hxxps://shorturl[.]at/uPYud

Resubmissions

15/06/2024, 21:06

240615-zxwjgayaqn 8

15/06/2024, 19:06

240615-xsjb8s1hrc 8

Analysis

max time kernel
389s
max time network
386s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15/06/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://shorturl.at/uPYud

Score

8^/10

pyinstaller

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3296	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe

Loads dropped DLL 22 IoCs

pid	Process
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe
2324	Simple.Autoclicker.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000900000001ac4a-34.dat	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629591896464442"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3112	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
2132	chrome.exe
2132	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3988	chrome.exe
3988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
2324	Simple.Autoclicker.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2324	Simple.Autoclicker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 904	3988	chrome.exe	73
PID 3988 wrote to memory of 904	3988	chrome.exe	73
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 4376	3988	chrome.exe	75
PID 3988 wrote to memory of 2704	3988	chrome.exe	76
PID 3988 wrote to memory of 2704	3988	chrome.exe	76
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77
PID 3988 wrote to memory of 4952	3988	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://shorturl.at/uPYud
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb457a9758,0x7ffb457a9768,0x7ffb457a9778
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:2
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:8
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5320 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5364 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5696 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5580 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Users\Admin\Downloads\Simple.Autoclicker.exe
  "C:\Users\Admin\Downloads\Simple.Autoclicker.exe"
  2⤵
  - Executes dropped EXE
  PID:3296
- - C:\Users\Admin\Downloads\Simple.Autoclicker.exe
    "C:\Users\Admin\Downloads\Simple.Autoclicker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:8
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5488 --field-trial-handle=1864,i,4634552224837099723,6395358762674104890,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2132

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1088

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WatchUnblock.css
1⤵
- Opens file in notepad (likely ransom note)
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f49b442b5fd6ae249aec5c5e549f5463

SHA1
1510334877eda0e0864cc603865c340ad8b8dea2

SHA256
ada3970190ce36605f1fc0f3da35aa4f7f5aab203a607eebe41ca44ca630d1e8

SHA512
39bee4bc485df89cdee9e85f5cadbe4c01e4f44e8fd239222b7792c1aee2f29023c3fea89f826e135545d17d755397a4e20e53e5d2e52406c8ba94a7bd2d3ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
902B

MD5
5a08762ef5c9c1fc3744d93a62044543

SHA1
51da0fec298b363d55f9dcbb3ef98e28a72a78a0

SHA256
c30d966271a1bebe7886fc14679d163ca5294f5f89439e5d101697c3705110e4

SHA512
8316190feedb9af2dc7eca05ebc019d2ba95b359807260fd8f362b10556e4dfb476e6443e661f6f87b6f59ee1c4051f2408da630680387871a365a51458585b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
ddd87eabbf78f052090c07f5d38499db

SHA1
3c8fac0ee65d0df827f08ed04ae555374522f1bc

SHA256
0768d7046ded7d97d53ecf35fc08418e4e2dbab65c15fd31586abd4cdbcbf865

SHA512
1e223f29e73b7f47cda40f5f368761693244cb7232ce71c7c49d93f1498daa0940d722686f17ef8c3d35ed435c1f8b60e08a94d0d588d8c37930b17129b31308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eb05f8e1fd05ab348bdd5dd93282138d

SHA1
dc3edc5c3c9f57478eaee3261c7c402ef4c2aec0

SHA256
1bd5eb95422ae5ac1d8d5ae2693e4059f879be1125b1f37e47259b8efdad890c

SHA512
6149b067a1534dc8df58914150a95922d0ba7d1de58aa136dd648ef7c6ee7531119a55ddd83edeb5c08ee7b09c7d676212a67705db42258898097d7e3dec8cbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e9f344569dbcc217b9e303e048262474

