74e5e3f697d9ab2d813a7c2ba9b2e9e91956ad91af45feb6c98851946e3b096c

Analysis

max time kernel
120s
max time network
43s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41ccd38905ec14102b3f1863e008c220N.exe
Size

2.9MB
MD5

41ccd38905ec14102b3f1863e008c220
SHA1

000abd1db229ecb30559aba3d34dc012cb680af1
SHA256

74e5e3f697d9ab2d813a7c2ba9b2e9e91956ad91af45feb6c98851946e3b096c
SHA512

bc2c3b8b99329b61b82a0622227cc9912bb0b34e129569307536f3e9423af096a593fa310148e8ab2bf832176fb95a8aa3225bed3a3e5e4ccc3b3e97cc254eea
SSDEEP

49152:tGQ1IXUtz3UXyYAtehSSJEWFU3P5F06520twrKf5gRV6Cs7esM7ELNgZkuudpvXr:wl8zkXyPterEf7520KrjYCsY0geuubXr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 7 IoCs

pid	Process
2492	41ccd38905ec14102b3f1863e008c220n.exe
2180	icsys.icn.exe
2652	explorer.exe
2640	spoolsv.exe
1892	svchost.exe
3060	spoolsv.exe
1996	setup.exe

Loads dropped DLL 18 IoCs

pid	Process
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2180	icsys.icn.exe
2652	explorer.exe
2640	spoolsv.exe
1892	svchost.exe
2492	41ccd38905ec14102b3f1863e008c220n.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	setup.exe
File opened (read-only)	\??\U:	setup.exe
File opened (read-only)	\??\L:	setup.exe
File opened (read-only)	\??\A:	setup.exe
File opened (read-only)	\??\M:	setup.exe
File opened (read-only)	\??\E:	setup.exe
File opened (read-only)	\??\G:	setup.exe
File opened (read-only)	\??\I:	setup.exe
File opened (read-only)	\??\J:	setup.exe
File opened (read-only)	\??\B:	setup.exe
File opened (read-only)	\??\Z:	setup.exe
File opened (read-only)	\??\N:	setup.exe
File opened (read-only)	\??\P:	setup.exe
File opened (read-only)	\??\Q:	setup.exe
File opened (read-only)	\??\T:	setup.exe
File opened (read-only)	\??\Y:	setup.exe
File opened (read-only)	\??\V:	setup.exe
File opened (read-only)	\??\W:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\H:	setup.exe
File opened (read-only)	\??\O:	setup.exe
File opened (read-only)	\??\R:	setup.exe
File opened (read-only)	\??\S:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\X:	setup.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.lock	ngen.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	41ccd38905ec14102b3f1863e008c220N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.lock	ngen.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	setup.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2052	schtasks.exe
2260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
2652	explorer.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe
1892	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2652	explorer.exe
1892	svchost.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeRestorePrivilege	1996	setup.exe
Token: SeRestorePrivilege	1996	setup.exe
Token: SeRestorePrivilege	1996	setup.exe
Token: SeRestorePrivilege	1996	setup.exe
Token: SeRestorePrivilege	1996	setup.exe
Token: SeRestorePrivilege	1996	setup.exe
Token: SeRestorePrivilege	1996	setup.exe
Token: SeRestorePrivilege	1852	msiexec.exe
Token: SeTakeOwnershipPrivilege	1852	msiexec.exe
Token: SeSecurityPrivilege	1852	msiexec.exe
Token: SeCreateTokenPrivilege	1996	setup.exe
Token: SeAssignPrimaryTokenPrivilege	1996	setup.exe
Token: SeLockMemoryPrivilege	1996	setup.exe
Token: SeIncreaseQuotaPrivilege	1996	setup.exe
Token: SeMachineAccountPrivilege	1996	setup.exe
