limerat | hxxps://cdn[.]discordapp[.]com/attachments/1208968256501583993/1209158180924432445/contexto[.]rar?ex=65e5e74f&is=65d3724f&hm=9021a81adfbcf884344e75c9dce61d9873b125bb42b8b4db544c355b8c756fa2&

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1208968256501583993/1209158180924432445/contexto.rar?ex=65e5e74f&is=65d3724f&hm=9021a81adfbcf884344e75c9dce61d9873b125bb42b8b4db544c355b8c756fa2&

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
123
antivm
true
c2_url
https://pastebin.com/raw/GNTRhv8N
delay
3
download_payload
false
install
true
install_name
svchost.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/GNTRhv8N
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Nova pasta.exeHK.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Nova pasta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	HK.EXE

Executes dropped EXE 4 IoCs

Processes:

Nova pasta.exeLC.EXEHK.EXEsvchost.exe

pid process

2452 Nova pasta.exe
4328 LC.EXE
1604 HK.EXE
3972 svchost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

69 pastebin.com
70 pastebin.com
71 0.tcp.sa.ngrok.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1912 schtasks.exe

pid	process
2452	Nova pasta.exe
4328	LC.EXE
1604	HK.EXE
3972	svchost.exe

flow	ioc
69	pastebin.com
70	pastebin.com
71	0.tcp.sa.ngrok.io

pid	process
1912	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

1188 msedge.exe
1188 msedge.exe
1948 msedge.exe
1948 msedge.exe
4628 identity_helper.exe
4628 identity_helper.exe
1236 msedge.exe
1236 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

868 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

1948 msedge.exe
1948 msedge.exe
1948 msedge.exe
1948 msedge.exe
1948 msedge.exe
1948 msedge.exe
1948 msedge.exe
1948 msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	msedge.exe

pid	process
1188	msedge.exe
1188	msedge.exe
1948	msedge.exe
1948	msedge.exe
4628	identity_helper.exe
4628	identity_helper.exe
1236	msedge.exe
1236	msedge.exe

pid	process
868	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	868	7zFM.exe
Token: 35	868	7zFM.exe
Token: SeSecurityPrivilege	868	7zFM.exe
Token: SeDebugPrivilege	3972	svchost.exe
Token: SeDebugPrivilege	3972	svchost.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

msedge.exe7zFM.exeLC.EXE

pid	process
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
868	7zFM.exe
1948	msedge.exe
868	7zFM.exe
4328	LC.EXE

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1948 wrote to memory of 5000	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 5000	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 4148	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1188	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1188	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1764	1948	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1208968256501583993/1209158180924432445/contexto.rar?ex=65e5e74f&is=65d3724f&hm=9021a81adfbcf884344e75c9dce61d9873b125bb42b8b4db544c355b8c756fa2&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff921f646f8,0x7ff921f64708,0x7ff921f64718
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10990889221502492316,4986642114313493619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\contexto.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2664

C:\Users\Admin\Desktop\Nova pasta.exe
"C:\Users\Admin\Desktop\Nova pasta.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2452
- C:\Users\Admin\AppData\Local\Temp\LC.EXE
  "C:\Users\Admin\AppData\Local\Temp\LC.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4328
- C:\Users\Admin\AppData\Local\Temp\HK.EXE
  "C:\Users\Admin\AppData\Local\Temp\HK.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1604
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\svchost.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1912
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
76b1bf1cbedc7ec04841ebbf3939a74c

SHA1
c0c28dd7a3626c13c93569250f9d695872ee75c3

SHA256
6a7ae4a55ebf5e481d129323ed5d0e95708f5b247d5fc4bd2a8490d3216a6c4e

SHA512
371f6fb448192f7386bb9d102c53efe94adc70ee749276fa7c02d3e16dc9e08e8b9e78495ea2202e498f4dfe2b2b9b2ec5b4a85c5eafde7cc647ec43fa055862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6c6d60408a241fb15aad7de40b381b0

SHA1
77114da0b9b571b0b98fb662e9655dd9b458efde

SHA256
18264308a924b9dcae6dfa4ad89a54e5df30cc5371feefe81651f5f379599547

SHA512
464582bc5d2a37e2119c4aa5d55a64b76b0e67df0e61efaed2908f2917330dc96e82503cf5416af339fefdc9e87dd890c265d63c5ea41b5fd793a3c4fbd86348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0af497f34c9021f42ca197a2adb4e3c8

