djvu | 261fdc86bd8ccc62299a6f57194d59167a751f3b8b8649f8a252d39ca3a31226

Analysis

max time kernel
86s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b09acb6cc6425fade98408ec43bfcd3.exe
Size

227KB
MD5

7b09acb6cc6425fade98408ec43bfcd3
SHA1

681ec6f05ccc78aa5e519b1fb13cab4455fb2638
SHA256

261fdc86bd8ccc62299a6f57194d59167a751f3b8b8649f8a252d39ca3a31226
SHA512

74621bef98d9c8ce9e33cf1731c16bbe4d3fda2fca06ed03b09f9b5237e4747f0ac0229f70afa852d8c4d1d3baf5b0411e76f568619a038cef39ae55611c6bc3
SSDEEP

3072:/lWhcm24zbcZ87k2gW9YEBkWbnkxvWAhJ7MQUune3UUpS6eC2OiH:/Scm24zbcZ12gXEeWb0/n76EeEaS64

Score

10^/10

djvu glupteba lumma redline smokeloader logsdiller cloud (tg: @logsdillabot)pub1 backdoor discovery dropper infostealer loader persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

Signatures

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1532-22-0x00000000028B0000-0x00000000029CB000-memory.dmp	family_djvu
behavioral2/memory/3552-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3552-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3552-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3552-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3552-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3312-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3312-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3312-46-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2396-151-0x0000000002FA0000-0x000000000388B000-memory.dmp	family_glupteba
behavioral2/memory/2396-183-0x0000000000400000-0x0000000000ECD000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3732-60-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

BFA7.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation BFA7.exe
Deletes itself 1 IoCs

Processes:

pid process

3456
Executes dropped EXE 9 IoCs

Processes:

BFA7.exeBFA7.exeBFA7.exeBFA7.exeD9E7.exe1396.exeuhfufsh8C13.exe9F4E.exe

pid process

1532 BFA7.exe
3552 BFA7.exe
3584 BFA7.exe
3312 BFA7.exe
2752 D9E7.exe
2644 1396.exe
1124 uhfufsh
3116 8C13.exe
2396 9F4E.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4376 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	BFA7.exe

pid	process
3456

pid	process
1532	BFA7.exe
3552	BFA7.exe
3584	BFA7.exe
3312	BFA7.exe
2752	D9E7.exe
2644	1396.exe
1124	uhfufsh
3116	8C13.exe
2396	9F4E.exe

pid	process
4376	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

BFA7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6dec708b-285e-4c5a-9950-21db5d487103\\BFA7.exe\" --AutoStart"	BFA7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

75 drive.google.com
70 raw.githubusercontent.com
71 raw.githubusercontent.com
72 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 api.2ip.ua
26 api.2ip.ua

flow	ioc
75	drive.google.com
70	raw.githubusercontent.com
71	raw.githubusercontent.com
72	drive.google.com

flow	ioc
25	api.2ip.ua
26	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

BFA7.exeBFA7.exeD9E7.exe

description	pid	process	target process
PID 1532 set thread context of 3552	1532	BFA7.exe	BFA7.exe
PID 3584 set thread context of 3312	3584	BFA7.exe	BFA7.exe
PID 2752 set thread context of 3732	2752	D9E7.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3064 3312 WerFault.exe BFA7.exe
2556 2752 WerFault.exe D9E7.exe

pid	pid_target	process	target process
3064	3312	WerFault.exe	BFA7.exe
2556	2752	WerFault.exe	D9E7.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

uhfufsh7b09acb6cc6425fade98408ec43bfcd3.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uhfufsh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7b09acb6cc6425fade98408ec43bfcd3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7b09acb6cc6425fade98408ec43bfcd3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7b09acb6cc6425fade98408ec43bfcd3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uhfufsh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uhfufsh

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7b09acb6cc6425fade98408ec43bfcd3.exe

pid	process
3700	7b09acb6cc6425fade98408ec43bfcd3.exe
3700	7b09acb6cc6425fade98408ec43bfcd3.exe
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

