24474000000063fe2a25d9a34f3252528ed304ac6da474d749f227b1287f9179ffc9368388c33e18765cf77f2d2b4de0fd202956860f9394474ac807b8243ee6fcc876460219	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\facebook.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A72AC240-7102-11ED-85E0-FE41811C61F5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376614153"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b7ec940f05d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1512	iexplore.exe
1172	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1120	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
1120	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
1172	iexplore.exe
1512	iexplore.exe
1172	iexplore.exe
1512	iexplore.exe
584	IEXPLORE.EXE
584	IEXPLORE.EXE
1400	IEXPLORE.EXE
1400	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1172	1120	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe	27
PID 1120 wrote to memory of 1172	1120	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe	27
PID 1120 wrote to memory of 1172	1120	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe	27
PID 1120 wrote to memory of 1172	1120	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe	27
PID 1120 wrote to memory of 1512	1120	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe	28
PID 1120 wrote to memory of 1512	1120	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe	28
PID 1120 wrote to memory of 1512	1120	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe	28
PID 1120 wrote to memory of 1512	1120	ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe	28
PID 1512 wrote to memory of 584	1512	iexplore.exe	31
PID 1512 wrote to memory of 584	1512	iexplore.exe	31
PID 1512 wrote to memory of 584	1512	iexplore.exe	31
PID 1512 wrote to memory of 584	1512	iexplore.exe	31
PID 1172 wrote to memory of 1400	1172	iexplore.exe	30
PID 1172 wrote to memory of 1400	1172	iexplore.exe	30
PID 1172 wrote to memory of 1400	1172	iexplore.exe	30
PID 1172 wrote to memory of 1400	1172	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe
"C:\Users\Admin\AppData\Local\Temp\ad75e159d457c87bfab91ac01a80c7dec051c1b27b10109fc024f4b0444cafd5.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://zamzamcyber.blogspot.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1172 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1400
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.facebook.com/profile.php?id=100002541393938
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8409e35164a9927dec54b5be023f59f0

SHA1
7bc366e3eb60570b99c8663efa7002cc8f6f5954

SHA256
014c81ae2cb9b019a14f9a5719cddd2541b62dcac2c81f05efe51932245f2b4d

SHA512
89c7f3da58579c1c9bd0cb0827349da9686feb19f293c959ddc73c6772f1c0d2ba3adecf5d9afdc2552d581efba852f2a0e11c82cfb32b1e713eef0f605e2acd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a044069e745fcd1752a766bb087816f4

SHA1
cede1e042fabfa3dcb3092dda9930a234aa630ba

SHA256
34e7fed27a5c899061eb3e5ff695585038d0565be36b4e9b6aa86ad657f78f99

SHA512
a6f350817dcad588ff7a3424e325bcdf1a28f102e6d207f83eedf5088768c5baae241057f5966b70fcc39a88e0594d0a8d2995c30b2158c126872c5336171e8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7291189996474bd028a0d5a603aa602

SHA1
693ebd4408a0ae3d717ffe450820fa7020c1fc22

SHA256
08aa54e3469d34a1fb6513c6ca6bb10bbb0e1b41078f8c88cd5a45690ce9ca7a

SHA512
cc54cf52c75d3e2068d60f42046270a49f30671e078a3df3f4aec405b5443244b58359f42222fc9a9e82e1370ec4d2b63013fe772b1d6b59bf7ba1fb5c969975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A72A9B30-7102-11ED-85E0-FE41811C61F5}.dat

Filesize
3KB

MD5
8230ad5a558c80d647e0998bb3a62aae

SHA1
97eb9dea58f682635d070cf98237319abc8d897d

SHA256
bfce2fc6d2810bd4aaf094b256b00119e0d67d8ee325d7b00c764ba01b9ba74d

SHA512
354fa2afc34b08b983e7d69959dfdfffdce570010a263a274edd58452cb8921da78e256291f36a41cdcced804827da9c5e2a0ff2e2377dc47bf53b52660ab19e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A72AC240-7102-11ED-85E0-FE41811C61F5}.dat

Filesize
5KB

MD5
384d93768314d02c559495c63f118542

SHA1
9206485afd6ec06a23f4474cc368c1cdb9de0117

SHA256
825c909db79157f2fcc0ce76bd639bf7736991cce5853e632929873b84fdce7c

SHA512
a7c8ca0bf8732424dd6c5ee3825f06e9462212b6ea12f6f5c5448c2e9e8c0b2d36f0422b3aefdf297ecc1464b3138a0afa7293eed3591789d543705366549674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
8KB

MD5
33a12fcf8b292ece8777789562866b91

SHA1
10bb3a61986c6f5957ca1495662ebc35ae0a8dc0

SHA256
2d6ec22579712526788b7a2bb2c89f955d05c06f34917f317aba25372e2badf1

SHA512
2578a6f7e62ba67ff8d50fdaa33f2f757cd4b91b2092cd7d7293d9977af714d7c9ee8021852683c21f8bae87068559529c5c32f8ffde9c5c05bfe1e883c74b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
14KB

MD5
4f53f7066c0a73041294c34cb467a040

SHA1
e53b33282ac21950310f49874a0f2d298fe4487d

SHA256
749fcb513f37b29881f0bc4b32b924e3cfc09a0fa9220d4ebc9a3965bb39be5f

SHA512
2a3c6da10ef8f1346154b5c7daa10c8d87106de7d3c50743fe75e2bfc8bb41f75d9fd1d4f22e756e866679e8ace57a4be7ada7bc85e8572e4b36915b606f0086

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7UJLTXXY.txt

Filesize
539B

MD5
b57757a37d2b2cb289ec176a62be9839

SHA1
6624e52da7617f69382de74a45dff77ba20cab1e

SHA256
f88ed6257690940ee325f9590b3ffdc47ad289e7d988cbc005a75a4a7291a488

SHA512
2d8d5169cad03f50b9e3910933ab44929d5405d86dfa47e5d25a823ccfa0606be48515f00b58b75674ce5ed1c6b44b33994a15b5a32e7bfd0aaac86a4b32bd58

Download Submit
memory/1120-60-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/1120-59-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/1120-57-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1120-58-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download