cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e

Analysis

max time kernel
151s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe
Size

338KB
MD5

277ada55027e622cb40e0073f3bf1455
SHA1

6afe2ecf96f343a309ae3862666a348008f64767
SHA256

cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e
SHA512

ab67089fed2cce855b5b4f4cd7a2315966568fb5a1e6607f3d09173c04e685c0a3cbe8d7e3245aa484b73368c5d66826dc52e51eea81f39b1048a23a9b323a3a
SSDEEP

6144:Rwv2GhNrav9aCHQiRgkktkAvgyFvatu6REs9TBaM5O5vWNUc43:Rw2iNzCwkgkktkAI8yY6Rpw5yu

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

2632 Client.exe

pid	process
2632	Client.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Client.exe

Drops startup file 4 IoCs

Processes:

Client.exevbc.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Plugin = "C:\\Users\\Admin\\Documents\\Client.exe"	Client.exe

Drops file in System32 directory 2 IoCs

Processes:

mmc.exemmc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 6 IoCs

Processes:

cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exeClient.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\mscfile\shell\open\command	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\mscfile	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\mscfile\shell	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\mscfile\shell\open	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\mscfile\shell\open\command\ = "1.exe"	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\mscfile\shell\open\command\ = "1.exe"	Client.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

mmc.exe

pid process

924 mmc.exe

pid	process
924	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exemmc.exeClient.exemmc.exe

description	pid	process
Token: SeDebugPrivilege	2440	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe
Token: SeSecurityPrivilege	1300	mmc.exe
Token: SeDebugPrivilege	2632	Client.exe
Token: SeSecurityPrivilege	924	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe
Token: 33	1300	mmc.exe
Token: SeIncBasePriorityPrivilege	1300	mmc.exe
Token: 33	924	mmc.exe
Token: SeIncBasePriorityPrivilege	924	mmc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