7b09acb6cc6425fade98408ec43bfcd3.exeuhfufsh

pid process

3700 7b09acb6cc6425fade98408ec43bfcd3.exe
1124 uhfufsh

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

D9E7.exeRegAsm.exe8C13.exe

description	pid	process
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeDebugPrivilege	2752	D9E7.exe
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeDebugPrivilege	3732	RegAsm.exe
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeDebugPrivilege	3116	8C13.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

cmd.exeBFA7.exeBFA7.exeBFA7.exeD9E7.execmd.exe

description	pid	process	target process
PID 3456 wrote to memory of 968	3456		cmd.exe
PID 3456 wrote to memory of 968	3456		cmd.exe
PID 968 wrote to memory of 4496	968	cmd.exe	reg.exe
PID 968 wrote to memory of 4496	968	cmd.exe	reg.exe
PID 3456 wrote to memory of 1532	3456		BFA7.exe
PID 3456 wrote to memory of 1532	3456		BFA7.exe
PID 3456 wrote to memory of 1532	3456		BFA7.exe
PID 1532 wrote to memory of 3552	1532	BFA7.exe	BFA7.exe
PID 1532 wrote to memory of 3552	1532	BFA7.exe	BFA7.exe
PID 1532 wrote to memory of 3552	1532	BFA7.exe	BFA7.exe
PID 1532 wrote to memory of 3552	1532	BFA7.exe	BFA7.exe
PID 1532 wrote to memory of 3552	1532	BFA7.exe	BFA7.exe
PID 1532 wrote to memory of 3552	1532	BFA7.exe	BFA7.exe
PID 1532 wrote to memory of 3552	1532	BFA7.exe	BFA7.exe
PID 1532 wrote to memory of 3552	1532	BFA7.exe	BFA7.exe
PID 1532 wrote to memory of 3552	1532	BFA7.exe	BFA7.exe
PID 1532 wrote to memory of 3552	1532	BFA7.exe	BFA7.exe
PID 3552 wrote to memory of 4376	3552	BFA7.exe	icacls.exe
PID 3552 wrote to memory of 4376	3552	BFA7.exe	icacls.exe
PID 3552 wrote to memory of 4376	3552	BFA7.exe	icacls.exe
PID 3552 wrote to memory of 3584	3552	BFA7.exe	BFA7.exe
PID 3552 wrote to memory of 3584	3552	BFA7.exe	BFA7.exe
PID 3552 wrote to memory of 3584	3552	BFA7.exe	BFA7.exe
PID 3584 wrote to memory of 3312	3584	BFA7.exe	BFA7.exe
PID 3584 wrote to memory of 3312	3584	BFA7.exe	BFA7.exe
PID 3584 wrote to memory of 3312	3584	BFA7.exe	BFA7.exe
PID 3584 wrote to memory of 3312	3584	BFA7.exe	BFA7.exe
PID 3584 wrote to memory of 3312	3584	BFA7.exe	BFA7.exe
PID 3584 wrote to memory of 3312	3584	BFA7.exe	BFA7.exe
PID 3584 wrote to memory of 3312	3584	BFA7.exe	BFA7.exe
PID 3584 wrote to memory of 3312	3584	BFA7.exe	BFA7.exe
PID 3584 wrote to memory of 3312	3584	BFA7.exe	BFA7.exe
PID 3584 wrote to memory of 3312	3584	BFA7.exe	BFA7.exe
PID 3456 wrote to memory of 2752	3456		D9E7.exe
PID 3456 wrote to memory of 2752	3456		D9E7.exe
PID 3456 wrote to memory of 2752	3456		D9E7.exe
PID 2752 wrote to memory of 1948	2752	D9E7.exe	RegAsm.exe
PID 2752 wrote to memory of 1948	2752	D9E7.exe	RegAsm.exe
PID 2752 wrote to memory of 1948	2752	D9E7.exe	RegAsm.exe
PID 2752 wrote to memory of 3732	2752	D9E7.exe	RegAsm.exe
PID 2752 wrote to memory of 3732	2752	D9E7.exe	RegAsm.exe
PID 2752 wrote to memory of 3732	2752	D9E7.exe	RegAsm.exe
PID 2752 wrote to memory of 3732	2752	D9E7.exe	RegAsm.exe
PID 2752 wrote to memory of 3732	2752	D9E7.exe	RegAsm.exe
PID 2752 wrote to memory of 3732	2752	D9E7.exe	RegAsm.exe
PID 2752 wrote to memory of 3732	2752	D9E7.exe	RegAsm.exe
PID 2752 wrote to memory of 3732	2752	D9E7.exe	RegAsm.exe
PID 3456 wrote to memory of 2644	3456		1396.exe
PID 3456 wrote to memory of 2644	3456		1396.exe
PID 3456 wrote to memory of 2644	3456		1396.exe
PID 3456 wrote to memory of 4504	3456		cmd.exe
PID 3456 wrote to memory of 4504	3456		cmd.exe
PID 4504 wrote to memory of 4908	4504	cmd.exe	reg.exe
PID 4504 wrote to memory of 4908	4504	cmd.exe	reg.exe
PID 3456 wrote to memory of 3116	3456		8C13.exe
PID 3456 wrote to memory of 3116	3456		8C13.exe
PID 3456 wrote to memory of 2396	3456		9F4E.exe
PID 3456 wrote to memory of 2396	3456		9F4E.exe
PID 3456 wrote to memory of 2396	3456		9F4E.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7b09acb6cc6425fade98408ec43bfcd3.exe
"C:\Users\Admin\AppData\Local\Temp\7b09acb6cc6425fade98408ec43bfcd3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AE9F.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\BFA7.exe
C:\Users\Admin\AppData\Local\Temp\BFA7.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\BFA7.exe
C:\Users\Admin\AppData\Local\Temp\BFA7.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6dec708b-285e-4c5a-9950-21db5d487103" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4376

