0b2f88a609b82dbad98a8b6624552e9c2e5db2173c148d7dbc2f0ea6133d9cb3

Analysis

max time kernel
71s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2023 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dropper.exe
Size

35KB
MD5

f69e703666a6a41005501bc65645916c
SHA1

c44215f3fe477505b7288a261aff28dce6d5aa32
SHA256

0b2f88a609b82dbad98a8b6624552e9c2e5db2173c148d7dbc2f0ea6133d9cb3
SHA512

6e775cb3cf9ac61da431ac05b07dc26483887d385ed214ba11cb557cdc54c198e79698f44dd82c3fcd974a4f70524388a023f1e955459913cf8199c5e4695dc5
SSDEEP

384:bxiHABz9q3FxmHu+JjOdb932NOHu469aMgMcpMQiW4zmkZXOfq1eK2ZkLCh4fdu1:bCIFqb932NOO7BXbOfq1QkmOnI66N

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	dropper.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\appdata\roaming\microsoft\windows\start menu\programs\startup\miner.exe	dropper.exe

Executes dropped EXE 1 IoCs

pid	Process
1168	miner.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
57	whatismyip.com
60	whatismyip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = 2d352275f64bd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\whatismyip.com\Total = "210630"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "213614"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.whatismyip.com\ = "29"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "49"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.whatismyip.com\ = "210598"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\whatismyip.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.whatismyip.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.whatismyip.com\ = "212521"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\whatismyip.com\Total = "213614"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\whatismyip.com\Total = "212521"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\whatismyip.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000f10e5f3094b36cdd09ac570054849e3a0eeaa49725b80f06ae7b368f7e47e271000000000e8000000002000020000000901dfb03de9d10c89743c946107e1dd125b299a812d235dc39d4442ea4f2fd302000000024ced5bef51cc943218df6b93a1c372209581a0525499035e98601e51fc67707400000007cb3dc1b9d71182f013b3bef2e79c5e7406833a4d3a39aa5ad8e4eeccd07ff823351063c11128e46d9d1251db9db1aca8c557818e9ad785c95663ae8a8f505f6	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "212521"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2165617843"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://whatismyip.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\whatismyip.com\Total = "49"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b0000000002000000000010660000000100002000000026accd751f7fd58b8d7328e14529052ded430d1c9166a49b78d9fa12d92fc538000000000e800000000200002000000099aee10ce5995a3be56622c72d4580fdf7de13838b5820a9f355a59f814423ba20000000117b1e2948f7f26bf5e530f94b19ea5ef8c8431baa0595ce60f6d8142f10bd6f400000003b7650ed7f1b3310c1ce6bf0739ebbf485fc44ceaf32f5028429e150a18974fd9f4c1ea3982fac088b00b689f0a692653c0debdd1407c5adee189164e51fdb64	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.whatismyip.com\ = "210573"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\whatismyip.com\Total = "210573"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\whatismyip.com\Total = "210598"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8016fc81f64bd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2165460457"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\whatismyip.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.whatismyip.com\ = "49"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 403ddf76f64bd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "29"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "210598"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.whatismyip.com\ = "213614"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1860	dropper.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	dropper.exe