mmc.exemmc.exemmc.exemmc.exe

pid process

2664 mmc.exe
1300 mmc.exe
1300 mmc.exe
2356 mmc.exe
924 mmc.exe
924 mmc.exe

pid	process
2664	mmc.exe
1300	mmc.exe
1300	mmc.exe
2356	mmc.exe
924	mmc.exe
924	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exeeventvwr.exemmc.exeClient.exeeventvwr.exemmc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 2440 wrote to memory of 840	2440	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe	eventvwr.exe
PID 2440 wrote to memory of 840	2440	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe	eventvwr.exe
PID 2440 wrote to memory of 840	2440	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe	eventvwr.exe
PID 840 wrote to memory of 2664	840	eventvwr.exe	mmc.exe
PID 840 wrote to memory of 2664	840	eventvwr.exe	mmc.exe
PID 840 wrote to memory of 2664	840	eventvwr.exe	mmc.exe
PID 2664 wrote to memory of 1300	2664	mmc.exe	mmc.exe
PID 2664 wrote to memory of 1300	2664	mmc.exe	mmc.exe
PID 2440 wrote to memory of 2632	2440	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe	Client.exe
PID 2440 wrote to memory of 2632	2440	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe	Client.exe
PID 2440 wrote to memory of 2632	2440	cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe	Client.exe
PID 2632 wrote to memory of 2336	2632	Client.exe	eventvwr.exe
PID 2632 wrote to memory of 2336	2632	Client.exe	eventvwr.exe
PID 2632 wrote to memory of 2336	2632	Client.exe	eventvwr.exe
PID 2336 wrote to memory of 2356	2336	eventvwr.exe	mmc.exe
PID 2336 wrote to memory of 2356	2336	eventvwr.exe	mmc.exe
PID 2336 wrote to memory of 2356	2336	eventvwr.exe	mmc.exe
PID 2356 wrote to memory of 924	2356	mmc.exe	mmc.exe
PID 2356 wrote to memory of 924	2356	mmc.exe	mmc.exe
PID 2632 wrote to memory of 2972	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 2972	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 2972	2632	Client.exe	vbc.exe
PID 2972 wrote to memory of 2288	2972	vbc.exe	cvtres.exe
PID 2972 wrote to memory of 2288	2972	vbc.exe	cvtres.exe
PID 2972 wrote to memory of 2288	2972	vbc.exe	cvtres.exe
PID 2632 wrote to memory of 3272	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 3272	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 3272	2632	Client.exe	vbc.exe
PID 3272 wrote to memory of 5036	3272	vbc.exe	cvtres.exe
PID 3272 wrote to memory of 5036	3272	vbc.exe	cvtres.exe
PID 3272 wrote to memory of 5036	3272	vbc.exe	cvtres.exe
PID 2632 wrote to memory of 4992	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 4992	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 4992	2632	Client.exe	vbc.exe
PID 4992 wrote to memory of 3104	4992	vbc.exe	cvtres.exe
PID 4992 wrote to memory of 3104	4992	vbc.exe	cvtres.exe
PID 4992 wrote to memory of 3104	4992	vbc.exe	cvtres.exe
PID 2632 wrote to memory of 4076	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 4076	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 4076	2632	Client.exe	vbc.exe
PID 4076 wrote to memory of 4212	4076	vbc.exe	cvtres.exe
PID 4076 wrote to memory of 4212	4076	vbc.exe	cvtres.exe
PID 4076 wrote to memory of 4212	4076	vbc.exe	cvtres.exe
PID 2632 wrote to memory of 816	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 816	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 816	2632	Client.exe	vbc.exe
PID 816 wrote to memory of 4348	816	vbc.exe	cvtres.exe
PID 816 wrote to memory of 4348	816	vbc.exe	cvtres.exe
PID 816 wrote to memory of 4348	816	vbc.exe	cvtres.exe
PID 2632 wrote to memory of 1444	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 1444	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 1444	2632	Client.exe	vbc.exe
PID 1444 wrote to memory of 1240	1444	vbc.exe	cvtres.exe
PID 1444 wrote to memory of 1240	1444	vbc.exe	cvtres.exe
PID 1444 wrote to memory of 1240	1444	vbc.exe	cvtres.exe
PID 2632 wrote to memory of 4712	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 4712	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 4712	2632	Client.exe	vbc.exe
PID 4712 wrote to memory of 3300	4712	vbc.exe	cvtres.exe
PID 4712 wrote to memory of 3300	4712	vbc.exe	cvtres.exe
PID 4712 wrote to memory of 3300	4712	vbc.exe	cvtres.exe
PID 2632 wrote to memory of 3708	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 3708	2632	Client.exe	vbc.exe
PID 2632 wrote to memory of 3708	2632	Client.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe
"C:\Users\Admin\AppData\Local\Temp\cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\system32\mmc.exe
"C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
4⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Users\Admin\Documents\Client.exe
"C:\Users\Admin\Documents\Client.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\system32\mmc.exe
"C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
5⤵
- Drops file in System32 directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n3uwwhy3\n3uwwhy3.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F3DC580F3FA4344AD8E241460EA742.TMP"
4⤵
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p4fcznbi\p4fcznbi.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES753B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5697069E100547FD845F61A0C52249B6.TMP"
4⤵
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ye3e3t2k\ye3e3t2k.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES772F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8BDBA12B3EC04AB0BE2FBAFCE4B27E9F.TMP"
4⤵
PID:3104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bk32yawh\bk32yawh.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5371CB39FFB4675A16324B549E47E.TMP"
4⤵
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ruvqsggk\ruvqsggk.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D9E19CA1A4747EBBC665E50B064EDBD.TMP"
4⤵
PID:4348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iyiphy2d\iyiphy2d.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EA1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED583F5EA2984D249DC7455F90FED645.TMP"
4⤵
PID:1240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3y4qa22o\3y4qa22o.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3103134691134DFDA3DDFEF4C0198646.TMP"
4⤵
PID:3300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lvzjfjzg\lvzjfjzg.cmdline"
3⤵
PID:3708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED1A0768ECE2458893B07349F7747C19.TMP"
4⤵
PID:3648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3y4qa22o\3y4qa22o.0.vb
Filesize
286B