C:\Users\Admin\AppData\Local\Temp\BFA7.exe
"C:\Users\Admin\AppData\Local\Temp\BFA7.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Local\Temp\BFA7.exe
"C:\Users\Admin\AppData\Local\Temp\BFA7.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 568
5⤵
- Program crash
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3312 -ip 3312
1⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\D9E7.exe
C:\Users\Admin\AppData\Local\Temp\D9E7.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 836
2⤵
- Program crash
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2752 -ip 2752
1⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\1396.exe
C:\Users\Admin\AppData\Local\Temp\1396.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\16F2.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4908

C:\Users\Admin\AppData\Roaming\uhfufsh
C:\Users\Admin\AppData\Roaming\uhfufsh
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1124

C:\Users\Admin\AppData\Local\Temp\8C13.exe
C:\Users\Admin\AppData\Local\Temp\8C13.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\9F4E.exe
C:\Users\Admin\AppData\Local\Temp\9F4E.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\9F4E.exe
"C:\Users\Admin\AppData\Local\Temp\9F4E.exe"
2⤵
PID:1176

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3308

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
4305f3b83ea7e48583ca9863f6a51c75

SHA1
83587d71d6baeca1bc553f67a84c399789c91cb5

SHA256
2251e0ab16b12b3590efe8b9793dc002345123f8a9dd98c4c31c957995b99273

SHA512
94c77f16fa66618ed073af0157d191efd39b9ef78ff7113a224117c8156594b36076b40ab7aafb8ec534dd82a069339486b693c8d672e431e2330be4a4c4eea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
3b5ce0ab5f48896a24894f915f6888b5

SHA1
1fdac639b93393c6d1bd9dd1965522debe9cc8f3

SHA256
e2e8d5febe2c333afe8c3a199d27bfd4d787fbc7b92025e3e49f1294c7d2d99b

SHA512
9701c13b9c681590d700ce3edecd8180d6e0ed07b16153018bc02a08b12abdd59327efc9cb21208a85b38ae1a99aebac372a0378984fd5224f7a8045830049a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
5438399e35344fd436c4a134915d34a6