Token: SeTcbPrivilege	1996	setup.exe
Token: SeSecurityPrivilege	1996	setup.exe
Token: SeTakeOwnershipPrivilege	1996	setup.exe
Token: SeLoadDriverPrivilege	1996	setup.exe
Token: SeSystemProfilePrivilege	1996	setup.exe
Token: SeSystemtimePrivilege	1996	setup.exe
Token: SeProfSingleProcessPrivilege	1996	setup.exe
Token: SeIncBasePriorityPrivilege	1996	setup.exe
Token: SeCreatePagefilePrivilege	1996	setup.exe
Token: SeCreatePermanentPrivilege	1996	setup.exe
Token: SeBackupPrivilege	1996	setup.exe
Token: SeRestorePrivilege	1996	setup.exe
Token: SeShutdownPrivilege	1996	setup.exe
Token: SeDebugPrivilege	1996	setup.exe
Token: SeAuditPrivilege	1996	setup.exe
Token: SeSystemEnvironmentPrivilege	1996	setup.exe
Token: SeChangeNotifyPrivilege	1996	setup.exe
Token: SeRemoteShutdownPrivilege	1996	setup.exe
Token: SeUndockPrivilege	1996	setup.exe
Token: SeSyncAgentPrivilege	1996	setup.exe
Token: SeEnableDelegationPrivilege	1996	setup.exe
Token: SeManageVolumePrivilege	1996	setup.exe
Token: SeImpersonatePrivilege	1996	setup.exe
Token: SeCreateGlobalPrivilege	1996	setup.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2604	41ccd38905ec14102b3f1863e008c220N.exe
2604	41ccd38905ec14102b3f1863e008c220N.exe
2180	icsys.icn.exe
2180	icsys.icn.exe
2652	explorer.exe
2652	explorer.exe
2640	spoolsv.exe
2640	spoolsv.exe
1892	svchost.exe
1892	svchost.exe
3060	spoolsv.exe
3060	spoolsv.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2492	2604	41ccd38905ec14102b3f1863e008c220N.exe	30
PID 2604 wrote to memory of 2492	2604	41ccd38905ec14102b3f1863e008c220N.exe	30
PID 2604 wrote to memory of 2492	2604	41ccd38905ec14102b3f1863e008c220N.exe	30
PID 2604 wrote to memory of 2492	2604	41ccd38905ec14102b3f1863e008c220N.exe	30
PID 2604 wrote to memory of 2492	2604	41ccd38905ec14102b3f1863e008c220N.exe	30
PID 2604 wrote to memory of 2492	2604	41ccd38905ec14102b3f1863e008c220N.exe	30
PID 2604 wrote to memory of 2492	2604	41ccd38905ec14102b3f1863e008c220N.exe	30
PID 2604 wrote to memory of 2180	2604	41ccd38905ec14102b3f1863e008c220N.exe	31
PID 2604 wrote to memory of 2180	2604	41ccd38905ec14102b3f1863e008c220N.exe	31
PID 2604 wrote to memory of 2180	2604	41ccd38905ec14102b3f1863e008c220N.exe	31
PID 2604 wrote to memory of 2180	2604	41ccd38905ec14102b3f1863e008c220N.exe	31
PID 2180 wrote to memory of 2652	2180	icsys.icn.exe	32
PID 2180 wrote to memory of 2652	2180	icsys.icn.exe	32
PID 2180 wrote to memory of 2652	2180	icsys.icn.exe	32
PID 2180 wrote to memory of 2652	2180	icsys.icn.exe	32
PID 2652 wrote to memory of 2640	2652	explorer.exe	33
PID 2652 wrote to memory of 2640	2652	explorer.exe	33
PID 2652 wrote to memory of 2640	2652	explorer.exe	33
PID 2652 wrote to memory of 2640	2652	explorer.exe	33
PID 2640 wrote to memory of 1892	2640	spoolsv.exe	34
PID 2640 wrote to memory of 1892	2640	spoolsv.exe	34
PID 2640 wrote to memory of 1892	2640	spoolsv.exe	34
PID 2640 wrote to memory of 1892	2640	spoolsv.exe	34
PID 1892 wrote to memory of 3060	1892	svchost.exe	35
PID 1892 wrote to memory of 3060	1892	svchost.exe	35
PID 1892 wrote to memory of 3060	1892	svchost.exe	35
PID 1892 wrote to memory of 3060	1892	svchost.exe	35
PID 2652 wrote to memory of 2392	2652	explorer.exe	36
PID 2652 wrote to memory of 2392	2652	explorer.exe	36
PID 2652 wrote to memory of 2392	2652	explorer.exe	36
