0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe
Size

382KB
MD5

68cbf095bb125e821ea6e9ef606a2150
SHA1

1d741dbb11578bbd98cbf49872d842d8917eeeec
SHA256

0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1
SHA512

c6dbe362dad00b42d21174ebbfedc8d3b1540cda045dc146146229e0916507fede2cb9692be62492ef0a4ad6a3acf2c589c247c8bb16371956c031b294418322
SSDEEP

6144:tQmjUsl9+ZmYjBGA8OBKRmK3JbeYJt+vbnvbFA2yY:qm4sl98m4BOZ4K2B

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 14 IoCs

resource	yara_rule
behavioral1/memory/1796-0-0x0000000000400000-0x0000000000436000-memory.dmp	UPX
behavioral1/files/0x0006000000016cdc-8.dat	UPX
behavioral1/memory/1796-15-0x00000000002A0000-0x00000000002D6000-memory.dmp	UPX
behavioral1/memory/2796-17-0x0000000000400000-0x0000000000436000-memory.dmp	UPX
behavioral1/files/0x0037000000013a84-18.dat	UPX
behavioral1/memory/1796-25-0x0000000000400000-0x0000000000436000-memory.dmp	UPX
behavioral1/memory/2540-28-0x0000000000400000-0x0000000000436000-memory.dmp	UPX
behavioral1/files/0x000b000000012251-39.dat	UPX
behavioral1/memory/2796-60-0x0000000000400000-0x0000000000436000-memory.dmp	UPX
behavioral1/memory/2332-68-0x0000000000400000-0x0000000000436000-memory.dmp	UPX
behavioral1/memory/1592-70-0x0000000000400000-0x0000000000436000-memory.dmp	UPX
behavioral1/memory/2332-87-0x0000000000400000-0x0000000000436000-memory.dmp	UPX
behavioral1/memory/1592-91-0x0000000000400000-0x0000000000436000-memory.dmp	UPX
behavioral1/memory/2540-92-0x0000000000400000-0x0000000000436000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
2796	wmpscfgs.exe
2540	wmpscfgs.exe
2332	wmpscfgs.exe
1592	wmpscfgs.exe

