fcf6fae434aae5cfb10d8f2385278803332370348a5a0fa9809a7484341ee566

General

Target

Game Dev Simulator.exe
Size

638KB
MD5

1f1927f6eeca7c7159e7b5f9c97ab410
SHA1

cd506eba2f53f2c2aed5d075c7a4030a339f2265
SHA256

fcf6fae434aae5cfb10d8f2385278803332370348a5a0fa9809a7484341ee566
SHA512

db0f1dfe12c2c237f2bedf50cb289f146d94b99720656009da442e5f86a91fd5a5e4dfa7c67d1558dd90c2ca42d03dac7bd1d80c36183808780b695756baa69d
SSDEEP

6144:zEbaWnBUCGydM+Q94jZ8luJeNrJoRREhawVfW9IUxFmop16VwK0ZO9bR/rO:zoCCvdM+Q94gRyLGRWeUnmGA9bR/rO

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings firefox.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

3084 vlc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

3084 vlc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

taskmgr.exefirefox.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4488	taskmgr.exe
Token: SeSystemProfilePrivilege	4488	taskmgr.exe
Token: SeCreateGlobalPrivilege	4488	taskmgr.exe
Token: 33	4488	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4488	taskmgr.exe
Token: SeDebugPrivilege	2708	firefox.exe
Token: SeDebugPrivilege	2708	firefox.exe
Token: SeDebugPrivilege	5032	taskmgr.exe
Token: SeSystemProfilePrivilege	5032	taskmgr.exe
Token: SeCreateGlobalPrivilege	5032	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

vlc.exetaskmgr.exefirefox.exetaskmgr.exe

pid	process
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
2708	firefox.exe
2708	firefox.exe
2708	firefox.exe
2708	firefox.exe
2708	firefox.exe
2708	firefox.exe
2708	firefox.exe
5032	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

vlc.exetaskmgr.exefirefox.exetaskmgr.exe

pid	process
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
3084	vlc.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
2708	firefox.exe
2708	firefox.exe
2708	firefox.exe
2708	firefox.exe
2708	firefox.exe
5032	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe
5032	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vlc.exefirefox.exe

pid process

3084 vlc.exe
2708 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4820 wrote to memory of 2708	4820	firefox.exe	firefox.exe
PID 4820 wrote to memory of 2708	4820	firefox.exe	firefox.exe
PID 4820 wrote to memory of 2708	4820	firefox.exe	firefox.exe
PID 4820 wrote to memory of 2708	4820	firefox.exe	firefox.exe
PID 4820 wrote to memory of 2708	4820	firefox.exe	firefox.exe
PID 4820 wrote to memory of 2708	4820	firefox.exe	firefox.exe
PID 4820 wrote to memory of 2708	4820	firefox.exe	firefox.exe
PID 4820 wrote to memory of 2708	4820	firefox.exe	firefox.exe
PID 4820 wrote to memory of 2708	4820	firefox.exe	firefox.exe
PID 4820 wrote to memory of 2708	4820	firefox.exe	firefox.exe
PID 4820 wrote to memory of 2708	4820	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4964	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4964	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 4760	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 944	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 944	2708	firefox.exe	firefox.exe
PID 2708 wrote to memory of 944	2708	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Game Dev Simulator.exe
"C:\Users\Admin\AppData\Local\Temp\Game Dev Simulator.exe"
1⤵
PID:1692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4928

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\WaitGrant.M2V"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.0.1660343027\489059734" -parentBuildID 20221007134813 -prefsHandle 1624 -prefMapHandle 1620 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8a0243d-e28d-48ab-8e2c-123984ba26b0} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 1716 120ffff5c58 gpu
3⤵
PID:4964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.1.936716404\1703750181" -parentBuildID 20221007134813 -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fab13e17-048a-4a08-ae90-cf04a312d368} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 2072 12083f17258 socket
3⤵
PID:4760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.2.18599066\1453849654" -childID 1 -isForBrowser -prefsHandle 2700 -prefMapHandle 2788 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06b2d139-497b-49b3-9063-2a96f998b83e} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 2784 12086950258 tab
3⤵
PID:944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.3.1080612170\823196678" -childID 2 -isForBrowser -prefsHandle 2772 -prefMapHandle 3504 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93e3bf95-9db4-46b7-958b-e095e2cea741} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 3516 12087733658 tab
3⤵
PID:828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.4.430252413\1577495477" -childID 3 -isForBrowser -prefsHandle 3796 -prefMapHandle 3792 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8748538-f9c7-45ce-9aa2-8a5e0c848f13} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 3808 12087c0c858 tab
3⤵
PID:1256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.5.1463088179\930943981" -childID 4 -isForBrowser -prefsHandle 4784 -prefMapHandle 4788 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {402ae73c-6280-460a-ab8b-bb75831b8e3a} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 4764 1208677d258 tab
3⤵
PID:2680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.7.1378098153\1652904122" -childID 6 -isForBrowser -prefsHandle 4628 -prefMapHandle 5164 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {439ddcef-3448-422e-8dcb-77bec5fb1469} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 5156 12089060e58 tab
3⤵
PID:4168

