6c0f82832ffa17f3427d3967eace8041e52475003f4ba52f17ef18e17f49e6ce

Analysis

max time kernel
117s
max time network
130s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
14/07/2023, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

166375a14c4253exe_JC.exe
Size

145KB
MD5

166375a14c4253977087f9c592573f1c
SHA1

348676344378749ffd9296aec66c0e5d51913e51
SHA256

6c0f82832ffa17f3427d3967eace8041e52475003f4ba52f17ef18e17f49e6ce
SHA512

de4fb4c3614beef3f245885f89794d5d9d2c9b01ec00195056b2d8f6f79da2695052bd4778fca2eda9e58c0bd241f78a1026e004c8d5ee16aa439ff6802e268f
SSDEEP

3072:p6glyuxE4GsUPnliByocWepvSLH1wPGx:p6gDBGpvEByocWeFSLVwPO

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (7808) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
1492	91D4.tmp

Executes dropped EXE 1 IoCs

pid	Process
1492	91D4.tmp

Loads dropped DLL 1 IoCs

pid	Process
2348	166375a14c4253exe_JC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\desktop.ini	166375a14c4253exe_JC.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1014134971-2480516131-292343513-1000\desktop.ini	166375a14c4253exe_JC.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
1492	91D4.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\SalesReport.xltx	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\background.gif	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01084_.WMF.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBHED98.POC.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115876.GIF	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14711_.GIF	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\PurblePlace.exe.mui.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Events.accdt	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Name.accft.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\PREVIEW.GIF	166375a14c4253exe_JC.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\xUtJ4zKuU.README.txt	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099178.WMF.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.INF	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\gadget.xml	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR6F.GIF	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json	166375a14c4253exe_JC.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\xUtJ4zKuU.README.txt	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB02229_.GIF.xUtJ4zKuU	166375a14c4253exe_JC.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\xUtJ4zKuU.README.txt	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\content-types.properties.xUtJ4zKuU	166375a14c4253exe_JC.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\xUtJ4zKuU.README.txt	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\slideShow.js	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\button.gif.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\PREVIEW.GIF.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\settings.js	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.HTM.xUtJ4zKuU	166375a14c4253exe_JC.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\xUtJ4zKuU.README.txt	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\mpvis.dll.mui	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\TAB_ON.GIF	166375a14c4253exe_JC.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\xUtJ4zKuU.README.txt	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_F_COL.HXK.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105710.WMF	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00720_.WMF.xUtJ4zKuU	166375a14c4253exe_JC.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\xUtJ4zKuU.README.txt	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBPAGE.XML.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Author2String.XSL.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lindeman.xUtJ4zKuU	166375a14c4253exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli	166375a14c4253exe_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe
2348	166375a14c4253exe_JC.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp
1492	91D4.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeDebugPrivilege	2348	166375a14c4253exe_JC.exe
Token: 36	2348	166375a14c4253exe_JC.exe
Token: SeImpersonatePrivilege	2348	166375a14c4253exe_JC.exe
Token: SeIncBasePriorityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeIncreaseQuotaPrivilege	2348	166375a14c4253exe_JC.exe
Token: 33	2348	166375a14c4253exe_JC.exe
Token: SeManageVolumePrivilege	2348	166375a14c4253exe_JC.exe
Token: SeProfSingleProcessPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeRestorePrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSystemProfilePrivilege	2348	166375a14c4253exe_JC.exe
Token: SeTakeOwnershipPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeShutdownPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeDebugPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeBackupPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe
Token: SeSecurityPrivilege	2348	166375a14c4253exe_JC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1492	2348	166375a14c4253exe_JC.exe	32
PID 2348 wrote to memory of 1492	2348	166375a14c4253exe_JC.exe	32
PID 2348 wrote to memory of 1492	2348	166375a14c4253exe_JC.exe	32
PID 2348 wrote to memory of 1492	2348	166375a14c4253exe_JC.exe	32
PID 2348 wrote to memory of 1492	2348	166375a14c4253exe_JC.exe	32
PID 1492 wrote to memory of 1976	1492	91D4.tmp	33
PID 1492 wrote to memory of 1976	1492	91D4.tmp	33
PID 1492 wrote to memory of 1976	1492	91D4.tmp	33
PID 1492 wrote to memory of 1976	1492	91D4.tmp	33