SHA1
2b246a3141c733c02eeb07933289980aed20dee7

SHA256
93de1b60431131aefe1269fa43a62140e8c6c34e8ac3d44dbbd886123bb53101

SHA512
f5c2033458546e2eb854594e51d2b52edcd48370b3537efe5d2d8db285c5ead21a88573d2159d486c17bfa066ff50239b07be14ab18844e6a938d73d4589b21b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
8da44868065ed631999902e8a5fbc584

SHA1
1424ffc4e71fa3d19a862ba2367a404ce1eb1020

SHA256
37e69de92a08b8098066b505b6efca9fd80c15fa884e3453d8045ced34ce61a7

SHA512
15fa8e9436fdc2dfab66ea95af492a03c3a637569135b6c639bdd47c3acc7b9f04322c711cdc15fcc5294354b1e1d46bbcd0f63951599b2dc1da19bdf7a2200e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
f62762b52b4fb3d9859e293fbfbd350e

SHA1
32e03ebe755341a087690ef3a50ac747f23492b0

SHA256
41ab06e07000c175e312001c719ad69f1fb3fbf0fd441d5fab55a92618eb23a5

SHA512
ebc2444bc59ec55f30fac5c9a9ad1a875749b5b30ad16f26804945a7318d54e12f3fbfd56beef3f4027a7f935625a592d6363dd890f751bc186d0c74a85ac9b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
c43ffb2515b4c2614abb52315f9a17bc

SHA1
3d1b334bbeea3f7beaa8294ddde7569187af83e8

SHA256
2df1882da00584930b555d9d5703fab464f002b919977dcb33f94737a3d32f2f

SHA512
057556b0c20d4f1b653fc976567b1461e6036de174297e4dae4d70dc09b52a15b121e3dfe9db3850bd930938b73dd9a75f49e3c8b906e8a498a8a781d6767d91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e6d200b3-acce-4c8f-90c0-cfd116a477f3.tmp

Filesize
137KB

MD5
ecf53ecc84d881dda2227b61129da3bc

SHA1
4a209e232e2f057bcdd0f5bdcaea43aca2b87680

SHA256
ca9c1feb25414130a851f82c16fbb179bc35e8a1837debfceedd48e5c9a3b18a

SHA512
196cc0db810e82f4e0d89d00044157d0fae4f238fa164cb572765ddff5d6c59b9476c86d127967e50aa92073391a91ace168aead78394850205c1fd317b06d19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\_lzma.pyd

Filesize
154KB

MD5
401eca12e2beb9c2fbf4a0d871c1c500

SHA1
7cfc2f94ade6712dd993186041e54917a3dd15ae

SHA256
5361824ddac7c84811b80834eca3acb5fe6d63bf506cf92baf5bd6c3786bf209

SHA512
da6b63ba4e2e7886701ff2462c11dd989d8a3f2a2a64bb4f5eed7271b017d69e6cfe7347e3d515fdf615ec81d2bb58367bcc1533b8a5073edf9474a3759f6d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\_overlapped.pyd

Filesize
47KB

MD5
04f8440ff4724eb61a35ac13f3643ae9

SHA1
ca0f01c4cff9cf2433326d407d143278940346b9

SHA256
370b4ad06881c3cb781be0f78476eaeb5e440c60498f5791c3d413860fdc9b5e

SHA512
b575ddc7804ddb634077cece18dc4ec83d7c7e1d0de913abada64b2666f77bd413b4494aa96a172a0b0897695e2772edc72bcb549c314317e613f37510c88e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\_queue.pyd

Filesize
29KB

MD5
8eabd51d536276f3b3257ee975e50bfc

SHA1
1a13f707b29b895647a7de254031a6c80eb2cb7a

SHA256
24c23d04d274a4c1234f1a1a35b1805e1f17f99968f8baeec0c3b5295f05608a

SHA512
cfa027a1e01204078ccab3c2e1910e5806e0294d3ff0225d4713ea3b16cf07589005a0cc342688c3bb0bb6aa31b5401760c3890d46b39038b046072ad7b02b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\_socket.pyd

