f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Size

352KB
MD5

528f6a10f082f1fddd96c1d4f0bfce95
SHA1

bf2336177611e605410f61cbbf5a3deb2d186f3e
SHA256

f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416
SHA512

e013cdfcf443cf174d3b0319b77f989119f2be29b0e14a09022216e410485e909801cc26c07b076ef620444bc987a8ab327165d279a067b53efe24fa66533a66
SSDEEP

6144:B/3Uddl5Imn5crCyRKqUeyo3NczQgcTq4jpqMhBrq:B8ddl5Im5cg+yo3a81Hhhq

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\wKTiyscK2.README.txt

Ransom Note

To recover your encrypted data, you must purchase a decryptor from us. We accept XMR (Monero) or BTC (Bitcoins) cryptocurrencies. XMR payment must be sent to: 8AP3aG4nxR3gka11FEDnJGftEyJkQLTVEQjPgrzkh2JU9u6KZYtLdn9eQynn1ogJgUhPBHVp6UoWANgETHK9wHUtQHLcSAa BTC payment must be sent to: 14hsKjR7L2KNmPpzeoXtNB8C2AuBL5Ch88 If you pay within 3 hours, then you only have to pay either 5 XMR or 0.1 BTC. If you pay within 6 hours, then you only have to pay either 15 XMR or 0.3 BTC. If you pay within 12 hours, then you only have to pay either 45 XMR or 0.9 BTC. If you pay within 24 hours, then you only have to pay either 135 XMR or 2.7 BTC. If you pay within 48 hours, then you must pay either 405 XMR or 8.1 BTC. If you pay within 96 hours, then you must pay either 1215 XMR or 24.3 BTC. After 96 hours you cannot recover your data. If you cooperate with us, then you will recover your data. If you delete or alter your files, or if you attempt to recover the data yourself, then your data will be lost forever. The decryptor won't work if you modify anything. To receive the decryptor to recover your data, carefully follow these instructions: 1. Send XMR to 8AP3aG4nxR3gka11FEDnJGftEyJkQLTVEQjPgrzkh2JU9u6KZYtLdn9eQynn1ogJgUhPBHVp6UoWANgETHK9wHUtQHLcSAa 2. Pay in full. Any lesser amount will be ignored. Copy and paste the XMR address. Do not type it by hand. 3. Email us at [email protected] 4. Include the TXID and TXKEY of your payment at the beginning of your email. So we know it is from you. Emails without this info will be ignored. 5. Plain text only. Any attachments, links, javascript, or other fingerprinting will be blocked and ignored, and we will not send the decryptor. 6. Please be patient. We check email often but not every second. Using your normal email will expedite your recovery. 7. If our email is broken, bounces back, or is compromised, then you may instead email us at: [email protected] 8. After 1 confirmation on the blockchain, of the correct amount according to the timetable, only then will we reply with the decryptor. 9. You may need to check your spam folder for our reply. The decryptor will include instructions how to fully recover your data. If you are too stupid to use XMR, then you may instead pay with Bitcoins. Bitcoins may be sent to: 14hsKjR7L2KNmPpzeoXtNB8C2AuBL5Ch88 Please include your BTC TxID in your email and a very brief explanation why you're stupid. If you are too stupid to understand that your data are gone forever, unless you pay, then not even a decryptor can help you. If you are smart enough to understand why you're racing and whom you're racing against, then tell us in your email. If correct, then we will fully refund your XMR or BTC when we send the decryptor. We don't think you're smart enough to understand why you're racing, but we hope to be surprised. WE WILL NOT REPLY UNTIL PAYMENT IS RECEIVED. WE WILL NOT SEND THE DECRYPTOR IF YOU ATTEMPT TO IDENTIFY US OR STOP US IN ANY WAY. IF YOU COMPLY AND PAY, YOUR DATA CAN BE RECOVERED IN LESS THAN A DAY. IF YOU HAVE BACKUPS AND ARE UNAFFECTED BY THIS RACE, THEN YOU ALREADY WON.