SHA1
2c58d8229bebd3d97e7e7bec125da4caebcd461b

SHA256
d0831327b04aa49d3744d248a66ece8b5be5279064d543f6a3e376fd50037865

SHA512
cc011d1b255cf6eadcecd5e5345569aee96bdb4ac4cb9ac4af0521798f0d85cb0bf3d33ef51b6ceafa8b4045d5d3242d5b5b2e242b8bc2cf6c96c4b387a2c2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1396.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C13.exe
Filesize
30.6MB

MD5
ff35671d54d612772b0c22c141a3056e

SHA1
d005a27cd48556bf17eb9c2b43af49b67347cc0e

SHA256
2f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512

SHA512
9a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F4E.exe
Filesize
4.1MB

MD5
e445c438749eab1cc57d98407a83875a

SHA1
4b67b8f084aaf3a7a89534b32beab4e5faef674d

SHA256
f5cb5ace2b7d35f46c14eb827cf041dba371d5b9b9c8c7ef8ca4af01faebab37

SHA512
1e338586df2dcf4a77f9605860e18c5feb6f0cdabf7165877a53996af944aac361a4ca1faa2cce791a0d1336458965888d05af495bb6e2faac6031ed3cd160d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F4E.exe
Filesize
1.6MB

MD5
ea13ad53adc157def5fd150fda23d492

SHA1
d52ab628a8b0aea12434b802f271f1f2ed4ae08f

SHA256
eb33959b99858e4961b747c8fe54f24289abe775d90b525bf789ab8500c7af7d

SHA512
969335b51863178f44f1f0cb42d6c21de0dc71faa5f1dd66ff84b13af93e4f23638a3fd74b6222c1f1c1837f4aa6389eb06e975277978df3c7b51687e27525c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE9F.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFA7.exe
Filesize
759KB

MD5
46a230d9be88dd7dca63ab0ec41c0b14

SHA1
8072cc39226b6b18164eb58a81ce7433fae55c58

SHA256
59b4a0b07d2a7901e49e8cc55c2eae5b457fde6e8b25295374a3e4ee37e207b5

SHA512
8c21b6c8f33608e47ead31e1e731a7cd4791d53a05f4574143156f067669a4ced8b48ffcd4f13f5d9cf9eb63dfa7873d8f491b4a02e05370fd03ca210adf9a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9E7.exe
Filesize
392KB

MD5
89ec2c6bf09ed9a38bd11acb2a41cd1b

SHA1
408549982b687ca8dd5efb0e8b704a374bd8909d

SHA256
da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

SHA512
c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wklua5pr.m1h.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\uhfufsh
Filesize
227KB

MD5
7b09acb6cc6425fade98408ec43bfcd3

SHA1
681ec6f05ccc78aa5e519b1fb13cab4455fb2638

SHA256
261fdc86bd8ccc62299a6f57194d59167a751f3b8b8649f8a252d39ca3a31226

SHA512
74621bef98d9c8ce9e33cf1731c16bbe4d3fda2fca06ed03b09f9b5237e4747f0ac0229f70afa852d8c4d1d3baf5b0411e76f568619a038cef39ae55611c6bc3

Download Submit
memory/1084-216-0x0000000001000000-0x000000000104B000-memory.dmp

Filesize
300KB

Download
memory/1084-213-0x0000000001000000-0x000000000104B000-memory.dmp

Filesize
300KB

Download
memory/1124-135-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1124-139-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1124-134-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/1532-22-0x00000000028B0000-0x00000000029CB000-memory.dmp

Filesize
1.1MB

Download
memory/1532-21-0x00000000027C0000-0x000000000285A000-memory.dmp

Filesize
616KB

Download
memory/2396-150-0x0000000002B90000-0x0000000002F98000-memory.dmp

Filesize
4.0MB

Download
memory/2396-151-0x0000000002FA0000-0x000000000388B000-memory.dmp

Filesize
8.9MB

Download
memory/2396-183-0x0000000000400000-0x0000000000ECD000-memory.dmp

Filesize
10.8MB

Download
memory/2644-125-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-112-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-128-0x0000000000C90000-0x0000000001975000-memory.dmp