PID 2652 wrote to memory of 2392	2652	explorer.exe	36
PID 1892 wrote to memory of 2052	1892	svchost.exe	37
PID 1892 wrote to memory of 2052	1892	svchost.exe	37
PID 1892 wrote to memory of 2052	1892	svchost.exe	37
PID 1892 wrote to memory of 2052	1892	svchost.exe	37
PID 2492 wrote to memory of 1996	2492	41ccd38905ec14102b3f1863e008c220n.exe	39
PID 2492 wrote to memory of 1996	2492	41ccd38905ec14102b3f1863e008c220n.exe	39
PID 2492 wrote to memory of 1996	2492	41ccd38905ec14102b3f1863e008c220n.exe	39
PID 2492 wrote to memory of 1996	2492	41ccd38905ec14102b3f1863e008c220n.exe	39
PID 2492 wrote to memory of 1996	2492	41ccd38905ec14102b3f1863e008c220n.exe	39
PID 2492 wrote to memory of 1996	2492	41ccd38905ec14102b3f1863e008c220n.exe	39
PID 2492 wrote to memory of 1996	2492	41ccd38905ec14102b3f1863e008c220n.exe	39
PID 1996 wrote to memory of 1488	1996	setup.exe	41
PID 1996 wrote to memory of 1488	1996	setup.exe	41
PID 1996 wrote to memory of 1488	1996	setup.exe	41
PID 1996 wrote to memory of 1488	1996	setup.exe	41
PID 1996 wrote to memory of 1816	1996	setup.exe	43
PID 1996 wrote to memory of 1816	1996	setup.exe	43
PID 1996 wrote to memory of 1816	1996	setup.exe	43
PID 1996 wrote to memory of 1816	1996	setup.exe	43
PID 1996 wrote to memory of 1336	1996	setup.exe	46
PID 1996 wrote to memory of 1336	1996	setup.exe	46
PID 1996 wrote to memory of 1336	1996	setup.exe	46
PID 1996 wrote to memory of 1336	1996	setup.exe	46
PID 1996 wrote to memory of 2016	1996	setup.exe	48
PID 1996 wrote to memory of 2016	1996	setup.exe	48
PID 1996 wrote to memory of 2016	1996	setup.exe	48
PID 1996 wrote to memory of 2016	1996	setup.exe	48
PID 1892 wrote to memory of 2260	1892	svchost.exe	50
PID 1892 wrote to memory of 2260	1892	svchost.exe	50
PID 1892 wrote to memory of 2260	1892	svchost.exe	50
PID 1892 wrote to memory of 2260	1892	svchost.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\41ccd38905ec14102b3f1863e008c220N.exe
"C:\Users\Admin\AppData\Local\Temp\41ccd38905ec14102b3f1863e008c220N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- \??\c:\users\admin\appdata\local\temp\41ccd38905ec14102b3f1863e008c220n.exe
  c:\users\admin\appdata\local\temp\41ccd38905ec14102b3f1863e008c220n.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2492
- - \??\c:\2b3ad4a9c4aa807e6f59ae11\setup.exe
    c:\2b3ad4a9c4aa807e6f59ae11\setup.exe /web
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe queue pause
      4⤵
      Drops file in Windows directory
      PID:1488
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe queue pause
      4⤵
      Drops file in Windows directory
      PID:1816
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe queue continue
      4⤵
      Drops file in Windows directory
      PID:1336
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe queue continue
      4⤵
      Drops file in Windows directory
      PID:2016
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2180
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2640
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:33 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2052
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:34 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2260
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2392