MD5
94754b77cc54cd9d3b5d72d59125921d

SHA1
8150666495927144805f03554fd33b926f5c8b97

SHA256
d706e2c7fc2c298c545659fd02167f66d1765766bbdb0d05cfaa2131640de819

SHA512
ba8b61690b829e1799e7299efd6d5318c1b7637942b45124f8b417078ff521e9b105807f552c2501ba489c6a562b5b5d1eb393f5d5c1c0f2ed70185f46cca2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\3y4qa22o\3y4qa22o.cmdline
Filesize
185B

MD5
961384dbed2d339ee693c8956501d595

SHA1
ff5f8af2cd98f98d8d7ee89bb5dcd953516922d0

SHA256
daeed58c91b581486540d6c08b537e199a50bc9b2902056cdf63b360c0e710d1

SHA512
ebbbbed6e38093f879868b91d91c8acedb19c5921f1d8bb170ea15fbd158655d3600fa57b6793d8d11d54b1db42b01c06889be6cfa5c5b17d6f63512d4f8f56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES70E5.tmp
Filesize
1KB

MD5
45ec40a6b046bce84c69e05da31e990f

SHA1
1181920135ada0d35c94d1ef4b64657f70611bab

SHA256
82f36db376cdfd854ef3078b6e7b698ca4323cbfbe83bb8a60728a685ba65d2e

SHA512
4890d24a1abcb8ea0d4805dbbcd44958e6365e71e0abea62afbb767a61e88bd930aaa31ed41b3cb9e51bd8396b2b4880e8c6c0701e15a44dd38133f9a4e97854

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES753B.tmp
Filesize
1KB

MD5
d6fc4aabab7b545202d8dfa332aa9a33

SHA1
d42abe26e5e65d42ecab8043ba535cbe0ce815fb

SHA256
9cf545e0680782986b34e7a405a3516b5411405af52e8cb5c861397210130e80

SHA512
742ef23a3c996cb24d5e9805411894710e68084313d6e08c3c8e5d608aa9b9453287b5d53e6f1477834fda8f36ad75868ca80dc697f61c02e0d05e15d6d0b79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES772F.tmp
Filesize
1KB

MD5
625ce120079682fd868d3699fdf2f763

SHA1
f80f48589c1e377131bdaf65681ea9689c179d53

SHA256
219b31a7f21aeec5a4f1971d2dd0be7c43c82e0e514809895f4c02e6f7979ef0

SHA512
bc10f6801c66f1d875a5e5e51a767eee3280ebb3f4d8f2ead997b7c23887bd77cf4649c6732a097c63792473810e1153bb4cb1ef482f13b6fa1bca5768263d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7A9A.tmp
Filesize
1KB

MD5
8c540074c8a4769579fa840c14665852

SHA1
290e533d3ba6984e0b8bcdccae25b0b85ed3e96a

SHA256
ac30d938c4f79fa07680e4232a9f704ce063ee2e6df9804c43197e1b03d4ccdc

SHA512
7a66c131d80b2e907e7e86892381325f73e6bb89140b14006c6bf228b7587d108f1c023cdbfcdd70e4a89e61e5b24172321afa477f13c2169dad6f2ddf742c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7CDC.tmp
Filesize
1KB

MD5
c6f855ee69ff435335da729dac63b96c

SHA1
173507f5d71834b248711f709bd137b14757927e

SHA256
ccf5fa0ed075ca31730c46b5f8053cae48b04995ff043321798b82f2e1b10060

SHA512
e2fe9fb38894b23eb765e60baff9d249e4aafd5998ea7b9b3d27ff0c48516fe036a8d7c024a300b7996511fe117f1c39e191701db0dbe7228fc2f5888390b9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7EA1.tmp
Filesize
1KB

MD5
f38962b7cf40367ff27328267d15103d

SHA1
79b18d3ebc476567c611240cb826dd414d6606bf

SHA256
c25b3fb38c61e47e8e66fa07fd20c9ce72c36023afd95f395a8d608e11ac7704

SHA512
9230469d27a191acb744965833899f4fb6ce53bc7a1f9b43c7c3852aa5bbdc5c2d31f4d4bb1910e229f7ed40700947af4b415b594878c1c3eb431147fe9a436e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES83D1.tmp
Filesize
1KB