SHA1
2794dbe6cf4ed41fcc2f1e32c3a31b0a3667bbed

SHA256
3ea8a6a6486e1b0865fe4a732760a98596ac5c6df13b689111f1004fd8e9aef8

SHA512
aaabc6a5cbf59215918a4cfc7ec012d7519ed530aca81895be40ba764cefbb813542f8f24cb07bfb3f9fc730bb9a2634d256d43c33e28e21631a1a208461c3d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
dc3623f36db9a4361bd966932be58014

SHA1
5ad22bbc64417157f2237696561903b39e6dd1bf

SHA256
877307424e9cec71281979736ad230bb6ad402340f0e5f72db60cf2e3bbaaa75

SHA512
79e833d015544c053c7896656176e9bf2e1732aa3429512d902e5f109f1468b7d05a478af3b632a0b1d1b4c2d3c7600c3fb90449e56e9760d9faf567e9f39b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
849fb2d8c1d1cf00f1b0bc69c63d9ee0

SHA1
4c27b0aafea6f1fbfed960dd9e6849b9b150d9c8

SHA256
f8d41caf67f0b26037f63a473c2277dfc2985b9607bfd545158d9d4b5cf6bd6a

SHA512
8f2bf74a2fd7e9264b766c79dbe85929ce2755bfcd3858b123e6ae10198f9d51225dcaf64ed9b542f4f5828ee7da6f77ebf68a85266fadfc9cf4a607105102e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6e79eea47e1498dfdf2ea385c02ba5e8

SHA1
026bf353c3a7e7edc7256a4204ad2bb781733242

SHA256
dea59f65ffad6ade506c3d3af7ea82d34ba1a3b98522d65176393613202022db

SHA512
514ea62e746cd647fc2405905b982ea3523d59414d64516927ec191c70444f95de035c4944d8a60cf64a1de2729e01b364a754d1492f8114a8d339705dadb7ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ec05774969cee70178010bfa58222ca1

SHA1
4bc0e49624e6d6247a458fa72609179688c201f2

SHA256
18ed8bf2783d2ec4ca03003daa502fe6e812a894354c8669e9ff4aae24721358

SHA512
1262374b8751e1bd20bf208b796be0999ac79c413afacbc2a4c76b126a8695157168e77adcfdd41f83d8b13e4b2867603293b66d0b788756f81ffdba8381861c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HK.EXE

Filesize
37KB

MD5
63710d15a1f745c7000c480d1ddf4a06

SHA1
ff2145da875a9e960f3e1a5827e6618f56152616

SHA256
6b28e06d21307f9ec7852f5f07695d65a20cec2b1d3ce627e23003222ffafee2

SHA512
0b770f73fdfa14b0ca5b22107bdd9a16e86e61f924c2a541e2bc666089468827da78d893fcd36206fb9c1b8c4824e807eecd6157336c96bfe763e3b8d0cd2dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\HK.exe

Filesize
95KB

MD5
e1525cd6c6dc9720f004f27b74c8d018

SHA1
5ae77c31a17d072b043e8aec409c77c111a94e37

SHA256
566894b4452c8489d5acfef3fb762937e749002d1699cb4c09660dfb93d846f9

SHA512
2d4035d607c297b76c1ae94ee1302d9eb176a848f872ad14d22237a2e5cf9f1fcaec06dadeb05fc95bbdb6586ddffb30621354708f8ba64e1e4fbc6770a302f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HK.exe

Filesize
57KB

MD5
4b82fa63361041414f46947a1313d8f9

SHA1
79825ac2e644dcc13db0bfce2663344fca963b68

SHA256
35893bef14cb58ecbb5d6e2df4dec5680da6fdf1aa507361cf1ddef22bfcabf5

SHA512
139c4f40a84ea983979b7f1ad0bbecd48a263d9612e5d05afd107ef91512786d499df4cb94461bb3675e0638c883ae93dceda73c0ec98d092292f6dc179d6782