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2b3ad4a9c4aa807e6f59ae11\locdata.1055.ini

Filesize
15KB

MD5
afcdf8d8c96f5c695254e2e620f8d410

SHA1
fe785b77e4d5a2f283fe9ecc0606d081e99552a1

SHA256
370ff239e143b83ad4440ffaacc05b3750ea1fd3858ec8f1e6e208d3a72bfefe

SHA512
664000953fa8aca3fca23ee41b7387ca40e68b772e252bba8974bc21df2137fc188a9c22112d593ba83b26653710d8f81845111944e05d5dc0b15c3a541b6d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_depcheck_NETFX_EXP_35.txt

Filesize
2KB

MD5
ab0194db8582e41cf0b85c00f6042b74

SHA1
4d6260b1ed89ad6191ccb61fcf153a4895f0f753

SHA256
1a6175bdbe064e141470470c03ae24fcb09ecbae96ae8f94e1161a2917c5394c

SHA512
3265884f6afa1030e1772dea17c2552fa28ed6369b8e40eaa326a7c7ca93dfd18461f8ee03faf933f2b6a8d58e542b47fd84bc92d78048e0d74da99f5d319439

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_depcheck_NETFX_EXP_35.txt

Filesize
30KB

MD5
4c516c0e0d160703e52045d6c8fa1068

SHA1
844e51a14a65f20999b8f0b8048b336e7acc0f50

SHA256
40f3f69a7a1e0ec7b30c18c9ec646df0b7296acc72466dfcfdfc1b54ae988ee0

SHA512
92b2dbb8777082e5169db52efe7c6f729f3816df3f3768a77e1a013e259a235938967870d3834b27d96783cfe0b6a29e2d7ea241afee66806f5c8f892c5c089e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log

Filesize
307KB

MD5
e643e6b248956c20736141e29d6b2092

SHA1
83cb526e98c1182a8a7ca268bfec26d490f743fe

SHA256
4016eddc50401d58b07df52d4937b9acbb0857c43130557dea201a4835d35d71

SHA512
6f2fa2a856308cf00170023a806e4ecf22d56e055fc6355e538c915a2ecfb3cf4f6a5a15b51c1ec6e8ad43490f96c95414c7fbba4263f35b9f804951d2e629c7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log

Filesize
307KB

MD5
06518664e022e25cf268a68bcd294d1c

SHA1
24132239e0c01edb0791db6c4919669b0540f7e7

SHA256
d086c80cea28bcf07f575f34ca21cedf5a0a83014ce87a5ddebabc86fc250e12

SHA512
f632c27dc4b000d367e7dc691cfd5ddf5546a6885a554ec1e6176ba6a6e343b8864f8f0c07bc22d86dcf340dc6d2561a7b0a21275e7a07b18238bd502f9952cf

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log

Filesize
256KB

MD5
06fdf3af72fe1fa25d1f58c8393e80ef

SHA1
6c3e6bbe2c4f12d9da9c340b38241c769b0e4537

SHA256
fe476d89228052a751433e2f6e42dedd827e4b9826adb7512645ba0d17112cd5

SHA512
4a6318ae4878922fba4dc36c70ca011d70fe75ff3a4c7a62b3aad271cec5601c472295f7da34cb135b2aab0de53ef1e41cb774a001988a2edf49643dacb8865b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log

Filesize
257KB

MD5
d5bb2663396d83711f68b99d512715e3

SHA1
851c15d040b80a08316a40327f09b2958739b250

SHA256
be1b120df72ae8c144fba2253c854c237fffa5a3d4e59ba7b71d31dcb5b50711

SHA512
aeb1bf7fbdae6e314c79c990800b55b208d4d5afcaf26b81210c5a02a82e51ac464bbef1953c956e7a2d566fcf0c55141b67406c0cbc58bb71eba3d4afcc973e

Download Submit
\2b3ad4a9c4aa807e6f59ae11\WapRes.dll

Filesize
104KB

MD5
e8824670433ad8593af150b2eb6913d1

SHA1
03e9ab11c1f7bc1b20309da2eef3ae52ce7be90f

SHA256
f8cb2735a2789d8e6b4cd1c7391ed8923466afd274490773e208d502132d1072

SHA512
8cdd6ed3b7fde72c148f8f5f0a795a796ec0d3c0c863d4c8f2cbdfb70443728eb975c1cf683f8e9dcd6079619c0c4e36f97bc56d348ad8b061390f9749faf95a