MD5
7c97de352a66a6ea8832aa322f3a35df

SHA1
1d2582a526a3f48e04a17f2951f1ddf9012cdd89

SHA256
33c0af8d0b63569b0ede14a6046c83ffde0dd67f63c75c9a423790ac846ab5ed

SHA512
cf5f1897638fc17de6b519f5c124bdb629ae45e1300689aa03d618109ae6a4cfec3b7d706edd72fa24bc3fe66af6ffef9e5935e86920dc5bcacc9f4ff346d347

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES87B9.tmp
Filesize
1KB

MD5
c7ca934791243dd7150cbe284b2365ac

SHA1
5ca2fb2696a7f0ec45e7199199ef96aeb41d230d

SHA256
9034398c8f0737ffbbc1515d9daa7b8b1e5301a6894dd7b14882f5e022e41f2a

SHA512
d9ae4c518e587385b58e02c4540f5d023ebe8a53ca8469d9cb2a966a520396dd8df14d0e4bb3004151d67c74d5a48926897884b7ccba007b5aa6468c0390c17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bk32yawh\bk32yawh.0.vb
Filesize
287B

MD5
446000b2d5b86c061cb7dd858aa26170

SHA1
f70791509faca9cac2b4054f9e2202e46625e036

SHA256
eeba28ce662bc9eeb7e36be3e678548efc188bf6c9f9ab1e7cb0471767fe7482

SHA512
696395b13955cb2b67d067c5b966bbf3d80337e6e7ef2db43b3ad9b63036e03c08240b72701753685c3a1dafc888be472ffcd552c52ea95ece0591ea8dda8025

Download Submit
C:\Users\Admin\AppData\Local\Temp\bk32yawh\bk32yawh.cmdline
Filesize
186B

MD5
77167eabfcc23e264ba9949613fc9c89

SHA1
62dc71bbe663199b5dc379ce8bdda1c24da5092b

SHA256
53cab2a7176c2d6e7e61ddf516836a9d589ae43c47fe229cb48ac05fb5610d0d

SHA512
e60747ff48989bddbc55c7c848e91de7620e11c19f461cee03fd4d966b549f93379248977a43861e72154f6f799008157aa2ebb06241d42228635e0072794cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyiphy2d\iyiphy2d.0.vb
Filesize
280B

MD5
59be267593d27f2e4e00c2d89787861f

SHA1
356eaa2e28a2b894bd3bb785240e86e70b487707

SHA256
82a97001375fa8b450bd47c915112533061345c113d96e34f08edc2d83192d5a

SHA512
9019ab34b8636fdf4ccc0ef007d02870337bf45ade511885b9f2edb06d382241e8e974c9aeaf206b8b6a56bc032b680bcd727d61994c86bb8dea7ada6cc83e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyiphy2d\iyiphy2d.cmdline
Filesize
179B

MD5
10554ad1471ecf3afab5b790410e9c6e

SHA1
0413fe92b3c1266af7aa836d504827b938839997

SHA256
61ddc6236c5fde7c2d561b6cf80d8798ac0cd6d44ffe7fb85a1bd9feda5f3529

SHA512
3094544a3a6bba0495b201deda8fb382a2266cfc00a77fbb323bef9e06d7f105b4624f6e47bb21f9cca9a7c90211d402cd90c5878fb0dca9ebc7f94f40b14dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvzjfjzg\lvzjfjzg.0.vb
Filesize
289B

MD5
956fdc95bdca3de2ed6cc80606048f9f

SHA1
6c8e5de2c9de74f8fb278ca453d3354f4d342f35

SHA256
0e23c8f93c74005d1e04d0de0e20d004fd22dc646f0891a52a897cf8337f3144

SHA512
22c79880ada88ebca041e5badc87dffa44ffd90b8a56f1d4d1dc430b0d6c81d36ad542cb20addfdea431a4c47413a5c8955b97224fc9632307b97d005d3ce83c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvzjfjzg\lvzjfjzg.cmdline
Filesize
188B