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.6.465169869\1202203221" -childID 5 -isForBrowser -prefsHandle 5196 -prefMapHandle 5100 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2aa4559-583a-4ca7-b348-99e83ee3cc69} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 2452 12089060b58 tab
3⤵
PID:4224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2708.8.1798904140\481512026" -childID 7 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43ce96a3-5ec1-4ad1-b26a-81ee9997be27} 2708 "\\.\pipe\gecko-crash-server-pipe.2708" 5424 120850ba358 tab
3⤵
PID:1512

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\3877292338.pri
Filesize
162KB

MD5
0d02b03a068d671348931cc20c048422

SHA1
67b6deacf1303acfcbab0b158157fdc03a02c8d5

SHA256
44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0

SHA512
805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\810424605.pri
Filesize
2KB

MD5
a2942665b12ed000cd2ac95adef8e0cc

SHA1
ac194f8d30f659131d1c73af8d44e81eccab7fde

SHA256
bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374

SHA512
4e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp
Filesize
148KB

MD5
fc40c9a53386f1e98740a0d06264bf6b

SHA1
112617ba47af05b67b3a1ebaddef1020a30cf2f5

SHA256
5627faa7c7be38b03cb4fbff991784007d6e158e2a89150ee92c96f047b2e62d

SHA512
3d859b23d581a8111f83a8ca91483bf93315d08c2b31ce904380189d456a6503d490a3a80a54ea4fc58bb637bab637aee65e79367e00fae8938b8d163075e431

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\prefs.js
Filesize
6KB

MD5
f843fc3b858888d342076c7199266348

SHA1
97dea7b7d8486f03cc085ef488fda80fe53515a0

SHA256
19b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4

SHA512
9b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
f5c911a2b2685a93a0f043555ea428b6

SHA1
2ee20065d1a5c548193dfba708d19b51fd4d2d9c

SHA256
d2f4917fb93ff61feeaabf953e5e399d1e71397584bcb51219ac2b5459babfd0

SHA512
c3a1a5d954a0690a448735a7ff11e394d475f259966af36708ca82c3873d3d35177855653a0e8e220aae7314f5948f223972f06464a7307736a10bbcd81789df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
0ce94a10c149ab6f9dd9f01f1ff88889

SHA1
c37b34060bdc51217029410a1665b716305f9959

SHA256
8d41578d85032b6b06e4a2b08737efc23f57b16f7da86458ed9199f4738b5111

SHA512
a9470186afdcda8f328c3036f8bcc8cb93655e64f847ef4f639e6d4d55e5df96f2d2b60fb8e128058b0cbb90b15dc155a917a9a29a69ea696ca9a07e97aec572

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
a5c110e4b98fdabdbd12a91a7b28d510

SHA1
b031bf2a4454b63bf9a131d38c7a5cfb6a412d5a

SHA256
0ff07ef9ac03c7a9fd71c5043b1af4beaed6b1849c2ad1edca0b5c727d478123

SHA512
338d1e97b5362388de87f7030dfe2347a045f1aace5f70ef3a33cc720ccb3f040aa2832d0db7afcc875d8b737dbc5029c9e50b4dfdc271cce3d4bbeda700617a

Download Submit
memory/3084-128-0x00007FF7D46E0000-0x00007FF7D47D8000-memory.dmp

Filesize
992KB

Download
memory/3084-129-0x00007FFDB0370000-0x00007FFDB03A4000-memory.dmp

Filesize
208KB

Download
memory/3084-130-0x00007FFDA3090000-0x00007FFDA3344000-memory.dmp

Filesize
2.7MB

Download
memory/3084-131-0x00007FFDA0FF0000-0x00007FFDA209B000-memory.dmp

Filesize
16.7MB

Download
memory/3084-132-0x00007FFDA0740000-0x00007FFDA0852000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads