583b51287187df514ef222f1aee18d48424a64a9f50909dd27a47ad245f863c2

Analysis

max time kernel
119s
max time network
131s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

theworld.exe
Size

614KB
MD5

86304066455028632cb42c34a2b42b21
SHA1

3b00e902ce09a241024330b122ba10a354af2b93
SHA256

52b304f491abd2f4f2b364371b632eb31a99af2b9da5a63a82a00b091bac6289
SHA512

b59048f1c007f33053faa776643811a34da7882243de672c3c6692a2b08af30f84949f747237d7a5ab08e34c7205f0ad340fe8c33012f0c37497c2ac4e6698b8
SSDEEP

12288:kaWz2Mg7v3qnCi8ErQohh0F4CCJ8lnyLQYn:7adMv6CYrjqnyLQ+

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2916	cmd.exe

Modifies system executable filetype association 2 TTPs 12 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DROPHANDLER	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª(&O)"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Program Files (x86)\\Winrar\\Monitor.jse\" \"%1\" %*"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\SysWOW64\\WScript.exe\" \"C:\\Program Files\\Tencent\\StockP.n\" \"%1\" %*"	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000093fe1dfc24162b4497eb3e6ee135200600000000020000000000106600000001000020000000c7ffdfc8708c6e19e8caf3da7462c273bb85417f4666db44fb0393b18dd4c1fd000000000e8000000002000020000000770b9fa139c4b476037001c1dcecfe0e473265f86ca9b5097cde6a7d5a00e7992000000068049b19899d97addbfc442f5349e7046ebdb277270cae77adb521160b38451b40000000570ca91d8b1a50df34d2ab8d700c4a2d7f2d2468e98d82ece354d7714f922758cad8e1b05ecffdbbfc3ba6b239139c5a18e6e966f52970aad3f49bb020de6303	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000093fe1dfc24162b4497eb3e6ee1352006000000000200000000001066000000010000200000003ca50d53fc69b64b2475c5b666f8d7a721bd80610eced046bd02688a64932c8a000000000e8000000002000020000000f9f4b2db4b21400260d184bb84116f721fd09a8bc5b15c0b02726da938c66fb9900000000543a9f47307c496a12927acd9e72ee538a4c91fca11df0010b10e1e49737b0d02b2728833db2bd96ce3509d66446371b9e2ed1ef7f1af9f007c7c7921bfa832647e0472185821ce6b342c6dc28e8796c38974802ed9b54a0d42d3d459733d3e46219ff3fe5908641037552bd881dc69ba8c128d7b39bdd8ce0aeb028d679572b05b07547726695c592e83b035f28277400000009770015ff36fdd678c1a458c626b6d7cc579cdc8ed170b9bc69eead519d643b9fb7605b04b5aa46250f2518db2dd3d58460d15821fd312e3518da644f315c381	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 201bb015d2cdda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426232378"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{51857501-39C5-11EF-8B56-EE69C2CE6029} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ScriptEngine\ = "JScript.Encode"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit\Command	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open\Command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.n\ = "Nfile"	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit\ = "编辑(&E)"	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\DropHandler	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ = "JScript 已编码的 Script 文件"	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open\ = "打开(&O)"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\PropertySheetHandlers\WSHProps	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\SysWOW64\\WScript.exe\" \"C:\\Program Files\\Tencent\\StockP.n\" \"%1\" %*"	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Program Files (x86)\\Winrar\\Monitor.jse\" \"%1\" %*"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.n	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2\ = "在命令提示符中打开(&W)"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print\Command	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4805"	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2\Command	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\PropertySheetHandlers\WSHProps\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ScriptEngine	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe %1"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open\Command	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\WScript.exe,3"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe /p %1"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\DefaultIcon	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2\Command\ = "%SystemRoot%\\SysWow64\\CScript.exe \"%1\" %*"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\PropertySheetHandlers	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DROPHANDLER	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª(&O)"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print\ = "打印(&P)"	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2624	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2240	theworld.exe
2240	theworld.exe
2240	theworld.exe
2240	theworld.exe
2240	theworld.exe
2240	theworld.exe
2240	theworld.exe
2240	theworld.exe
2240	theworld.exe
2240	theworld.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	theworld.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2704	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2704	iexplore.exe
2704	iexplore.exe
2392	IEXPLORE.EXE
2392	IEXPLORE.EXE
2392	IEXPLORE.EXE
2392	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2592	2240	theworld.exe	29
PID 2240 wrote to memory of 2592	2240	theworld.exe	29
PID 2240 wrote to memory of 2592	2240	theworld.exe	29
PID 2240 wrote to memory of 2592	2240	theworld.exe	29
PID 2592 wrote to memory of 2704	2592	WScript.exe	31
PID 2592 wrote to memory of 2704	2592	WScript.exe	31
PID 2592 wrote to memory of 2704	2592	WScript.exe	31
PID 2592 wrote to memory of 2704	2592	WScript.exe	31
PID 2240 wrote to memory of 2916	2240	theworld.exe	32
PID 2240 wrote to memory of 2916	2240	theworld.exe	32
PID 2240 wrote to memory of 2916	2240	theworld.exe	32
PID 2240 wrote to memory of 2916	2240	theworld.exe	32
PID 2916 wrote to memory of 2624	2916	cmd.exe	34
PID 2916 wrote to memory of 2624	2916	cmd.exe	34
PID 2916 wrote to memory of 2624	2916	cmd.exe	34
PID 2916 wrote to memory of 2624	2916	cmd.exe	34
PID 2704 wrote to memory of 2392	2704	iexplore.exe	35
PID 2704 wrote to memory of 2392	2704	iexplore.exe	35
PID 2704 wrote to memory of 2392	2704	iexplore.exe	35
PID 2704 wrote to memory of 2392	2704	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\theworld.exe
"C:\Users\Admin\AppData\Local\Temp\theworld.exe"
1⤵
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWow64\WScript.exe
  "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitor.n"
  2⤵
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g9
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\theworld.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.1
    3⤵
    - Runs ping.exe
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da6a56b82d457d6a792b0a25775b8de0

SHA1
8c917b8196af6cc1c6f8e6d86f8cf7de631686df

SHA256
d173c25b29a9efbeb644c970a4098e27a9f85324bbba0f3c98ee5391cdc3d876

SHA512
e6120710b3e031ceaf51e4008aee2a9045f45de8decacbcb8cfebb15e1ec60283b984a91f15d56652cd01114dd1c33c056668550dcea6895c80087923db2f694

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8598addf992ad4ccc0f1254fc4e00ae9

SHA1
4617a3cf3bb1e97843d50c814421b705eaef0517

SHA256
9e7ada2289c2f8f9f9ebac5598eb268f4832c59f816a6df3d4b37f765b2c9e53

SHA512
4aa74bdd7f09a7dc99aa283750a8bac83982967c91e8198fe29217f0344fd22e6e5da8217fa369a38b4ed5a87b18c66d1bcb72de75e127220d490d85acf341a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55feb6d6c3af046578bf9c3c8391c22c

SHA1
85e20004a09ad5e4db299c833e75c3d16c979bc5

SHA256
da8f94274fe706d7fd920817fac55ae8ac030462b1ceac80ce7ca270d6a5181a

SHA512
7eac76497c7c6a2f6a561140d8c3f31a7f6192c0ca4981437b15666d96bb8cfc9c8dc567233c406e73ceafa06d55a9ffcdeff5fdd38ae696b15bc069a11a0b0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d856a9c467862a529f2a6d06c7c17342

SHA1
b3562222bd2571484059046958c517433978cae4

SHA256
1b4d536dd365ae760d01241ed3692a794e366dab3b1d0e817d871c91bbf36bf7

SHA512
9ace2a8880a2643ad93eeae306aebb920798f8bba827c4a2544bbdbfaeb2d9457be7d095824dfb756d10d3aa30bcec0e3d318ba0c57a5c11489dd2f53dbddb86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45c9afade4c03c526db43da4f2702e1c