Token: SeIncreaseQuotaPrivilege	1860	dropper.exe
Token: SeSecurityPrivilege	1860	dropper.exe
Token: SeTakeOwnershipPrivilege	1860	dropper.exe
Token: SeLoadDriverPrivilege	1860	dropper.exe
Token: SeSystemProfilePrivilege	1860	dropper.exe
Token: SeSystemtimePrivilege	1860	dropper.exe
Token: SeProfSingleProcessPrivilege	1860	dropper.exe
Token: SeIncBasePriorityPrivilege	1860	dropper.exe
Token: SeCreatePagefilePrivilege	1860	dropper.exe
Token: SeBackupPrivilege	1860	dropper.exe
Token: SeRestorePrivilege	1860	dropper.exe
Token: SeShutdownPrivilege	1860	dropper.exe
Token: SeDebugPrivilege	1860	dropper.exe
Token: SeSystemEnvironmentPrivilege	1860	dropper.exe
Token: SeRemoteShutdownPrivilege	1860	dropper.exe
Token: SeUndockPrivilege	1860	dropper.exe
Token: SeManageVolumePrivilege	1860	dropper.exe
Token: 33	1860	dropper.exe
Token: 34	1860	dropper.exe
Token: 35	1860	dropper.exe
Token: 36	1860	dropper.exe
Token: SeIncreaseQuotaPrivilege	1860	dropper.exe
Token: SeSecurityPrivilege	1860	dropper.exe
Token: SeTakeOwnershipPrivilege	1860	dropper.exe
Token: SeLoadDriverPrivilege	1860	dropper.exe
Token: SeSystemProfilePrivilege	1860	dropper.exe
Token: SeSystemtimePrivilege	1860	dropper.exe
Token: SeProfSingleProcessPrivilege	1860	dropper.exe
Token: SeIncBasePriorityPrivilege	1860	dropper.exe
Token: SeCreatePagefilePrivilege	1860	dropper.exe
Token: SeBackupPrivilege	1860	dropper.exe
Token: SeRestorePrivilege	1860	dropper.exe
Token: SeShutdownPrivilege	1860	dropper.exe
Token: SeDebugPrivilege	1860	dropper.exe
Token: SeSystemEnvironmentPrivilege	1860	dropper.exe
Token: SeRemoteShutdownPrivilege	1860	dropper.exe
Token: SeUndockPrivilege	1860	dropper.exe
Token: SeManageVolumePrivilege	1860	dropper.exe
Token: 33	1860	dropper.exe
Token: 34	1860	dropper.exe
Token: 35	1860	dropper.exe
Token: 36	1860	dropper.exe
Token: SeIncreaseQuotaPrivilege	1860	dropper.exe
Token: SeSecurityPrivilege	1860	dropper.exe
Token: SeTakeOwnershipPrivilege	1860	dropper.exe
Token: SeLoadDriverPrivilege	1860	dropper.exe
Token: SeSystemProfilePrivilege	1860	dropper.exe
Token: SeSystemtimePrivilege	1860	dropper.exe
Token: SeProfSingleProcessPrivilege	1860	dropper.exe
Token: SeIncBasePriorityPrivilege	1860	dropper.exe
Token: SeCreatePagefilePrivilege	1860	dropper.exe
Token: SeBackupPrivilege	1860	dropper.exe
Token: SeRestorePrivilege	1860	dropper.exe
Token: SeShutdownPrivilege	1860	dropper.exe
Token: SeDebugPrivilege	1860	dropper.exe
Token: SeSystemEnvironmentPrivilege	1860	dropper.exe
Token: SeRemoteShutdownPrivilege	1860	dropper.exe
Token: SeUndockPrivilege	1860	dropper.exe
Token: SeManageVolumePrivilege	1860	dropper.exe
Token: 33	1860	dropper.exe
Token: 34	1860	dropper.exe
Token: 35	1860	dropper.exe
Token: 36	1860	dropper.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1404	iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1404	iexplore.exe
1404	iexplore.exe
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1404	iexplore.exe
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1168	1860	dropper.exe	92
PID 1860 wrote to memory of 1168	1860	dropper.exe	92
PID 1404 wrote to memory of 1952	1404	iexplore.exe	97
PID 1404 wrote to memory of 1952	1404	iexplore.exe	97
PID 1404 wrote to memory of 1952	1404	iexplore.exe	97

C:\Users\Admin\AppData\Local\Temp\dropper.exe
"C:\Users\Admin\AppData\Local\Temp\dropper.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\appdata\roaming\microsoft\windows\start menu\programs\startup\miner.exe
  "C:\Users\Admin\appdata\roaming\microsoft\windows\start menu\programs\startup\miner.exe"
  2⤵
  - Executes dropped EXE
  PID:1168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ExportStart.xhtml
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1404 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
0b0caf6246f48cc36f080dfbbdb3ad9f