Loads dropped DLL 6 IoCs

pid	Process
1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe
1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe
1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe
1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe
2796	wmpscfgs.exe
2796	wmpscfgs.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1796-0-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/files/0x0006000000016cdc-8.dat	upx
behavioral1/memory/1796-15-0x00000000002A0000-0x00000000002D6000-memory.dmp	upx
behavioral1/memory/2796-17-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/files/0x0037000000013a84-18.dat	upx
behavioral1/memory/1796-25-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2540-28-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/files/0x000b000000012251-39.dat	upx
behavioral1/memory/2796-60-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2332-68-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/1592-70-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2332-87-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/1592-91-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2540-92-0x0000000000400000-0x0000000000436000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\adobe\acrotray .exe	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File created	C:\Program Files (x86)\259414592.dat	wmpscfgs.exe
File created	C:\Program Files (x86)\259414717.dat	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50c81224c091da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000020ffd2f7b470c095f0fac91d4b0565db727925267c5c2e22da896cae5be23c62000000000e80000000020000200000002ae9190fe547d2980689c4048a2e48127b92c4a4bf0a5abf27fab038b22d0564200000004349707c1f9cea2a0d7bd00d9cf3dbdead7be7e19e74404b3067fa4eb6863df640000000af7c137c80367476e7606241b9820ecadb6903ed5d4d15367f7b8d3027ca06fd74a41e2c69088621347948d151a7ec869d17881b1dcc81856df363269174a8d4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419627601"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5F9270B1-FDB3-11EE-A4EE-CEEE273A2359} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a70000000000200000000001066000000010000200000006b202cbc6c05120ddfeb1ef6c204b6ae1de458f217daaeedd688ef2d45a2aedb000000000e8000000002000020000000ce4c6e115aa07b9e9eee523c3d64c1ed92dbe47b05b275be825e7f5b3395b57390000000a7e735e34e72f141c9d26fcd6ef6e95c7875165ff312582242c676437756972e7d0f0afe5af9718f39aee3a1b3832d9888802d7e9763ab1d1e6fe6a4339ab492544c0f5fe41e87b77600598447eb65a7a87590986bb4265b3f91061b37076a2899ab579a38a7faf55b7a588c2c64c119a0b2fa5b440a8e73136cdf3758217c70eaef43a992c0acd36a79da36c7569f954000000098bd67e9a89f3886ae99917c58b70006ee6416252735d09ae6a9910f164de98a7d2fb65701c8b07503e6c078b278068cea8fc7fc1202e0f88f4aa68b43859d0c	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe
2796	wmpscfgs.exe
2796	wmpscfgs.exe
2540	wmpscfgs.exe
2540	wmpscfgs.exe
2332	wmpscfgs.exe
1592	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe
Token: SeDebugPrivilege	2796	wmpscfgs.exe
Token: SeDebugPrivilege	2540	wmpscfgs.exe
Token: SeDebugPrivilege	2332	wmpscfgs.exe
Token: SeDebugPrivilege	1592	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2672	iexplore.exe
2672	iexplore.exe
2672	iexplore.exe
2672	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2672	iexplore.exe
2672	iexplore.exe
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2672	iexplore.exe
2672	iexplore.exe
2224	IEXPLORE.EXE
2224	IEXPLORE.EXE
2672	iexplore.exe
2672	iexplore.exe
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2672	iexplore.exe
2672	iexplore.exe
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2796	1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe	28
PID 1796 wrote to memory of 2796	1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe	28
PID 1796 wrote to memory of 2796	1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe	28
PID 1796 wrote to memory of 2796	1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe	28
PID 1796 wrote to memory of 2540	1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe	29
PID 1796 wrote to memory of 2540	1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe	29
PID 1796 wrote to memory of 2540	1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe	29
PID 1796 wrote to memory of 2540	1796	0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe	29
PID 2672 wrote to memory of 2620	2672	iexplore.exe	32
PID 2672 wrote to memory of 2620	2672	iexplore.exe	32
PID 2672 wrote to memory of 2620	2672	iexplore.exe	32
PID 2672 wrote to memory of 2620	2672	iexplore.exe	32
PID 2796 wrote to memory of 2332	2796	wmpscfgs.exe	33
PID 2796 wrote to memory of 2332	2796	wmpscfgs.exe	33
PID 2796 wrote to memory of 2332	2796	wmpscfgs.exe	33
PID 2796 wrote to memory of 2332	2796	wmpscfgs.exe	33
PID 2796 wrote to memory of 1592	2796	wmpscfgs.exe	34
PID 2796 wrote to memory of 1592	2796	wmpscfgs.exe	34
PID 2796 wrote to memory of 1592	2796	wmpscfgs.exe	34
PID 2796 wrote to memory of 1592	2796	wmpscfgs.exe	34
PID 2672 wrote to memory of 2224	2672	iexplore.exe	35
PID 2672 wrote to memory of 2224	2672	iexplore.exe	35
PID 2672 wrote to memory of 2224	2672	iexplore.exe	35
PID 2672 wrote to memory of 2224	2672	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe
"C:\Users\Admin\AppData\Local\Temp\0c0024c51cc4295bd46ea7ad3ab08d92d4d77a564ed3d11826f98b56765130c1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2620
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:472077 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a904f1ab471634ca16d4483197a3a86

SHA1
dd1a149fb4246697350b2d63cd0e112bb93e9779

SHA256
b22e2c77269fc65638c2e880ca47b457f9fa7e2e52a9be413a9c840be8220a7d

SHA512
2021c02abcd2d6d8acc66e146c398da482692cc9f4cef87b12846d438ad9d5322d4047c5a28c66e779ae4fec56b6bfbe99e3d61f5137558157633c4ddb37d38e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c98b9df6c34762c4d0640961a4d9c2a7

SHA1
4c517e5ea9d91c5c36576dcbf97bdc9d78c79851

SHA256
8814c3c5cdad66520c5d9252c5b2a64a4a92d1c69879d02edd8139472c840389

SHA512
f8e34405a95c6755e8de5fb0a57ef83d2d4f6af41cbed9597abebc177ebc55246a7a7ed952f3bb127d2f44443109fb0543ac8f8720b479af0abbce7caa4e8fce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27518f24d50a0581ef40f6e852e1f9c6