C:\Users\Admin\AppData\Local\Temp\166375a14c4253exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\166375a14c4253exe_JC.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\ProgramData\91D4.tmp
  "C:\ProgramData\91D4.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\91D4.tmp >> NUL
    3⤵
    PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\AAAAAAAAAAA

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\BBBBBBBBBBB

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\CCCCCCCCCCC

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\DDDDDDDDDDD

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\DDDDDDDDDDD

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\EEEEEEEEEEE

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\FFFFFFFFFFF

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\GGGGGGGGGGG

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\HHHHHHHHHHH

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\IIIIIIIIIII

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\JJJJJJJJJJJ

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\KKKKKKKKKKK

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\LLLLLLLLLLL

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\MMMMMMMMMMM

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\NNNNNNNNNNN

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\OOOOOOOOOOO

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\PPPPPPPPPPP

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\QQQQQQQQQQQ

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\RRRRRRRRRRR

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\SSSSSSSSSSS

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\TTTTTTTTTTT

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\UUUUUUUUUUU

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\VVVVVVVVVVV

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\WWWWWWWWWWW

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\XXXXXXXXXXX

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\YYYYYYYYYYY

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\$Recycle.Bin\S-1-5-21-1014134971-2480516131-292343513-1000\desktop.ini

Filesize
129B

MD5
524c5d985e252a3ba84296e4798293e4

SHA1
730b6d3161f66ee1f63d7fdf50849d1cf6fa8516

SHA256
ca0057e1de64664e76e259e65ef0ea17951cfdbfee60fc832d9652a0393a0825

SHA512
749b3b7093acc20a734f284428591dff63068a5a20ce8b7a687d9f60115dcfb309451fa88567d4489e8a4a4128d816ee8fdc2deeba984ecc38a12a79df79a699

Download Submit
C:\ProgramData\91D4.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\ProgramData\91D4.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDD

Filesize
145KB

MD5
e22b18e1319dba186f5ca7bdc6723abb

SHA1
2747cd882135716ca710a3ebcc898161f628a007

SHA256
38af6682317108702163f7243cc35d6088d0d0b4a35f8a09f2347da7a6c5198c

SHA512
c20ed12235af02e02dce0ff6d72e833e0f5c57354b589a689b8f0f34eab88f3c4655ad03604e01146a18f83746e17dad28b417daf85b53779ad4252fd335f222

Download Submit
C:\xUtJ4zKuU.README.txt

Filesize
45B

MD5
05432692125816361180a1597440ec4a

SHA1
91d40f4c7f284981ac7b6945e2028fb17ae4f4a3

SHA256
d0d1abd3c8fc46bfdf269c7075b693b811570fec574c457669aa691448aca1dd

SHA512
ec0381f2b2e0d165b17ab0b7e6a17ae13169d1a05820541f8bd49fff7f5ac9de2677841bc1070957ec954b8aa6e13fc3309619b875aafdec4fe9d85026025350

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1014134971-2480516131-292343513-1000\DDDDDDDDDDD

Filesize
129B

MD5
715e4a83724668802f47afb25df61fd0

SHA1
b7a65ce732b328afe6e4bc31b326619b109acd98

SHA256
da5cdcf67336c8ac15b68cf9eeed7b25a776453075f920e1acde77b09ce87b8b

SHA512
a114437e2e70c3f0c33ab0feac7ff828d481676e237125f90595485247c707136431aa0066c17185b7c05a05608405c10e7664dc74721ee792ef6cfd71ac260d

Download Submit
\ProgramData\91D4.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1492-11796-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1492-11801-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/1492-11808-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/1492-11811-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1492-11814-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1492-11829-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1492-11830-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2348-54-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download