SHA1
cf3989e69118d95ce7c0007e6326502100fd0a4c

SHA256
5c852e4ec611f504ff804ce41981e0bedc5b90f9b9e8dd9b3ab2ef4582bcfabf

SHA512
479e42a058ed3da2d64bad6a6ed971dd40e1071b2d2b69be9533f2a3e377c82e5dd4b7760299a4e457a57eaac8afe03fba995a28d12549ed7c90a1f433aebd27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
626f8f3fb207e8d17825c77238af3594

SHA1
f78e1abc58df3f376868299eea0ab62410b4fb01

SHA256
f4c16c2a3ba3e53fb2ba948db7c61faa0f2d1e8f7d8057df9d6f2e51bd3f3cf9

SHA512
8411f99f6c3a74b94188b608ff343cda8e71384a98bab3047e63bbd24c78505aa5a460089d5960d86f6b89f2a4c1d57d8c61d431cd12c5e596b80f06203c2a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0UT6RKSV\www.whatismyip[1].xml

Filesize
103B

MD5
8b41744109373974e6238f1be4552b88

SHA1
458690c72fca523ddf5c93600e8c1388a031f75e

SHA256
235341d6962be85bbaf28121970b4e76ea339e97f5120b25acd8df5a67fa8d10

SHA512
5571f6591f6a443f012aec36858ce039f95255bd3083d370504f28da12eb560104ceaf376cc003a0eca996aac7e8f70b7455925297bead79675f2557f5f8466b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0UT6RKSV\www.whatismyip[1].xml

Filesize
275KB

MD5
4c03020e038813e18b5fdb5b86702e83

SHA1
322030915e94c6db24d34843fd562f05a53f3d4f

SHA256
9192ac009f1b9bbb901b0b62077d1f7cb006489a56bc30fa568424353ccbc3c8

SHA512
43294afd70e18bd8a0a3b7f5ddde7f68524bdbd81a18e7e4de460d17616c0ec8232406cebcd167229f86beeaaf52e1eb1bf6bf01b50f6f11b456a937fc1fd87e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\phzg4yt\imagestore.dat

Filesize
1KB

MD5
998999ed86dcd56c76dfeaf29669bef9

SHA1
720e59c3a5f3cc08febf3323c3f0c117271e1488

SHA256
358323b40fc6c093f1be25795b1ac17ed0a2a79d19eba0f2fe7ee5850c3e9c85

SHA512
10893d3452848066c2d003f469cebe942f1f91fbf4a7b6c7bf37fe3db9dc50829a1940050901ff2d19d098bf8ae6ff9c1d1e2757024c42c2bd095d42691fb351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\favicon-32x32[1].png

Filesize
1KB

MD5
8922f3da4e2bc8e70e0f0222b7b11c42

SHA1
feb8b73f426a0461097d496f751f2ec8232c327d

SHA256
a880414f11953797bd5bb74b5b3c2d71507157ae7db453dc4b630e22a552a2f7

SHA512
bc731fe08b3b314d55575961f712c7671ae691c2d7b127c59a6b9d42ee38b825158d15d757ace2e5076256524d4a62bbbbb365b6f6b9b1cf0c841a513051da64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\qsml[1].xml

Filesize
550B

MD5
fc354c7e7ac8a71a1ce29adbfab6076f

SHA1
9791879f69ffe440101b1add7aa465e6c672f600

SHA256
82f1f046db8b91eb488eb02e41d5d6c96626570188b18b254b49588beca4a61e

SHA512
0c9020e8d4ea47edffbb16e05921b2c4f453ab284139d683dd4417b45b8801be5ddf403b414e2665d61b36f61bee129a467345f817b2470680ba8bcbc61a004c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\new-user[1].txt

Filesize
2B

MD5
e0aa021e21dddbd6d8cecec71e9cf564

SHA1
9ce3bd4224c8c1780db56b4125ecf3f24bf748b7

SHA256
565339bc4d33d72817b583024112eb7f5cdf3e5eef0252d6ec1b9c9a94e12bb3

SHA512
900110c951560eff857b440e89cc29f529416e0e3b3d7f0ad51651bfdbd8025b91768c5ed7db5352d1a5523354ce06ced2c42047e33a3e958a1bba5f742db874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\qsml[1].xml

Filesize
536B

MD5
a82a3d688be4a3006e620964710cadac

SHA1
b1d23e84206ed8573f8e31c1288aff7dc3d31a96

SHA256
37e986dbbcb1fe2cd47f41a3a41d4394c20d616142e9d1796099fd1294eba275

SHA512
0092b116ac1e61ed97527bec4b3fed0b02f94cc14e5ef03d5c085b5bfb196bae2cf60cde069dae362b60e91f9375aed45ba4c08db16777261dce619c291deaae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\qsml[1].xml

Filesize
521B

MD5
a467b03c0d77103741a34ca471980e11

SHA1
740853abbc83c148221bc13b1d0d18a1a3d6b00a

SHA256
8c7f29bdcf74a6c3c31c6c1da7546ff87b81cd5c70ee21fafcac368f2a8f0e3b

SHA512
000b72a2bb985c10643add7e211f025917e3d56edb784ffb561c6e718be28d783e454b28c80391866fb47626e6acb5836cb0334a40668fa91bd56417480bc516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\qsml[2].xml

Filesize
541B

MD5
f7af76b3ab5d1edc5553b1d04d9ac757

SHA1
d2d3f61678971c7c9b66c2cb3ed49b8570ce5473

SHA256
08078aba02b6bf836ba297d92dc1040c529589453445db1c9da85b6ededf42d1

SHA512
a07ab5271b78a7ab57ec901dbdc3b30f2682505ff9a593641c94fa75d902bd4356df3f1e63c9165a75eb76f0b7e48a10698d9461ffb53ac16c6082c312b4c5c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\qsml[3].xml

Filesize
563B

MD5
e0071405eecbae03a761044e0b024eee

SHA1
7ef37c6ff8dc2d217655538712edf54c510e2621

SHA256
b01c41288f9f4bb5ffa70210ddb648eda09a6ed6e988dea849fde4b089fbb551

SHA512
a602a5c7f54510624b2d95a0ef3434cf814a78f41b17398bc9b0c5185e2de41b91670912d6f2d5a56a199a976ad3725d47d65d2b5fcb08610488a02ec7bf6c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4nodmjp.dfl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\miner.exe

Filesize
52.9MB

MD5
c5f5a0e235c7899da16652273e312d39

SHA1
fa724249aaa946789a9ac4080265d36b23c12fe6

SHA256
c0c765bbecf98ee6f92d1a560b84e74c69aa8e1d05ebc79cf54d5e6e574f439e

SHA512
30734b66d950c0a9d022c05ffdf0aafef3b4559974522ec8a1c68e1e7c937f6f4b5c98c25a11610ea2ed0448a67d8bdbb452b0747d64b50102b1ec3c17966f52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\miner.exe

Filesize
52.9MB

MD5
c5f5a0e235c7899da16652273e312d39

SHA1
fa724249aaa946789a9ac4080265d36b23c12fe6

SHA256
c0c765bbecf98ee6f92d1a560b84e74c69aa8e1d05ebc79cf54d5e6e574f439e

SHA512
30734b66d950c0a9d022c05ffdf0aafef3b4559974522ec8a1c68e1e7c937f6f4b5c98c25a11610ea2ed0448a67d8bdbb452b0747d64b50102b1ec3c17966f52

Download Submit
memory/1168-157-0x00007FF6DA760000-0x00007FF6DDC58000-memory.dmp

Filesize
53.0MB

Download
memory/1860-147-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/1860-148-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/1860-133-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1860-145-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/1860-144-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/1860-143-0x0000000002420000-0x0000000002442000-memory.dmp

Filesize
136KB

Download
memory/1952-313-0x0000000009600000-0x0000000009700000-memory.dmp

Filesize
1024KB

Download