SHA1
172d384414514120f92ceda65ac15bdcfc7835f5

SHA256
aa594eddf13d7ca75a423708de986402e74aa059b6100522ae3ca19214ae113c

SHA512
4729dd26871f491cf44b2a7725ed7a36eed7333638fddf0ae68a851cf3bb0e15c330439e81d6e13de762df3ed640166b25f2f95cd8a5f256db00cfc14189f8d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc1a9c69c1ede1cab3b678d55ffeb862

SHA1
90f570245b36e4d41a5dbfe6cd8331ef6d97e4ee

SHA256
cfe5e75976e408135093a53f28dcd540309d0efb5f605e486b91e1b4cc11a9ae

SHA512
9d1c04c014342d7df59f70f73dd34663eeae387605f1215c5ec68d62b29fdaf008f57c7c69d30e66641b7c836afc4e7f0618eb1d32b52f371a69efe6a877e986

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23df777bd90b765a88932025f578b069

SHA1
b6afb34aae6e46597aa50db0de6ff8f5ff148fe8

SHA256
f449c3fe56fe52ea2ba72e35aac21c45ad1fa96ce55e02294055666a2199f856

SHA512
85cfba879186d64a31315a46d4d9bbace4deead0ca753769cb10ec808ebb5f2474deb58ff5fb0facef6fb365b670415dfe23d1a19fb9674870ad73dabdeb9d1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46795bd4aff3f76d388edd02df996afe

SHA1
9614edd9b68bb11bc77845b64aa91d99f07d5377

SHA256
40fb3e30027eb495dde4ab08347d76beb2fb95ddc1e218543e07e6ea5d1adfd3

SHA512
2186f1b9de3d486f1d5d80033c2a7d9cdfe3e5ce4d56eb71c6e6d3770d07fadc87ffa226b763d33f52c75303e0a0bc780f44573a622ede2b7d1626b47e51b485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f59a39b3b040af31b2836c3d10430b8d

SHA1
4f6f2b54cc3ba0c558660b0cd0d19b5508ba65b0

SHA256
9a45f62c1a9f5130893e83531c1722091c94dd295196648dcbc4a7cfd35401e8

SHA512
77e9ce7ff892c82a466331f0fd2f7bbf13adc3fe7a95da403d4b8112f50cb42003f77bab0049fcb06e4ac6aa5f4ce16d2d533c67433c63a8d5d1844314b7dd84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f96fde70fbfd7c70e46253e1f15717a5

SHA1
2bb8fd5312c1700174a3eae68e7902c297657051

SHA256
b19113c2f7eb1b8cd3c13cc222ff381247b98c58fc5da805a8540fb90215f638

SHA512
78f0bb04371a12ad2d023624a0431ddb4cc01d344e4e22a9f72096c08a4697c024b2e534b34165636996945dd6be872b6175056aa4ab111c02cd6d9bee4bc92c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3ce90a6f2456ea8f5ac4e83cf26054c

SHA1
cbbb143af3cb542322e36e6e5b526630cdbf4c69

SHA256
22e86e3b40464cf76ecbac16cb2cceca4193156c2615f9be1586411f06346562

SHA512
745c82ef5ed67cf0bb4930b7e55cb1dc2fff6d61dda1030b09b243f7e491c637399d1f46cb6cdeab6c09989593702356aeb2ce555f14e78b9a66070294c8e913

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc1c5e47cd9bf4c24bd66256b0fe82f7

SHA1
a3a391c45981acd0490819ea3dbf5cc809a923ad

SHA256
ad268f480d7d91e4c27e625a8008d9ea73a6b6ee165cf93be6e1700736296aee

SHA512
922f7e1ce847ff148e0031b6c6c1e0e1a942715c3bf60b17e45cc6bf9cdef7cbcac47e43f80274973ecafb9ffbf18e109aa8251445a597bb68c043aec9629b47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f30e5016bfffdf5f195732f77e2d1968

