c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
Size

14KB
MD5

37f4d7b41c89ae41feb357a4cfbcd110
SHA1

681aae8925ae73d648dd6db2fae3c8bf5c61a114
SHA256

c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1
SHA512

305392e65fa34c10ec58b91deaa7a665adbffc660a8b063542c549177733fe59d5df0f12f59158250685db2e8df8bad30dcbfbef12ec9c8367c558d3b84e6c96
SSDEEP

384:AQinGlV5lRwaM9IV3wag7YjIRV4mn29xMyj:Ad2gab2V4mnA2u

Score

8^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
636	fL0a6jX.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3016-132-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3016-135-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/files/0x000300000001e2c1-138.dat	upx
behavioral2/files/0x000300000001e2c1-137.dat	upx
behavioral2/memory/636-139-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateService = "C:\\Windows\\system32\\wservice.exe"	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateService = "C:\\Windows\\system32\\wservice.exe"	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\k:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\e:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\r:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\p:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\n:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\m:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\l:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\y:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\w:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\j:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\g:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\f:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\o:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\h:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\z:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\x:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\u:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\t:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\s:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\v:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\q:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened (read-only)	\??\i:	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wservice.exe	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
File opened for modification	C:\Windows\SysWOW64\wservice.exe	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\792ba6af-5328-49f9-94e2-c6aaaae89be6.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221203160533.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4176	msedge.exe
4176	msedge.exe
4976	msedge.exe
4976	msedge.exe
2692	identity_helper.exe
2692	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4976	3016	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe	81
PID 3016 wrote to memory of 4976	3016	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe	81
PID 4976 wrote to memory of 3516	4976	msedge.exe	82
PID 4976 wrote to memory of 3516	4976	msedge.exe	82
PID 3016 wrote to memory of 636	3016	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe	83
PID 3016 wrote to memory of 636	3016	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe	83
PID 3016 wrote to memory of 636	3016	c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe	83
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 3468	4976	msedge.exe	88
PID 4976 wrote to memory of 4176	4976	msedge.exe	89
PID 4976 wrote to memory of 4176	4976	msedge.exe	89
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91
PID 4976 wrote to memory of 800	4976	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe
"C:\Users\Admin\AppData\Local\Temp\c586d1deea211fcbdcfc54634cbd8b473ac0d42975872d858b22b300031aa3b1.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.cnn.com/
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffb63c246f8,0x7ffb63c24708,0x7ffb63c24718
    3⤵
    PID:3516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    PID:3468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
    3⤵
    PID:800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
    3⤵
    PID:3384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
    3⤵
    PID:4572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
    3⤵
    PID:444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5408 /prefetch:8
    3⤵
    PID:4676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
    3⤵
    PID:680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
    3⤵
    PID:1892
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6844 /prefetch:8
    3⤵
    PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6844 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2692
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:2188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6da065460,0x7ff6da065470,0x7ff6da065480
      4⤵
      PID:4092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,2744807727883474475,130569965291482177,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6404 /prefetch:8
    3⤵
    PID:4272
- C:\Users\Admin\AppData\Local\Temp\fL0a6jX.exe
  fL0a6jX.exe
  2⤵
  - Executes dropped EXE
  PID:636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_A373FEC5204D779A8604E28CC627A508

Filesize
1KB

MD5
811f81dcc1ed1b28f1b942e319aaa1e6

SHA1
6e22e6f7db2857ab9197ff0101870d37cb0f90d9

SHA256
3efef31b1775ae0e5ad835da3dd2eed0d36298d56f189b4e869ba202f803b4cf

SHA512
f9d4acdafdbeba1b00d28707cad059ff0dc32578d78eca895942f6c088dfda53cd548fdd8de7e41b5a903687363dfffddd1e4eb6eb42edf3ff04c552f02b59c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_A373FEC5204D779A8604E28CC627A508

Filesize
518B

MD5
0515583c18625babe6c9ad0cdedac4dd

SHA1
e3f4e4af9874317430f0dd4f72e56b074ae8a8ca

SHA256
0eb4c083c55fcb8f47af12ed04bc24c14d5b803c0c747dca93482a3b36f3281f

SHA512
104ee48ec97035a7909030e3ce25cfa520ae1c9da5c835897b9770931e2c4ed67a108de8e85a37014e0428f612b706c2b15af25fa182ddf988934649e0229f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fL0a6jX.exe

Filesize
5KB

MD5
9da57bda8b9aa4990197efddad6b3f10

SHA1
c5d88013b330c2e56397c450a14c09e406e273a1

SHA256
9b653059ae82c751862f133d97024bb2a5f23bd50f6ad02338aab5fd6bcfc407

SHA512
2a8e749cbf0fc1db03b7299f8f10be995f4aed1d54c20e8cd5028a8c2997fa6a9f1f24d188bdc5392b24baf292bfa1ec6f5a0ad25da6e06eb48f0811c6046880

Download Submit
C:\Users\Admin\AppData\Local\Temp\fL0a6jX.exe

Filesize
5KB

MD5
9da57bda8b9aa4990197efddad6b3f10

SHA1
c5d88013b330c2e56397c450a14c09e406e273a1

SHA256
9b653059ae82c751862f133d97024bb2a5f23bd50f6ad02338aab5fd6bcfc407

SHA512
2a8e749cbf0fc1db03b7299f8f10be995f4aed1d54c20e8cd5028a8c2997fa6a9f1f24d188bdc5392b24baf292bfa1ec6f5a0ad25da6e06eb48f0811c6046880

Download Submit
memory/636-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3016-135-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3016-132-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download