4c736c3660695d303248d0b9edd1b2fd48822cb27b066c58908ba5a22e0aa65f

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

002325c6d5ff1184320cb9d86750b53a.dll
Size

201KB
MD5

002325c6d5ff1184320cb9d86750b53a
SHA1

27b40c67cc44675169603ef175f04af1d118b090
SHA256

4c736c3660695d303248d0b9edd1b2fd48822cb27b066c58908ba5a22e0aa65f
SHA512

95e50cc5cd7c9b5f725811a42c1b9429b2dbf10f5208cfbb69364b356c252109d04d4611a998dcb6a6329171592c5256db675432d5e3f9af51ce768a9d51baf7
SSDEEP

3072:wKR2KgWgZBNdePSY6b8ByUP5XEbZOjL10Wv9W/KyEW80VQcKd:jR/m3du6b8ByWXIu1XVq80V

Score

8^/10

evasion upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2640-0-0x0000000000160000-0x00000000001AD000-memory.dmp	upx
behavioral1/memory/2264-8-0x0000000000180000-0x00000000001CD000-memory.dmp	upx
behavioral1/memory/2696-11-0x00000000005E0000-0x000000000062D000-memory.dmp	upx

Modifies Internet Explorer Protected Mode 1 TTPs 15 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	notepad.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	notepad.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb800000000020000000000106600000001000020000000201630a143209386100f16a4659c3ef97e11e780aaaa31433cef0c31719d5011000000000e8000000002000020000000fd6ed415862b458eb7571f5b755461dda2a054ad756fef4d9499b806973d82852000000046b46cca05c6a5dfa391ee7496d3bc3a9daa85d1fc330d9d26bcb1bd0381f312400000003a739230d3a798390747b370e74b6b698b35ab1dc7631180807a73f145bd28b8abf89579a037b6f8a55f042d2f8d5416aad7a31ed732c664d846691d37d60f09	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb8000000000200000000001066000000010000200000003beb0548064457e681112bec783dbff9dfb17f9832c96fdc0d7320d4a3001a7b000000000e80000000020000200000002ddc0fdd0fe3a3d398602c9d02a1244e2a4e9a6954569b846985d3f34b51bb7990000000c064e4c932675ec5a843561dd847977655dca74e8d70a24a22aeea41c4262f3e98b633284b3c461b4c772db8ebce6c467b3eec9bad6832476390b978433388f4fa04bb0a86b57bfd85af4dd9deb806189e864f5e0ef26f7dda0e1914cd02748f13f9025411f525a2a0f49d07b5ebc14d84a7d7df6156e3c9d5388369af177437684b48c83b55739cde43f2098ff1eee640000000004b43f406537cfdf89f54ca96762351162ef95ea20b1ff12b39fb34a0fdfc0da5e9e8dad09e95709098128cd8fb1bc2cba013cae1599f3e2bfa8027bdf2bab0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410037813"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807fa03e883ada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{66B116B1-A67B-11EE-ACBB-46FAA8558A22} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	rundll32.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2696	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2640	rundll32.exe
2640	rundll32.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe
2264	notepad.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2268	ctfmon.exe
2268	ctfmon.exe
2268	ctfmon.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2120	iexplore.exe
2120	iexplore.exe
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2640	2528	rundll32.exe	28
PID 2528 wrote to memory of 2640	2528	rundll32.exe	28
PID 2528 wrote to memory of 2640	2528	rundll32.exe	28
PID 2528 wrote to memory of 2640	2528	rundll32.exe	28
PID 2528 wrote to memory of 2640	2528	rundll32.exe	28
PID 2528 wrote to memory of 2640	2528	rundll32.exe	28
PID 2528 wrote to memory of 2640	2528	rundll32.exe	28
PID 2640 wrote to memory of 2288	2640	rundll32.exe	29
PID 2640 wrote to memory of 2288	2640	rundll32.exe	29
PID 2640 wrote to memory of 2288	2640	rundll32.exe	29
PID 2640 wrote to memory of 2288	2640	rundll32.exe	29
PID 2640 wrote to memory of 2264	2640	rundll32.exe	30
PID 2640 wrote to memory of 2264	2640	rundll32.exe	30
PID 2640 wrote to memory of 2264	2640	rundll32.exe	30
PID 2640 wrote to memory of 2264	2640	rundll32.exe	30
PID 2932 wrote to memory of 2268	2932	explorer.exe	32
PID 2932 wrote to memory of 2268	2932	explorer.exe	32
PID 2932 wrote to memory of 2268	2932	explorer.exe	32
PID 2640 wrote to memory of 2264	2640	rundll32.exe	30
PID 2640 wrote to memory of 2696	2640	rundll32.exe	35
PID 2640 wrote to memory of 2696	2640	rundll32.exe	35
PID 2640 wrote to memory of 2696	2640	rundll32.exe	35
PID 2640 wrote to memory of 2696	2640	rundll32.exe	35
PID 2120 wrote to memory of 2800	2120	iexplore.exe	36
PID 2120 wrote to memory of 2800	2120	iexplore.exe	36
PID 2120 wrote to memory of 2800	2120	iexplore.exe	36
PID 2120 wrote to memory of 2800	2120	iexplore.exe	36
PID 2640 wrote to memory of 2696	2640	rundll32.exe	35
PID 2640 wrote to memory of 2120	2640	rundll32.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\002325c6d5ff1184320cb9d86750b53a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\002325c6d5ff1184320cb9d86750b53a.dll,#1
  2⤵
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2264
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\system32\ctfmon.exe
  ctfmon.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
24d9cc5df8559ff2dbb8a15e3b765836