SHA1
cd4e140da92bc61aad5c46f788532f7bb1e8755f

SHA256
cabfff4aba93211698641ecc71ffbb53349e15d065495ca7aaf483b51fcdacd3

SHA512
6d84535e2dad6a87216dc1523dea1ca801ebf988ebace3146159fbed7be2891258d07e19c7ba1f8cd10c237ea3bfbce4770bf84826cf7de3f52981c20f15966c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15f4050272f6ab22c0cabf06e5b03c9f

SHA1
23dbda33f3d8e0c03b225d557ed095c05dc64ea6

SHA256
27c0de8990d8cf454461b61d2f1e4ecdb9942d88625482dedf7485a9b179216f

SHA512
a919190f19d2859e0d9059560c52f58894ac8cd2c0a61a3341d0e1b9e4e1d3c94ccb61e1111a18bb8efe03efdeb084cfd38a129a794678a058382b434db82302

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da9ce4767d2fb48227715a06dbb13e93

SHA1
14fcad026b2dadd1ff9fc56dc2b44fa8801d0c70

SHA256
24328f7921425b2cfdec285f6b3c090ff4714d921181f729734de983cd3d859f

SHA512
2be796a822c1d14b16b2393bdc6f840d1f17ba44460e1bc2961849b725f4e421c47c0e68a8a6253f1eda0a40debe392edfd4c7e4da75cd873db8761a5f3c6d8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aea5eedb1b83bac2f2a45e8dd0b040b6

SHA1
e7ec948fcb6859bcfb7bf4dfccfa9dcf2640a0ea

SHA256
9f5aaff88e8bd84788ffa3421227805c0c7d5ab2b8b80a7b415422a30c6244ee

SHA512
ffa6409684980d11e78242a227ea235b8c4c66de55de12b5c563acf489c58201e9a7fbf796903dcc2dc09e5a97439fb55f2ae1ca672ebf98f0aea4207deb101a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
968122718509875545c71579a90033fa

SHA1
362cb988e33cab6fea8df38a680d789c454dfa25

SHA256
cb8fc009fd02277a2c7c7d33c07ad8372d9f49f7b65942a06264727631ddb171

SHA512
b501bde263eac4536ac64a01a1ea20954a65a12fad9f0bd6c035d24499fc88d0317d43bf49efa0903b23cf91412441a713ae149c6b175a96a60683268c5f905a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62e96be256dcf8868c98136013bbf4d5

SHA1
d8745f4901255fd1cd6e181b0b5ae471529a4dfe

SHA256
e095cbba13f2ccd3621655d1c649fcf597b1d6380a7a46a4088844dcfadc5f2d

SHA512
fd2695ac0922a7da698f0890975b368abe2fabbdb5bd95dd7e48711d3819b3ee5a759fccb0372a2615bb27621882e0c8c487e73290c91f86302022cba66526c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b284aa60fc94c0bb5163f1a3780ccb2d

SHA1
ffaf30600908ae6bdbe8906bf894fd49ff2cd9a5

SHA256
37c39e9772d18c195ddf38e3f4185e4557a3677469afb937661e09fa22b6281a

SHA512
3d43250931bda649e29efad3c596d217289c1054b4829c0eb03d72f0bd2fb66966ca7dc610f55b0c4236f3f3fa025e5d55f88e39d590aaa82c11f58ff0ee594b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15094d35e49e175d0878bb6a9a84a162

SHA1
6133353501fa14ba0c2f116ee8ce5534642fd807

SHA256
08346cc7e9dc0367603fe56e8a5bce6c882fbab67eca4fb62c5b108207a1eb2b

SHA512
d28284b263779e33a6a110914a44cbded9f96bcfd9dd438dfabb9ddf9f5af1e9faa45b3fba805331188a4d7438c0386e9b129294c163b9f1e39ce0c6502ab80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JB8Q1DZR\bnSRwkurR[1].js