Download Submit
\2b3ad4a9c4aa807e6f59ae11\setup.exe

Filesize
262KB

MD5
f9eef088eced778bd54b716b0459fa8d

SHA1
4e371fdea1258f508a956b9a7dd58e3aee9a67a4

SHA256
ff2be9643a7df7241768e7e439524d11618f2b8a8fbe47f2e94d6453b0e04dae

SHA512
7309817a3fc29892f2ce87db63b58b1c95e03bad3cfb7a987d543861ddc2766d83f3b3d6bb4bb2af8b3c3f7fa270e527d92c9ca661ff6b7fd9ff1d5658e73133

Download Submit
\2b3ad4a9c4aa807e6f59ae11\vsscenario.dll

Filesize
671KB

MD5
9b44d9e919f2f89365fb197bbd505400

SHA1
cd7484c2564d6f2d5baea8b5408af7715d9a3f49

SHA256
ed27270ea89f0a1cfda7f6e100204ebec0641bb41cafca5a287db81e69cdc120

SHA512
7cf04eb0ca2613648e21476da133716eddb6b53ba29b4dfd461a8b40295e4b928b8a57f4fc2cca4199e31eb88daf4a1899fe017afd5bfe1eddc0793119f9d517

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\DefFactory.dat

Filesize
784B

MD5
b4d60c4744eaead8f042b06a71a89e15

SHA1
9ff4fe9922ba4306cbf7a7dbffca3d7c0be81aae

SHA256
8de5a4fab48b4afaadb3b3226f26b7c8c7e202e114181aea7861352484e730c4

SHA512
58e6684c3fb9c84d7ef0ae39247667a04aa9b0da32d1507ab80fc0582447590bf728e6324e8e34680bfbba9ebe1a995ed0fe3e9e161c182dd53b271fcd56a4f7

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\HtmlLite.dll

Filesize
173KB

MD5
1427f0ee7ff3ca5339f54a2b2480dfaf

SHA1
f14f4beb3131b925dd958d83f5f22a53a29bd2cf

SHA256
b238e8c647d2980ed5e965f484e8adadcb20832719735dd94472cfad2a27d9b6

SHA512
fa8b87c3fbcc02a5c7ea18968a11b815bbf87f8cf58c766366cc6fcb80206dbf5dfa36880fe8cb17092aefcb51513dae39ed6a806f46d0055979e9ffb64e02e6

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\baseline.dat

Filesize
205KB

MD5
814af5d4e24f23eb2c93145f8469d8e3

SHA1
fb2f66f333b8f5ea727e70ad15e4d44ff66bec8c

SHA256
e27661f825eb319c845e48b19f5a60a19eb1985b377e2ef613409880a5b7d242

SHA512
580fd779e53fac57a29032211c3bbd7632407e4f0dac99f6cfca4e8a035e64ed9671623f4ddecbb56f3a31682ce55d392262c421d18a857b6bd2725280814cac

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\dlmgr.dll

Filesize
269KB

MD5
a309fe305d44711d62f03c8bae580e40

SHA1
27e3d98b556ec41ead00568b5c58a35c8e226228

SHA256
8d41eb260b66521b7789e7ca3cd98296b6cd309e2ca86959ceaa3a87892527ee

SHA512
bdf1f674e0a1b7d192cf8001b75b301b440c1f547c2de36a33f4065f0be6a24c5f5f4fc6bc4c4693c622f5cc042263e4cfecc73394f3da81365a53d6b6491a68

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\gencomp.dll

Filesize
1.0MB

MD5
7701205cb985edbae0c1d283604e04a4

SHA1
2462782694a693fa1de5a0cfd32dcf66ffecfef8

SHA256
4532624fd6b585c519dea8e3023a68a0b2adfa801712ca616d411078e7f4d541

SHA512
6d11be23ba7f6f4009c41cd08e78dbb80ce2d5393ac754d5380be12a12c8c2d385ee891a651c608d1eb1cd46932c8c10f8cdddbfb051a62b532a51b0bdd51864