Emails

[email protected]

Wallets

14hsKjR7L2KNmPpzeoXtNB8C2AuBL5Ch88

Signatures

Renames multiple (348) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2136	2BD1.tmp

Executes dropped EXE 1 IoCs

pid	Process
2136	2BD1.tmp

Loads dropped DLL 1 IoCs

pid	Process
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\wKTiyscK2.bmp"	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\wKTiyscK2.bmp"	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2136	2BD1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\WallpaperStyle = "10"	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wKTiyscK2\DefaultIcon\ = "C:\\ProgramData\\wKTiyscK2.ico"	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wKTiyscK2	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wKTiyscK2\ = "wKTiyscK2"	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wKTiyscK2\DefaultIcon	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wKTiyscK2	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp
2136	2BD1.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeDebugPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: 36	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeImpersonatePrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeIncBasePriorityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeIncreaseQuotaPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: 33	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeManageVolumePrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeProfSingleProcessPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeRestorePrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSystemProfilePrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeTakeOwnershipPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeShutdownPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeDebugPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeBackupPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
Token: SeSecurityPrivilege	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2136	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe	30
PID 2872 wrote to memory of 2136	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe	30
PID 2872 wrote to memory of 2136	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe	30
PID 2872 wrote to memory of 2136	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe	30
PID 2872 wrote to memory of 2136	2872	f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe	30
PID 2136 wrote to memory of 1424	2136	2BD1.tmp	31
PID 2136 wrote to memory of 1424	2136	2BD1.tmp	31
PID 2136 wrote to memory of 1424	2136	2BD1.tmp	31
PID 2136 wrote to memory of 1424	2136	2BD1.tmp	31

C:\Users\Admin\AppData\Local\Temp\f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe
"C:\Users\Admin\AppData\Local\Temp\f9b0a14a2070d1aa76598960a7ff4e1da637aa3ac37a73eecfb63bed95a0b416.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\ProgramData\2BD1.tmp
  "C:\ProgramData\2BD1.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2BD1.tmp >> NUL
    3⤵
    PID:1424

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\CCCCCCCCCCC

Filesize
129B

MD5
08e9926251379271293511799eb87036

SHA1
29d3061039e4de392f40450c5dd0023be8afa426

SHA256
311e2cdbde9a1827649c15da8e2f456c2e1f5ffa73070f36686d4621eea372cb

SHA512
27fb886aabca161c29b3b2aaa3aaea92c17db6c4a67b1f44ba9fbceb4f3f0a2f068d321d8b998386a50a822de640a13a4e4ccb287bd71a6b79ba2fc3c7e3a95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
352KB

MD5
a4cc7a2a95c4f881954c3780e6699efe

SHA1
28e58715141ec12edfde7dc0e97cd9b1e874b4a2

SHA256
3ce4a5806088774b3f381fbd7071fc46dccc62b8a484001560f39c6f17078c0f

SHA512
ef2fe905c83268363c17fda10de88fedee156fd435640d2887cb6f376612cb970623e3907d02048d07e68f8e254a3da180f2935d43e9a667c8c02749e7b8f4d1

Download Submit
C:\wKTiyscK2.README.txt

Filesize
3KB

MD5
892efc7e09681c42b36b2fe98c290bb9

SHA1
804e40761e6a48268ab4365abb1866a8984ffee7

SHA256
2d852c14216da672726944ab517ad206413343af9cbd0cb0e035e0689a3c9362

SHA512
83da941bf64a9a4036034d85d0385113ffac517e906ae799fa45a3e15dd32c81120b80db9e1398a93c01d2ed2c8a27e8e6c2832c21bfb1490a3b144c35272218

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\DDDDDDDDDDD

Filesize
129B

MD5
3654b9196d795120b5d19df920428e8b

SHA1
0ae7bb85032800db46ebe37473cedc7bea65b005

SHA256
166dc51d4cd2022c0750fd4fd0005150497a1d59843deaa9333e1461bdbce143

SHA512
5e00274b6e9f0a12b5d3c0f4d0ef27a574f46ae2ee635a35cb55521d593b1f85058b9eae0384747df4b7da16ea8d476e37cd06dbd4f1c96c797a1b107087621e

Download Submit
\ProgramData\2BD1.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2136-885-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2872-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2872-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-10-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-5-0x0000000000401000-0x0000000000419000-memory.dmp

Filesize
96KB

Download
memory/2872-6-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-884-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-886-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download
memory/2872-4-0x00000000002F0000-0x000000000032C000-memory.dmp

Filesize
240KB

Download