Filesize
32KB

MD5
4c0f57c52b87f02f9d2ed1ae3859243a

SHA1
8942e2891e8e847934a601d561f4683d169c3b88

SHA256
999eda15b8baaf116b1df2c02cca93e903773d939229ea3bf6a8a981815136e5

SHA512
2e471e9bf4d2cc8f81f1ffe0e969a54d5d4e1776507ba82a9e9a138b4bc249c0a7875e31c3fa22faf0546841bafe436038cb12f04b3490a13babef99b0c82b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7707.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab77E5.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar77F8.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
400KB

MD5
3ef8d31a44c1efa776c84a3944ebbeac

SHA1
ebf954637217f2bea1b784f067cab7af0a7ecd75

SHA256
20cbf27f0f38a79163daa90405dc783b3385968fb7fb3401be4a4b35ca6cb9a9

SHA512
c771344b542524bb4fff0bbf8dc7688a23ad411cd18626884a1e4f270a8b02cb6444cae4b9c33997472e18c3db51260874b13c7550a896245db0182b9282a0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFB17A76AC7F00C95E.TMP

Filesize
16KB

MD5
ee0ee4ce6ca88db2ade407e361a0e2ac

SHA1
0427c9996ee16f2d32bd0045f1f67e98c623d078

SHA256
879fc9f48768e411c67c23bdb26d576a74e2d1f918e2ba4fd72c1eaba70d35a9

SHA512
1aa3cefe3db56d1ab8417f3c3b770af7bd680be0993426db84b5443a00708fb2349304e11eb1542d0b61a6e3c26aed53961bd8263d07c5d31ae8eea904bf059b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\65DBBFK1.txt

Filesize
121B

MD5
1b1ef3eeadd22c980c76825a80e089fd

SHA1
a95802bbd895f30cdfbfac69fa9574e22bb06124

SHA256
c9aa15823accc2649be4859d77482b710cfe41af1eebc90dbc1320b7312d8c60

SHA512
6435d2fe8805dc343f5914c92164050492de483921e8958af3c7d93beb9949c969d3d1f5cf64b770e86b1d638f63f38ba963c795b1163cddd09256d26ca7687d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NKV8I5G8.txt

Filesize
105B

MD5
5cf05930e0aa5aa9617005ead6ab0092

SHA1
abbfbce57a0efe4fd79aaa3a944603814adc2c5e

SHA256
12985ada8b6beed170057e0f16428c37a28b06a0978b99a8cdca449c2f69fa19

SHA512
2b663b359e6dcd7c24082a4f6d2ca06e644b6d2d9aa4ed44e773551261e82ea3e25efbce7e54c0eb8512171c2847d1dbf4be908d86fa7995b0070256657c6bc0

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
414KB

MD5
62b2353d1f2c91540e677d2ac5431d2c

SHA1
ef6631f157a779efd369cba2b2069311805ebd5d

SHA256
70d5824595eed5aa29ad4d8673b015a1ab8063bd72b941639386df0a1051b0bf

SHA512
3624647ef2d3202ae6d86cc6d88b0d24b78fa69d5c6b7ab366f62e296d7f0052b291394577bc375f5bc917235c7096fe7ce760c991221e58648e77ce231e1bcb

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
418KB

MD5
add0fe362a44622b7d4f6638ff6ffb5b

SHA1
1ea0b2254d9b933f2b536e650df0cc8e2c38ea8e

SHA256
eb95538a4f1f261b921dd77308d8a9f96098b0c7eef188de6c114b146ab00093

SHA512
cfb5d68d085728eba02c4124dc2420133bdb57623faa641f1520aac61f8cdf473f0ab6910801fa4585c0e6b232d1a1cad2c656425d0caad6d0e07cfa99d59ac0

Download Submit
memory/1592-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1592-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1796-24-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/1796-27-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/1796-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1796-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1796-15-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/1796-1-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2332-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2332-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2540-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2540-42-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2540-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-576-0x0000000000840000-0x0000000000876000-memory.dmp

Filesize
216KB

Download
memory/2796-575-0x0000000000840000-0x0000000000876000-memory.dmp

Filesize
216KB

Download
memory/2796-71-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/2796-69-0x0000000000840000-0x0000000000876000-memory.dmp

Filesize
216KB

Download
memory/2796-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-29-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2796-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download