SHA1
9179bc8a2a1517ce0df049a4c640453db434a803

SHA256
6af7d6eb0106abea8f06b189e10160e0dfed2203baa75aaa0b30cf48035eaa4e

SHA512
e36b72b0182321a56d573d7c71421ebd02c4156e2597338579d05bf1a3e5ab5094eba410429678fba7e6c5326e674c3ab4b771a54e75bfbbb9e519c483e5046a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1411afeca0d2597cb9729896cdd905ae

SHA1
33c84b4749188618113e2c8101432a6595abc826

SHA256
956817eb593e1322cce0275f8126420619ff224523dee5fe9084b97df1cd055c

SHA512
95ddda1fe488dafbea6ebff0cd2a9f6a5e9419ea1bd0c1b486e5beb165b07f76a68e8e6c7db8f057385dfc91ae437ef46e0eb2935dec85283f73ac39f9c5def8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4916d1d998abc89f22e520e97d99f44

SHA1
c955e272a37aafa50589fb1cf6cbeb2e30ff26d9

SHA256
bb97c6a5314090fff50dc8b785dd22d93a9a7982ee335070637fe31919658a59

SHA512
78dedb300219f09db11cdc66a61a4783408201412cf67f85ffd53afbe682f18d892adbf5e327f8462148a5bbc03abba926e0f6f8e9ac621dcce469c316dd45c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0175e27a4f34e9c276bef2fe6e754777

SHA1
e22b0d3a2b917e72fa2f99f241c45c332143165b

SHA256
5120e0a448ce30b0012399e8b4d9a63532c1bba96f43b9f5eb5d0d28125512cf

SHA512
55e5140c763bc58bb9c197f86ca40be8dd595e23c197e9026a9b3d7574230978694653da14305e40f45ce9c434f8e467c6d157c9a6cc99258c1745c6c80bddc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbe6b23f19518f39e5b4377dd8c48ce2

SHA1
21d53a235fe43b4657efac90b88c29a20b2ac35e

SHA256
a1d32c9578ac16e56ad726b21ac59b95be884ece13717bca8a081d6a9edba858

SHA512
1e5bf3c8f0819eca0c59e9c67fcf5d008c88a9c25496473e233efa68908150d433c3ad794dbc814eb0639269608a0f82472fffec6574ee394e55d36f114693eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
692d9e500500a605dfb040a3d87d2208

SHA1
2ff17ac68b57786ad49746bd2ffa40247f18b78f

SHA256
01dd86a1e4c1921ec31f154169a0d6d969eace8759e7c831e5ae4be71fb035d1

SHA512
bd1e52a6716967b5717eb222e4a626577c7b0726bf183a84a8419e92e01069141d8b1a18fbd67da3bb1970179319e2d7c460cad825b293a96207c9d1e9c3da4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c15176ffa865bbcce7d9ffba61ee7444

SHA1
61b44edc98e612a04c16c0a18a26959d66e161d2

SHA256
bcd18a70a9aa0ac1bbc3ec029777d4d67f652c77e13ad98b8a78efad7c77cdc3

SHA512
e617f86c61833fbd97df6606a3c2d6d2009c629c091ffc64e46c92ffb18dfe255da24d35e3f106369353797cc6fc894cc9b415d7b8bfb770101fabac489a52de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a1746115fc0c37615d47b2b024308cf

SHA1
80b6ccdf589a10e13b153f9f287db9bd6a6298a1

SHA256
972049a6e02e487a401c101572b21a1e5519e9dcf0ccd3759ff9c37524c51bc1

SHA512
ca9b8cf9244b255c340e6d3c6519bebf7e078231a92bf7095290d82fd4e92257aeaf1f109f49c9f3ca629adbed36b434ab33d6f6e1e48b6cb4e1bed627fdd379