Filesize
75KB

MD5
4ceb5b09b8e7dc208c45c6ac11f13335

SHA1
4dde8f5aa30bd86f17a04e09a792a769feb12010

SHA256
71f014c3c56661ec93500db1d9f120e11725a8aedabc3a395658275710065178

SHA512
858c271b32729762773562ab3dbda8021aa775ba4606f57e891be18d9fe27518a48db0811eff9aafe53fb44557186431c672bbec204fa17a8ae6b86765a02d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\_ssl.pyd

Filesize
155KB

MD5
dcb25c920292192dd89821526c09a806

SHA1
79c9af3a11b41d94728f274b45a7c61dc8bbf267

SHA256
4e496cb3b89550cf5883d0b52f5f4660524969c7a5fa35a3b233df4f482d0482

SHA512
ae4ed1a66eef0b0c474c6ee498cd1388ef41f3746905257c7f5c0f73abbe3262eb47bb5748d47d55f1bd376308335a089c2b4c15ffe5d7fc21f2a660a4a93ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\base_library.zip

Filesize
1.0MB

MD5
e128175437e0e7faab804ba139f99c38

SHA1
536fe430c3de6d14795d289faa62183fcb7e1178

SHA256
d08c270a2f88db1e0f9bce5adf70f2ca35d42042f025b1804665bff4c1fcfd6f

SHA512
a558168b48d47ed17cfc8a48134fdce58c050628ee96a76c359369c28bcfcc3d9a095120c3da1de63cc91a63110b0bacf1e21c3989655e672ad2ce896a652085

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\libssl-1_1.dll

Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\python310.dll

Filesize
4.3MB

MD5
54f8267c6c116d7240f8e8cd3b241cd9

SHA1
907b965b6ce502dad59cde70e486eb28c5517b42

SHA256
c30589187be320bc8e65177aeb8dc1d39957f7b7dcda4c13524dd7f436fb0948

SHA512
f6c865c8276fe1a1a0f3267b89fb6745a3fc82972032280dce8869006feb2b168516e017241a0c82bdae0f321fab388523691769f09a502fc3bd530c1c4cacf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\select.pyd

Filesize
28KB

MD5
a7863648b3839bfe2d5f7c450b108545

SHA1
10078d8edb2c46a2e74ec7680d2db293acc5731c

SHA256
8b4b5d37b829ba885281134d9948f249e0ecd553ae72deda6a404619fdf4ccc5

SHA512
a709865709abe0c39d68e2ced4aa4387cd173ea9aa0a04c9794733b5bf3584d50256a9f756fee1dec144a9d724b028264763196eeb7b89ab2697ff26d83db843

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\tcl86t.dll

Filesize
1.8MB

MD5
75909678c6a79ca2ca780a1ceb00232e

SHA1
39ddbeb1c288335abe910a5011d7034345425f7d

SHA256
fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860

SHA512
91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\tcl8\8.5\msgcat-1.6.1.tm

Filesize
34KB

MD5
bd4ff2a1f742d9e6e699eeee5e678ad1

SHA1
811ad83aff80131ba73abc546c6bd78453bf3eb9

SHA256
6774519f179872ec5292523f2788b77b2b839e15665037e097a0d4edddd1c6fb

SHA512
b77e4a68017ba57c06876b21b8110c636f9ba1dd0ba9d7a0c50096f3f6391508cf3562dd94aceaf673113dbd336109da958044aefac0afb0f833a652e4438f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\tcl\auto.tcl

Filesize
21KB

MD5
08edf746b4a088cb4185c165177bd604

SHA1
395cda114f23e513eef4618da39bb86d034124bf

SHA256
517204ee436d08efc287abc97433c3bffcaf42ec6592a3009b9fd3b985ad772c

SHA512
c1727e265a6b0b54773c886a1bce73512e799ba81a4fceeeb84cdc33f5505a5e0984e96326a78c46bf142bc4652a80e213886f60eb54adf92e4dffe953c87f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\tcl\encoding\cp1252.enc