Download Submit
C:\Users\Admin\AppData\Local\Temp\LC.EXE

Filesize
231KB

MD5
500ee30082725700427a0d3e714ed2a7

SHA1
4443277ec2edf417c3367327769cec392ab65cc2

SHA256
f08ad29f8f232251b04463006b7d17955840ba2394ee06981554a2d4ffb1628b

SHA512
cd28f886cd00b58c8e5199f84da83dc842a2b726eaed156f1f88e9de68dc6b4475b50a51ecaf7a05cae3e2d665ed709cdd1e93c1a97113279fda31dc9da6adf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LC.exe

Filesize
338KB

MD5
ab0703f6f855e6f5303e718ba88a9039

SHA1
e36cad95a0068292a1c4173c4be0f745ff8726a9

SHA256
277b3e56658811b238159fe7fb4faa8580f3a7fd4a9dfee3f4c359d66ab51e7d

SHA512
f4cd9b881367aa880be146645dd3da46cc51f34c079d75d48805a0655897d43edbb0b8298402d74edda7798096f100d58d267ed445de1fbb320222a0afa1663e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LC.exe

Filesize
179KB

MD5
6e29df7cb5446516de57c0eb5858f43d

SHA1
687abe75bb750aef48720abe53c6160bb98934d2

SHA256
c0c65c3aef82862b075276523173c2a363705af483382d69280653d3cc34e717

SHA512
0c835f572b1bd618050cac0fff2e1600df974c14ddee6a7f50663fdb2c6a9f60a3c870ed04caa24bdee0fd576f70089f593a1621f2f83cf51b12358ddc8878d7

Download Submit
C:\Users\Admin\Desktop\Nova pasta.exe

Filesize
2.0MB

MD5
c01c613fc6601ca19fc100b703c6b667

SHA1
9be6a6b0c89a464e7b2ccddfa4cf8f3b8b48e0c1

SHA256
fea1a4d463e427377af3b932aa8961b5f73a5b96fea1c2dde4eca5d3719e6707

SHA512
33c4a386126c12d4b1b5051e22bd272b5358ba3ba91a0993e4efbfc7d2bc6e0b6ee5b904af6276bcaccff6742dbf901fb8165bf5415334bf7dd0557f174fcc7f

Download Submit
C:\Users\Admin\Desktop\Nova pasta.exe

Filesize
1.6MB

MD5
95957cfc47ea73e0668114a33c9989de

SHA1
80d6f804305544f72bf8fc0d56b40af8e4bf1f0c

SHA256
83e27cddd606016039adad00c69b9b20076775153e0378d739cacbd392e2322b

SHA512
24df7d9822583736efe6fdbf31fd070d85f9afef03c5a9a49fd00a0172e8d75879e4c2fa5a70e922e94833aed575657bfdca140d5d91be57bd96462e4337f09e

Download Submit
C:\Users\Admin\Downloads\contexto.rar

Filesize
1.1MB

MD5
37dee081c4ff73fd2252580ea5245a74

SHA1
60930a6197adcd0b96537dcab97e588707fd806c

SHA256
4d842e94ca6b6ea9b4743c71bcb2ec013d632e6835038ccb67e695a1b339cb7d

SHA512
efd66c7a5778ed8b867e53e3909b66db59b28bd28293577de4f4c983b142edc33791911785abb43b27be3a8753b75f10ce7eaa0a12b0be2e3eb57fd1d1ed4348

Download Submit
C:\Users\Admin\Downloads\contexto.rar

Filesize
3.6MB

MD5
b90251c0c8f8862bcf8837364e8e54eb

SHA1
58b28e8a4e4bf5b50772e61a08d501f1cfe75658

SHA256
e0861ca04d51cc65123763f276d2492f4b1a04faaef98f75d3bc24eb39fbe456

SHA512
a59f8c583cf0ef0eef88d8a3d66b6928a6ab3ce9e1069d34245a2f2a01e82e7a98b0e8b29e1828200a192f8470dcabdb5916c46318516245ba3531914f80fe58

Download Submit
\??\pipe\LOCAL\crashpad_1948_WCAFNAISNQXHWZNX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1604-276-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1604-277-0x0000000000D20000-0x0000000000D3E000-memory.dmp

Filesize
120KB

Download
memory/1604-278-0x0000000005750000-0x00000000057EC000-memory.dmp

Filesize
624KB

Download
memory/1604-279-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/1604-280-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/1604-281-0x00000000065F0000-0x0000000006B94000-memory.dmp

Filesize
5.6MB

Download
memory/1604-292-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3972-291-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3972-293-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download