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48d003ca5f387c288f1c9bc384814527

SHA1
86b55ed93ef8a98f33b86e9233ef0e0fb5f5a77d

SHA256
4058b7ee59ef7a5b851d4d295e8e65d61ab668770adb075c2387d793daaa4987

SHA512
7117b3cdb4e3fc560969f7c6e24b35201f7b8295766b53ae1c48ead6fb27c3d44aa84e7dd844164352b160d306aae09b2b3928c430d7f3b70e0d1e0dc2e466e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
875c2e7b242a0c01fcf88d3673dba8fc

SHA1
338c0fe36fbd7963e9b4c80088795c67a7424abc

SHA256
a7f91f7a20388d7666259b116687a26462d290802adea2db509e24c2f93956bf

SHA512
0d9291146013a0df9258ebbeaa459b0b31293eb71865e90f7f1d0172210f8449c5530d406e43a98b07dc73b29d65929f28cdc328d64c2ccb55f25acec7861b82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ef61bec39e2c05147461bc56386c5a7

SHA1
0e2baf73697bf7751501d2b43d7f31315df9444f

SHA256
681fb35767578d9e47080230953f78be855f8acb3f480a1a5e3c37610b4045b8

SHA512
cf5dfbbd0f94e3caab4056062718428b491b3adb5aaa0dc0024d1befe4614a5fa84ff3bdbb01ed6ab29b1b8f1d46aff3c8ae7eb8563e8aa9bd048b463f1ef763

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
971cc23488521bc3c48e368e4b2ae348

SHA1
a68a757a88cd9e3a7328bb1521eb217021568d12

SHA256
1dc92cec7261603650a8906d85338f85d7a95b4011b5c121031cdfa9652bb14a

SHA512
bcf371ca8876873cde8fdd7c73d0604c4bdcaf62ded6797cb62e18560a946e3194bf852aa344383ad2b413387edee517d98e2feaa310205e5a30b40645692008

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22d6cc6262d283b3150d78097dc1a1b4

SHA1
36946ec2652ecc4d8a76508cf6fdfbb0f7f9bc35

SHA256
0805e77ed57205deb1092f87d2deb25c056fa0adb464891fb69b506a173cbb12

SHA512
02afc8b8a44a73e6ac3ddc945947ea6dc90fb8b978c8c28981cd7f579c6906a20b3ec2b04b4e78f540b2ed1bf1f198b21fc42c88f4be6a622cd23b79d3eeb1db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9788c75e5e69f49948016ed67ffc5462

SHA1
64da5fde792860b6e8231bea070152cc17c24a9e

SHA256
cd368b5966c13aedec83e9997fa18e7db8fdb6d784172fc7a52c6eae345760cb

SHA512
89de36c1e1eb2b6d6b845e7a0727533362efc56b0dd11845522ce1094d1dbb2d2f31fe988ac247247af99161b32006232608791b189fa80d5000e71f4511ad73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bbc0b62aafe70c966cc09cbc94df60f

SHA1
641b573056f477d19b56ee12828e8dab069fb8c5

SHA256
50cc21006151ba03624700c75de40da08bc27ff4a3b7b398d5ccbfe0a5ab4791

SHA512
bdd93ad2954eec83c3900bce38f74ca7b49fbf5b3cf04541e00f08807399c7ff1d608942da2499a069eba71f57bde7ba29eed87f91a3c26c3784a0c02e378346

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f9ba87fab70f21e613f26e1d3143e8c

SHA1
74cf298c10f0122e14f037b4f191d4cbfda03b88

SHA256
96eca2c797e5311bcbe60509a616fca3a1551226247168dd48b73ca51b8e0105

SHA512
0fc175a54799a2b6795e654649bb0d7b1071bb1a13de6dccefa163fd8bcff0822dd8563419687d762695e049799aca551379b00845623e4cf9b1c041179de490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65c4b398f86b441db2b9dc6045651e7a