SHA1
7a65d17d95aa3b30b2ba4f70ebb7f62d12175289

SHA256
b7819876cb0e11a684ae00046fec77ce57df43dd35aeba365c00f05923db4091

SHA512
10e23e06f67747fa6e02bfa0a4c829bbf3bf6a9988cd42616dacb186151adc36b2ac3622d83ab0b25348fc4abc0151a76540bae7e7b370be96b9c275b3a2f979

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7035be2628da638cb43b907d88852e9

SHA1
bc67743d45dd3d33a45b1d5ff57512cbac3f6770

SHA256
90d2b141d7fcc4706c4bc43b55dbe32f88843f05ba0b610a0ba1525c628f91ba

SHA512
8a3f5e72c5359e10b480825c48c0aa9403f73f24c5dd6756c1cf6f52db7111c1dbaf9e0cdd6d524f75fe671cb6b0bf08da5210c211c6e1c7b329b28b83863f80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
995b402414a88e080df531c50aaf522f

SHA1
c04a9b03599df9a5e557ea08a6ca5591012f4a63

SHA256
340dfb23ed8083621243d47d90c1491db805aff8c806ffc3a37b8e53986fc85f

SHA512
0d96fb874b62382a3124d10ac19c05cd9f362d43f9772ac70592748cd7168f14db84b961101b6a51b207b7af9a844a5a26804bd13e0b6ebeff2205cdbdba3f16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98180bba21b8f17712704b9b68391b6f

SHA1
6847487dd8df08211e8f877d8980c1db00a4ab78

SHA256
ff92eae4ead9576cafafc4d861f805ee3584d76710c4837465c6480a85cf356d

SHA512
51436530a03734dd59f30fb486e4ec38ea4499ed9534f4d7ec01ffff72b3b7e4fdd0412c98687491306a6e74dc02a6fdf62db780138c5b550bf0ed9a9e25aca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b660319d2c335f257143be051f1b2800

SHA1
f6287cc7a1607dbdae7b2efc268e67883309662c

SHA256
7447dcceb8654f34af84df5df4ef580fff31ca2388f3e4e1f9f757394724f07d

SHA512
5278a431b666c1af0f3fad8081d491916812f6771ebc969e68e90ebe544aa4f9f8620d6980788d360717f9dc4a7773b3cf1cde27d4b694fb6f229a715263ebd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f045c03e12cf38ae98475442ad948c8

SHA1
e55f96c74dd0abd41837f1443ba2811f8ed0071d

SHA256
0852df2a1e11b72360d875858648e3ab7481190ed9abed8030e560b263044427

SHA512
aa3cb1bb79cf3e5d20861c386c294f842ba2a1f5c692fa12c458cda81486f99d0b9c0bd9b41c34aecd88cbfe958cdbe1290ea4c9a2925975b0e0efcefe1e1199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c02403dfcaaae8c94a6b2f87fe41c7b

SHA1
b5a94a1e348611215cef52dce59ae0ddd18b7ef0

SHA256
8ae5b0feecf70d120ee1c2bb350f2d497ec6a5e12a5a540df8e8a1a8c66296c8

SHA512
8722ebe8519514cefe514851f6ba2accb13f9844e8e68ac7afb1b443b3ecb44521b4bd6a6b02629e9ce6be88ef563ba20b0f6d93954df641a97489b56e4d2e8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98a5eebb67268b89fec1d0b8fd0d0785

SHA1
029b5d469d750d1fa4ef00862b6ee901cdcb8236

SHA256
39503c4f1378da960a9b7e8be38f5c82c6b0d6c59936664d7a27ed08916c5592

SHA512
096bc0d1042786aad64e792497190dcc96a88db44f0e1631346b38de8927a1c4c5d2f4dfc1025a9daf171e0a595a439c1bbeb0dfdf00427d1da306f94adf4cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA8DF.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA93F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2264-6-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2264-8-0x0000000000180000-0x00000000001CD000-memory.dmp

Filesize
308KB

Download
memory/2264-77-0x0000000000180000-0x00000000001CD000-memory.dmp

Filesize
308KB

Download
memory/2264-9-0x0000000000180000-0x00000000001CD000-memory.dmp

Filesize
308KB

Download
memory/2264-12-0x0000000000940000-0x0000000000942000-memory.dmp

Filesize
8KB

Download
memory/2640-0-0x0000000000160000-0x00000000001AD000-memory.dmp

Filesize
308KB

Download
memory/2640-1-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/2640-2-0x0000000000160000-0x00000000001AD000-memory.dmp

Filesize
308KB

Download
memory/2696-11-0x00000000005E0000-0x000000000062D000-memory.dmp

Filesize
308KB

Download
memory/2696-14-0x00000000005E0000-0x000000000062D000-memory.dmp

Filesize
308KB

Download
memory/2696-93-0x00000000005E0000-0x000000000062D000-memory.dmp

Filesize
308KB

Download
memory/2932-5-0x00000000037C0000-0x00000000037D0000-memory.dmp

Filesize
64KB

Download
memory/2932-4-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2932-256-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download