Filesize
12.9MB

Download
memory/2644-126-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-123-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-124-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-122-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-121-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-117-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-120-0x0000000000C80000-0x0000000000C82000-memory.dmp

Filesize
8KB

Download
memory/2644-119-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-118-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-113-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-116-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-115-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-114-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-111-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-109-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-83-0x0000000000C90000-0x0000000001975000-memory.dmp

Filesize
12.9MB

Download
memory/2644-108-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-91-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2644-90-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2644-93-0x0000000000C90000-0x0000000001975000-memory.dmp

Filesize
12.9MB

Download
memory/2644-94-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2644-95-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2644-92-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/2644-96-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2644-99-0x0000000000A70000-0x0000000000AA2000-memory.dmp

Filesize
200KB

Download
memory/2644-98-0x0000000000A70000-0x0000000000AA2000-memory.dmp

Filesize
200KB

Download
memory/2644-100-0x0000000000A70000-0x0000000000AA2000-memory.dmp

Filesize
200KB

Download
memory/2644-101-0x0000000000A70000-0x0000000000AA2000-memory.dmp

Filesize
200KB

Download
memory/2644-102-0x0000000000A70000-0x0000000000AA2000-memory.dmp

Filesize
200KB

Download
memory/2644-104-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-103-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-106-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2644-107-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2752-73-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/2752-54-0x0000000000790000-0x00000000007F4000-memory.dmp

Filesize
400KB

Download
memory/2752-55-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/2752-64-0x0000000002DD0000-0x0000000004DD0000-memory.dmp

Filesize
32.0MB

Download
memory/2752-57-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/2752-56-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/3116-182-0x00007FF702E40000-0x00007FF704D8C000-memory.dmp

Filesize
31.3MB

Download
memory/3116-215-0x00007FF702E40000-0x00007FF704D8C000-memory.dmp

Filesize
31.3MB

Download
memory/3312-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3312-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3312-46-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3456-136-0x0000000002D60000-0x0000000002D76000-memory.dmp

Filesize
88KB

Download
memory/3456-4-0x0000000002B60000-0x0000000002B76000-memory.dmp

Filesize
88KB

Download
memory/3456-174-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/3552-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3552-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3552-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3552-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3552-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3584-40-0x0000000000C80000-0x0000000000D1B000-memory.dmp

Filesize
620KB

Download
memory/3700-1-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/3700-5-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/3700-8-0x00000000006E0000-0x00000000006EB000-memory.dmp

Filesize
44KB

Download
memory/3700-3-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/3700-2-0x00000000006E0000-0x00000000006EB000-memory.dmp

Filesize
44KB

Download
memory/3732-70-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/3732-130-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/3732-60-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3732-127-0x00000000076C0000-0x0000000007710000-memory.dmp

Filesize
320KB

Download
memory/3732-62-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/3732-63-0x0000000004DD0000-0x0000000004E62000-memory.dmp

Filesize
584KB

Download
memory/3732-65-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3732-67-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

Filesize
40KB

Download
memory/3732-66-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/3732-68-0x0000000005F50000-0x0000000006568000-memory.dmp

Filesize
6.1MB

Download
memory/3732-69-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/3732-105-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3732-71-0x00000000050A0000-0x00000000050DC000-memory.dmp

Filesize
240KB

Download
memory/3732-72-0x00000000050E0000-0x000000000512C000-memory.dmp

Filesize
304KB

Download
memory/3732-74-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/3732-110-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/3732-84-0x0000000006A40000-0x0000000006C02000-memory.dmp

Filesize
1.8MB

Download
memory/3732-86-0x0000000007140000-0x000000000766C000-memory.dmp

Filesize
5.2MB

Download