Filesize
1KB

MD5
e9117326c06fee02c478027cb625c7d8

SHA1
2ed4092d573289925a5b71625cf43cc82b901daf

SHA256
741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

SHA512
d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\tcl\init.tcl

Filesize
25KB

MD5
982eae7a49263817d83f744ffcd00c0e

SHA1
81723dfea5576a0916abeff639debe04ce1d2c83

SHA256
331bcf0f9f635bd57c3384f2237260d074708b0975c700cfcbdb285f5f59ab1f

SHA512
31370d8390c4608e7a727eed9ee7f4c568ecb913ae50184b6f105da9c030f3b9f4b5f17968d8975b2f60df1b0c5e278512e74267c935fe4ec28f689ac6a97129

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\tcl\package.tcl

Filesize
23KB

MD5
ddb0ab9842b64114138a8c83c4322027

SHA1
eccacdc2ccd86a452b21f3cf0933fd41125de790

SHA256
f46ab61cdebe3aa45fa7e61a48930d64a0d0e7e94d04d6bf244f48c36cafe948

SHA512
c0cf718258b4d59675c088551060b34ce2bc8638958722583ac2313dc354223bfef793b02f1316e522a14c7ba9bed219531d505de94dc3c417fc99d216a01463

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\tcl\tclIndex

Filesize
5KB

MD5
c62fb22f4c9a3eff286c18421397aaf4

SHA1
4a49b8768cff68f2effaf21264343b7c632a51b2

SHA256
ddf7e42def37888ad0a564aa4f8ca95f4eec942cebebfca851d35515104d5c89

SHA512
558d401cb6af8ce3641af55caebc9c5005ab843ee84f60c6d55afbbc7f7129da9c58c2f55c887c3159107546fa6bc13ffc4cca63ea8841d7160b8aa99161a185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\tcl\tm.tcl

Filesize
11KB

MD5
215262a286e7f0a14f22db1aa7875f05

SHA1
66b942ba6d3120ef8d5840fcdeb06242a47491ff

SHA256
4b7ed9fd2363d6876092db3f720cbddf97e72b86b519403539ba96e1c815ed8f

SHA512
6ecd745d7da9d826240c0ab59023c703c94b158ae48c1410faa961a8edb512976a4f15ae8def099b58719adf0d2a9c37e6f29f54d39c1ab7ee81fa333a60f39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\tk86t.dll

Filesize
1.5MB

MD5
4b6270a72579b38c1cc83f240fb08360

SHA1
1a161a014f57fe8aa2fadaab7bc4f9faaac368de

SHA256
cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08

SHA512
0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\tk\pkgIndex.tcl

Filesize
376B

MD5
3367ce12a4ba9baaf7c5127d7412aa6a

SHA1
865c775bb8f56c3c5dfc8c71bfaf9ef58386161d

SHA256
3f2539e85e2a9017913e61fe2600b499315e1a6f249a4ff90e0b530a1eeb8898

SHA512
f5d858f17fe358762e8fdbbf3d78108dba49be5c5ed84b964143c0adce76c140d904cd353646ec0831ff57cd0a0af864d1833f3946a235725fff7a45c96872eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32962\tk\tk.tcl

Filesize
23KB

MD5
338184e46bd23e508daedbb11a4f0950

SHA1
437db31d487c352472212e8791c8252a1412cb0e

SHA256
0f617d96cbf213296d7a5f7fcffbb4ae1149840d7d045211ef932e8dd66683e9

SHA512
8fb8a353eecd0d19638943f0a9068dccebf3fb66d495ea845a99a89229d61a77c85b530f597fd214411202055c1faa9229b6571c591c9f4630490e1eb30b9cd3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 826595.crdownload