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\logo.bmp

Filesize
5KB

MD5
27d1fb0f5ffab86ee4c906b67f7e3c29

SHA1
6f984c1e49ecfd5c3b9916c2e4b434fb8bf6103e

SHA256
0d6e46ff07901cc9d82e8fd76f8477474c3f440bf2e43ee5cea859c0095962a2

SHA512
db1d703f0bf9630404f64de54fc16447dbe993b61d2978e757a6676c1ad26c3f738c1cab7d269337f314dff917183f9330d57e4becbd69dbcc3daeada4ccfa9f

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\setup.sdb

Filesize
71KB

MD5
7a94ef3b998e1098d2f4f7c66569bb9f

SHA1
5859e1ceff415a3613cee75f6b93dffa085ef83d

SHA256
95d71e04f822cdc59cc7bc449401f6e0c378f0ed7352ae83f5db30ee2d724639

SHA512
40d3d4b8930fd2d218c569be742c8640504369e66a43ec507d4c0d90e0fc61a45a58e5c96c4c5dc33b15cb2f632eae9dc796fb893c1cbd342fe9aa6e9fcfcd8e

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\setupres.dll

Filesize
107KB

MD5
96d6e171f743a7c9222e2bc524e48a52

SHA1
ef1780adad57493058312967f720de1946d85a29

SHA256
73faae5003cf24b7b399d46d42babd754e132112e3bac9c1249a1310a25d1c6b

SHA512
4aaceb25276f5cb0c214e2141714d3044b01aad90289305bb3e211ecc53bd0cfdd41d73649bc2a31f017b04b95a69863bb3abb604f7d7bb7712c5e0a3ca36357

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\sitsetup.dll

Filesize
1.3MB

MD5
70d42b96463300dcf804e18f2f1f9db1

SHA1
670e74d08090f78e63f056fa814aeb6d3c56e620

SHA256
63492edb2927fb8dea57580a55901f805c4d61e10d7f097b61f0b9dbf03aedbb

SHA512
b911562185e439306e04d96b3903005ca16d6506f4a8f1fa0a4e7923eec7486a3a722e093c372553a0b12c58ce133b3acdf54deae1828ef0b9c3bfe8279d5474

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\vs70uimgr.dll

Filesize
613KB

MD5
cd272480b9a40c1743791e8618fb5541

SHA1
ef1126e163b14563780ce3250408572c6966878c

SHA256
c5b6d65a9667aa1231c66d72ff86fba55e50ba7f4e279cf3f267e03d90d616a0

SHA512
6ecffe64826d0c3e88a2d78486800cf526891551d0edfca1e89c9f1a65d28ebc4bbe42ea141208c09ebfc7967fb1c0271bb7fc6562f17aa298518798caaaaac8

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\vs_setup.dll

Filesize
1021KB

MD5
ea4594bfc4df5a6f16dd79ea27b93a70

SHA1
80b492ad344f775001d08b2023c51f5199a724b9

SHA256
25b52ec5e47ec8dd0719bdc4961c926d32bb5ac1e0fc71a9d8cb5ab835da6ab1

SHA512
f3f410039fb21149f40bc2d06e2734ef349a9a993537165e551ea8dd0c011386fe75ecaf4b1c7336e76eb50a6f7c36600284798a460f1d0a8783c00daecc7d2c

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\vs_setup.ms_

Filesize
603KB

MD5
8f479f91a12d4e48ecaaaa478aab1042

SHA1
ee42220275f4e82986f36d4f144fc891b07008c9

SHA256
b051bc37cc923fd3928a4d95ae4478d7b83f719625100ac950c6462a004399a5

SHA512
39d01f80f8fbd8d83baac76179f2d6c56206f7c29d692f89c51a8e1e9ff241a3bf6c30c5a37242e9cf7abb227edc75d695cab89bb9be845b39ce2f91aa916186

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\vs_setup.pdi

Filesize
20KB

MD5
7b8966dffd15fa01d5bbdd7b312b526b

SHA1
cbfd752a07b35571917820b63a7799bf6755b5d4

SHA256
30ced1ffe473aa41d6968901f6a92dbe7d3f5e60a4ab5d5c82994e14b26dee91

SHA512
e11b4ac10aebd0cb9ec60cbd0fc14b52b99aefd154ca16cc7f49787c0e0954121e9bfd6a9e0cb4ab4a0a1868ca24db8a45ca6cf4b4e6c57a361d79cb352d6cd7