MD5
b20b69a6eebd165d423ce68f2adad22b

SHA1
45b7f46b37205ecc0eba7d172c06f0780271dfa4

SHA256
e72a1447b692844101a8785570e4f1654931f11e5873158d6845fa2400674902

SHA512
3ddfe212291133f04becc81992bd6417820f1af45761282cdacff336081a708c98c49f00ac9b6a04ed802589ba55992263c08745edd8d5045bf8d786427b294d

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3uwwhy3\n3uwwhy3.0.vb
Filesize
145B

MD5
2efc398081e9dac508a418b532fdf22d

SHA1
8ff7bf728efc7926a18bc6d6068ab6a8320d9ed5

SHA256
22e5770a963de78edc5fb2d895266195264d1d5cf73c470fd5d292617cae68d9

SHA512
593b580814861ec94dd314871a6f3f13d31f972042c744b49ca21597ff726e6ccd3070fd6faa01a4bd374317b24e784a08c990793989e9e07531d8f598a8d8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3uwwhy3\n3uwwhy3.cmdline
Filesize
203B

MD5
2c737c725b34f39f32621738ab0f9981

SHA1
20f9b211c200c317c07484e509ef288080538c7f

SHA256
9a5d42b94c08bc18ce5ea600a3f79c017e949a68f739875d379c75d1f84fae0b

SHA512
9ebff4e5dd1a4917d445918171dd92c639e54142578e8e331a04cc0fe89454acf763bdfe5ef597f2e3418db5d52dd330283d7f20716a87d6ab4eb98f62d01dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4fcznbi\p4fcznbi.0.vb
Filesize
287B

MD5
8a2dac246dd9e9093ee68aaf51c9c3f7

SHA1
27d2bfc9c43f476cb6c29da331b13856ed7245d0

SHA256
0bfc4fb2ac8b9be3783367f93f1cd0cf81d85187139e1baf7d155c6c313e12b3

SHA512
f5b8d32caf9cd783489700b970634b494b123ace0a6e79341f05c4b5ee3c866b1990514604b7d1b486316424a083cc92209699265bf30bf555560ae0846742a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4fcznbi\p4fcznbi.cmdline
Filesize
186B

MD5
649e91c1a7f6211f7d0c57e5d6f0886e

SHA1
2bf5b97c5324d6ffbaaa0edad5d26eaaae4f50da

SHA256
f243ee101bd4fcc3f45f03a0a3d8cdab5af7a361e7cc63c1772e29e8a72d1821

SHA512
26fb98a9e0f9436a8d751e21394eb43c3926e1e12779384143d2908a98ce848a7af584f7de4eda813a8c73da1319a60ae29b83a053119fb4c57e52822e415d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruvqsggk\ruvqsggk.0.vb
Filesize
290B

MD5
80ab6c592ef5a7d914082beb04afaf79

SHA1
1fd3f79448784eaebfc653ead21b773e3f9d28e9

SHA256
89f1ff73fd1198aec014f23b7b92dbdb65fd9d2a572452b4dfae05938666c2c8

SHA512
9bfa9a84f7517cb1df518692f030315bcfb868181cd8dc507eac77a01aca45623af746f839df581866bc2ffdbe3eb48bd0b3e9392f60b99e0b9bd6fcb9a5d4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruvqsggk\ruvqsggk.cmdline
Filesize
189B

MD5
93d038a9e8a6c254e421870a2216c8ee

SHA1
a65db6d45c03c648c758f782575560702903c7fd

SHA256
7052fdb0a0bad1e082fb96d9acd07d130e644a83afe36049ea6f27be0cbd203d

SHA512
1efb519f8d1016aa57b6539f064c4b3f797b6531beec6c4024235876f1dbc8c5644bd61dc3060c51713e271ae4eb39d574ae028f06e506e4478a40c563860b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3103134691134DFDA3DDFEF4C0198646.TMP
Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3D9E19CA1A4747EBBC665E50B064EDBD.TMP
Filesize
1KB