Filesize
12.2MB

MD5
25ac784b55f1eb6a946db9b327a60d08

SHA1
c57f317d9230f04a3b60a95f30aa8dbab215f139

SHA256
753e6da64a551dde5aa1410e4139e295487b95904e6cdd467c08f455e6f0ed86

SHA512
3dcd20598374c7dc530ca59e2a21289cd232f1aabd7559807ee6a473f573df513421527f7d4474485896fd137eba91a715b1203c727bbae49fef2397d57dc978

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI32962\PIL\_imaging.cp310-win_amd64.pyd

Filesize
2.3MB

MD5
df88f28adccce0d6b61ebb20ea3cb2b8

SHA1
0cbe033e33578c6e1a70bba478bd3ecc3ba07b44

SHA256
98fb89d873050f536c5055ba1bb1816057609ad8f9b1e702e5728a4ec27fa3b0

SHA512
df222fb7797c48a83e7d0a5c239e623c07fa325d5288e442c0901b600f0a4325234b3bcecaa7dde525f337d06f1474e0857da36490a2ef6eefae69d2a8c5f0c3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI32962\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI32962\_asyncio.pyd

Filesize
62KB

MD5
4ab3a456c59f6aed0d147c31fab59604

SHA1
36cf52fce6accb5896e9b9d0cdda816f870347d3

SHA256
97ed94f8d35445573177ba75e17dcf4c667e3c236c0b4d436fa97f8c862cc0bd

SHA512
31b48c7891aee3fb1600f4d29b6bbbb138f8b561bd252b233b69054536c6118225cb9711fa56a0d11a619968c7befc11ec9b31936a346dfd795515934ca8e00f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI32962\_bz2.pyd

Filesize
81KB

MD5
23dce6cd4be213f8374bf52e67a15c91

SHA1
dfc1139d702475904326cb60699fec09de645009

SHA256
190ade9f09be287fcc5328a6a497921f164c5c67e6d4fcdcb8b8fd6853b06fe2

SHA512
c3983e2af9333a8538f68f7048b83c1bb32219c13adac26fd1036c3dc54394a3e2c1e4c0219232badd8e2c95418019b9b22906bdb23a19601447573a93c038a0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI32962\_ctypes.pyd

Filesize
120KB

MD5
2abeebe2166921a4d8b67b8f8a2b878a

SHA1
21f0fff00cba76a0ea471c3e05179e4b4cc1ebd0

SHA256
7adcea3a5568752a6050610cfbe791a4f8186aaaa002f916b88560a1ddab580f

SHA512
54c802d532c9ef9f3668d5e9bf23b69a58f87ec545af7fd4eab1055bfb8ee66481f361458076a364a17ddddd6550a70f5442c2bbe6562553472c0839346b1a35

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI32962\_tkinter.pyd

Filesize
63KB

MD5
e625a7b147aa41022eae5eff336b9a52

SHA1
71aa2bf19265b161809feeca9d9a455881b6cb90

SHA256
a6849cc7f7075924cbebe3000d6daa88d1724c1d869d6683a2bf9664cfb0e9ab

SHA512
e419600e66314fe4c8a90d067e1cd998899f61489d6f233b771d606cd876ad2cac8d449b11f7d03084c6890ae8e21109101adf70c485ea403f78db30e516b783

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI32962\pyexpat.pyd

Filesize
193KB

MD5
2aa10c44252c9d241a01557700df12af

SHA1
fa4d4de5f8d2eb2d6c633d17113347316cb3024c

SHA256
30eb08571a88165b84bc0783c3ffbf19e9d99c5634ab274c73a8ddca163cafda

SHA512
2448c39ba6711093855f115c0ce22e1403b2f276092db9d61d76fdc55839b1a19898bba7ee39625b7ec41aa9a996a4429363bf42571b02775730148049c142e9

Download Submit