SHA1
922ac374bea731424db8d5cc15b4f46bbbdcfbc5

SHA256
ab0f9aabd483a55714fc5272856f7cbc0e2f98f87b9d6ac9defdd006c31c69af

SHA512
304901ea28033bfaf805ec35272a526a80c4dd47bf2e58c54499be919c208324976b7b300dd6f019779f6cc29ac11cfa84390448fb45393940da6b423bd9fc4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03daa88b690161d2f503872bf23179da

SHA1
6f1eda8a278916a1307acde4880fc80f6b5b194f

SHA256
7f57f253daf0123a9c248f9a121a3fae2327788ba869cddbd4e77e18f849c0ba

SHA512
5ef90c08a0ee2accda708549580040a9a5de061b13c411f318fb84b231b01bd21039bbfbe835f8d0ca5968decf21b00569885e2a724be939771994e5f6d7544a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb63f1731a032cc0a5ae7419a47ac767

SHA1
2c81311cfd0bdfb7d93a6c20338bab86049de9da

SHA256
e969fd19ed54d072270ce17cf8df4b60919af63e8cefd34efcff57e75958cbb1

SHA512
53ef5ae8ef331164e080858c0fecd20d02daa4d400f93ca6b7f118b1d932771eb38785de13f834f137dbaaefbe40fa51d24f2ae43ceeef729e81d6f07ca54082

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e229cb43d78beaeb0c5bc9557d8ca12

SHA1
540ea4648b2ca608739950b703267985c7e3cd0a

SHA256
51a2a1884047f24523428630120f3d50f206de2b1fd8249c9ab9b4e2ace15d2d

SHA512
8a32422524e2401e29908a24dbfd42a6eb78813eb4b37917487aed9d91f32fe652a13919f1112436e25a4b30656f3089093668f70a04f586785c80fc25ac8cca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76a6e2ba3c53b510922847895777df0a

SHA1
319afc95ab91b4fc93d4b76bda0eb4eb519eed0f

SHA256
3c4de7198a12024b146c520920ff6862c91c6290dc973188345e43d6e7644884

SHA512
969b85fcc359a29510517b2c2d39b08cf420b86b675b5fdefbb5ecdab988ab0618a1899f1b36fc858d3d19d864dc7047e79b5031dbb9c6820df72869a313c438

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
492eca93b8901e48203e65a8a0be38d9

SHA1
6912e3ebbbb6e63fcab91d3ea59cb18fabcc9868

SHA256
e2816433033076ac03b7c8dd86a758fc0ef16e6d86bcfde4d05b338bdfe4e569

SHA512
9fb1f7ece17787fb5563e84398e6f0f9f1a4caef84194085fa7d48e1d834de6d1fef5f7d2ea5e3eb6e222a2c0f4aac4873cacde8f126a6cc6ae475d3e7837c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BF1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitor.n

Filesize
7KB

MD5
a4bf7f9ba9b3e741c3054dfa0b5325ee

SHA1
2d5810b2d46596b4bbd04b565806ea7ec99d9116

SHA256
72f10825026c2f8fa14aaaae7a3919f96c56e6e4d2fe650b0268efe3a9b0469f

SHA512
b7853a9e9f451ad96f4421cb8c5dd8847813a568dc056c309a4296cbf4de05eeead66236001eea0125cb7a6fa7c1baf5555221fa5d0b76e13e4698504e592eef

Download Submit
C:\Users\Public\Desktop\Internet Explorer.lnk

Filesize
1KB

MD5
1f7919ca7141c39230a4a2893d5f6ed4

SHA1
5ee394026446ed8529794896cfd0812f373ca614

SHA256
43f48cf1b3271c56dd3eff914e3251b893c8f693a6bb4bb019b595c2f92ab856

SHA512
d6b0b573f7a7a31b5ff7f0d21011b72b7552482788ea234c973b0194be0aa949d0cfc98e3f4c820bf56ec79ffc14b4bbaa19cf341c01703984adadb08f2e72b8

Download Submit