MD5
24218d2d116d5c470e34a5da0f5ee7c3

SHA1
b6546a2bdb8ce0b664100214b63371cc75187132

SHA256
0604323dfcee505a3199d0029fbbd0ae4768a59dc14ca8fc75b6ea3b3c850063

SHA512
7c08cd603e78c633c8e9eba12094d92d32238b565caa15b96f7d554eae67e4556aba9aaad544e0eb5803519428c8987a404b4a680917be4e00ae82a9d8e7cc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5697069E100547FD845F61A0C52249B6.TMP
Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5F3DC580F3FA4344AD8E241460EA742.TMP
Filesize
1KB

MD5
f79d4f009ed12db358d8ac93f0804345

SHA1
163b7cfe02be73d9602f5a9387dc7dbe7e9000eb

SHA256
0b353fcca887a01a42a8d5348301f6fbce2519850676b8e8cbbd5a710975848b

SHA512
beda88dc76f7fe331e5a6d0b10a8dbf1c389300e405f6bd6ccef81067d2bb260b9ba993675562a7ea1d274960ffb9cbf26aa695576524eff07143c828ae2edac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8BDBA12B3EC04AB0BE2FBAFCE4B27E9F.TMP
Filesize
1KB

MD5
369b17d06cfd628bfe04b3f677d21526

SHA1
b9d23c0dc5467f73fe2331eb584bd0c40b129d0e

SHA256
e95b4b80f5fad8e923641d423ecb96b591a208f2f898846cd9ef107e2cd7c2e7

SHA512
00826786585653c66a434589d0e231c9f37f055b642867faa2ca8cd735a138b5d38eeddf985d268b822cbdc29916f5993fde5bb1b7ef9395710d75f1d49230bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC5371CB39FFB4675A16324B549E47E.TMP
Filesize
1KB

MD5
369b17d06cfd628bfe04b3f677d21526

SHA1
b9d23c0dc5467f73fe2331eb584bd0c40b129d0e

SHA256
e95b4b80f5fad8e923641d423ecb96b591a208f2f898846cd9ef107e2cd7c2e7

SHA512
00826786585653c66a434589d0e231c9f37f055b642867faa2ca8cd735a138b5d38eeddf985d268b822cbdc29916f5993fde5bb1b7ef9395710d75f1d49230bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED1A0768ECE2458893B07349F7747C19.TMP
Filesize
1KB

MD5
d7d9f8d1ac18d21666caab1c2340838a

SHA1
a33791468a096f2ecd0b9d46a3550879ddb20b6b

SHA256
5131ea59abf4dc33da21ae8a0fa4302960428d430b974368bb294c50cf92d6ce

SHA512
2e4736a5e5635d5769fe1087add8fe3ec73286778485708882c3c98ab03b7b8b6e418b311218f093dc7946d1a5309a2738c08a6418dfc60e6c75406a14700f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED583F5EA2984D249DC7455F90FED645.TMP
Filesize
1KB

MD5
32060b25f1b853322f55b00e646349eb

SHA1
3f48939a11387738bbdaaecf03302bf210653b11

SHA256
49e5606fb65b14e33097ca86115ea6c55061517334188958984941a116189d6c

SHA512
db81b28d76f9469e07c1f91c2557acb7109a5c35f35ecd29d41df61e18b934bf36a3569f01aa2d3dc649e54537669d6d7ba492ed25bd4596d04cd0d714e20d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ye3e3t2k\ye3e3t2k.0.vb
Filesize
288B

MD5
61ba4aefeee838d2b3a8ef0921c69e5c

SHA1
f85d7d5b8c2ffc0c456305faf17691ada8b29940

SHA256
eded585391461033f4f6b73b037a7e042cd07db6e4f504fb8da36161cc926a09

SHA512
86f738c53cdba2d6dec2c64e6384de71108ba5e8cade8e28861286798190c7870d55b93ef69c29ad1a2c6d6e57e1b6c65ff4f3f40fec1a6203e4956114e7506d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ye3e3t2k\ye3e3t2k.cmdline
Filesize
187B

MD5
d9c39f86828cebc59a779c8f9c13c668

SHA1
a7882a75bfb34f78fd5c8c416a62bac54d9d4b1e

SHA256
c479e1b72389dfaa3f5bb3d589d32d6b92482dbdbe19c891dc0a60d3ac418398

SHA512
8604b25d43134cc10587b340a4821da713a169553a239b21600820d8619b648e52c3a1846cfaadbb0cc5f0368439a57455b6f17d2322528b26bbeb3ec2850f9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
Filesize
338KB

MD5
277ada55027e622cb40e0073f3bf1455

SHA1
6afe2ecf96f343a309ae3862666a348008f64767

SHA256
cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e

SHA512
ab67089fed2cce855b5b4f4cd7a2315966568fb5a1e6607f3d09173c04e685c0a3cbe8d7e3245aa484b73368c5d66826dc52e51eea81f39b1048a23a9b323a3a

Download Submit
C:\Users\Admin\Documents\Client.exe
Filesize
338KB

MD5
277ada55027e622cb40e0073f3bf1455

SHA1
6afe2ecf96f343a309ae3862666a348008f64767

SHA256
cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e

SHA512
ab67089fed2cce855b5b4f4cd7a2315966568fb5a1e6607f3d09173c04e685c0a3cbe8d7e3245aa484b73368c5d66826dc52e51eea81f39b1048a23a9b323a3a

Download Submit
C:\Users\Admin\Documents\Client.exe
Filesize
338KB

MD5
277ada55027e622cb40e0073f3bf1455

SHA1
6afe2ecf96f343a309ae3862666a348008f64767

SHA256
cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e

SHA512
ab67089fed2cce855b5b4f4cd7a2315966568fb5a1e6607f3d09173c04e685c0a3cbe8d7e3245aa484b73368c5d66826dc52e51eea81f39b1048a23a9b323a3a

Download Submit
memory/816-174-0x0000000000000000-mapping.dmp

Download
memory/840-136-0x0000000000000000-mapping.dmp

Download
memory/924-146-0x0000000000000000-mapping.dmp

Download
memory/924-147-0x00007FFA67160000-0x00007FFA67C21000-memory.dmp

Filesize
10.8MB

Download
memory/924-148-0x00007FFA67160000-0x00007FFA67C21000-memory.dmp

Filesize
10.8MB

Download
memory/1240-183-0x0000000000000000-mapping.dmp

Download
memory/1300-139-0x00007FFA67160000-0x00007FFA67C21000-memory.dmp

Filesize
10.8MB

Download
memory/1300-140-0x00007FFA67160000-0x00007FFA67C21000-memory.dmp

Filesize
10.8MB

Download
memory/1300-138-0x0000000000000000-mapping.dmp

Download
memory/1444-180-0x0000000000000000-mapping.dmp

Download
memory/2288-153-0x0000000000000000-mapping.dmp

Download
memory/2336-144-0x0000000000000000-mapping.dmp

Download
memory/2356-145-0x0000000000000000-mapping.dmp

Download
memory/2440-134-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/2440-132-0x00000000004B0000-0x0000000000504000-memory.dmp

Filesize
336KB

Download
memory/2440-135-0x0000000004FA0000-0x0000000005006000-memory.dmp

Filesize
408KB

Download
memory/2440-133-0x0000000004E90000-0x0000000004F2C000-memory.dmp

Filesize
624KB

Download
memory/2632-141-0x0000000000000000-mapping.dmp

Download
memory/2664-137-0x0000000000000000-mapping.dmp

Download
memory/2972-149-0x0000000000000000-mapping.dmp

Download
memory/3104-165-0x0000000000000000-mapping.dmp

Download
memory/3272-156-0x0000000000000000-mapping.dmp

Download
memory/3300-189-0x0000000000000000-mapping.dmp

Download
memory/3648-195-0x0000000000000000-mapping.dmp

Download
memory/3708-192-0x0000000000000000-mapping.dmp

Download
memory/4076-168-0x0000000000000000-mapping.dmp

Download
memory/4212-171-0x0000000000000000-mapping.dmp

Download
memory/4348-177-0x0000000000000000-mapping.dmp

Download
memory/4712-186-0x0000000000000000-mapping.dmp

Download
memory/4992-162-0x0000000000000000-mapping.dmp

Download
memory/5036-159-0x0000000000000000-mapping.dmp

Download