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\vsbasereqs.dll

Filesize
401KB

MD5
057549953160d1e3e54c14263faf885d

SHA1
d3d73df0a71de5bab88932f08344ef91c7653ef4

SHA256
fc5f4e4f12e3baf632a267979da96955412caa63391f1d8137332672ba35cb46

SHA512
53116ad0019ea6bc8385acf3b6eb1a398e926abb4b76462771edc4e95612a527eaab42a6d4eff7d83ed562cc6a3b922a168c17525338ad560aefe7330185f381

Download Submit
\??\c:\2b3ad4a9c4aa807e6f59ae11\wapui.dll

Filesize
958KB

MD5
362a5e06b9aff6d147e491c13b0c3b60

SHA1
c96c759c956a631413717be23d1acae76c252b89

SHA256
df6ee489eba67f24812576dcd1e717029cbf80beed5c623742f7f4fa59928352

SHA512
334a729948e63a35f173a8fccac525efdb2676d174097cf0bac92267c9ef5a95ffb4b9f157c8d0b0f0a31952292a08a1a87d91d6d199ad76c7523685ec348942

Download Submit
\Users\Admin\AppData\Local\Temp\41ccd38905ec14102b3f1863e008c220n.exe

Filesize
2.7MB

MD5
269f314b87e6222a20e5f745b6b89783

SHA1
b0ca05c12ebb9a3610206bad7f219e02b7873cbd

SHA256
c05a019ce69c2e6973e464f381c2b0b618ad9b135ca5275b052febf64c9f9257

SHA512
34c574c78315cb83aac1b763a4f26f978d6c80d8e5bd61b601d16fdce2bccc109f8b46f03fb938a2ff2b9acb4793313f75b15539006e72b827ff7673507e5beb

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
e576abd2c44e5985b32df3b9dd34f99d

SHA1
98c1ff368e61b280517da64090c1711781c64076

SHA256
ec0f22716125f5cc77a5713d2582badce543577f60875b6ddace4b1e8d2dbad3

SHA512
8444c30fdf10ddd907f3eb96931b33e52293419632d89344d4d59ed1a9fa7ef118623c33f15d5c1d4eb61bea6bead4bc597301fa19561a0e14183fcf58ee59a9

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
e33ac71dfefb13b3ad6c465508651efc

SHA1
a2548fe908fd881c1efd93ad2e77aaa7e32c9d91

SHA256
a96c474b98addb7c5210774fe41eedeb35ce1548f5f9f1dbe9234b07b325ef3e

SHA512
d3fa07624ef0f0f14e7ebc15e0fcd56390145dbe718cd75e0b1867b856b6bb5268dd46bdb052c967e2b254b7ae003df507cd44a5e4a96bccacb0c03371e7762e

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
4c1edca2e2ff0ad38109ba5d7132b94f

SHA1
3c3415e3d2681be8f453156b0e16c57e7fd28fa7

SHA256
b5f4519c076d15520f9ee7fd52793413a86796ea73ef37cb57bcc256bb6c8b97

SHA512
499e387ec211943a91ccb8df6de2319d532fe24f18df8163769c3a941fccce1baea0ab675131ebe4d65cde40a8eb3f6c96be5d2e9267072c0d2283cde40a3283

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
1296ce4ebd40f5d9ec6619f2b676018e

SHA1
c35291d046c7b23887db926e1a57b421b8e14f79

SHA256
356a2300d3dd67e802216a8762f6600e12a22071cd842c0ce992506511d361e0

SHA512
83d847a1a9bf47a6a88e3a440431431164d9018e729e006dfa0766c1d86361c8f191dedbef5e439e6127a533877bf740ef99ec4729c4e36a1f385e1f448d82a2

Download Submit
memory/2180-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2604-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2604-13-0x0000000000420000-0x000000000043F000-memory.dmp

Filesize
124KB

Download
memory/2604-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2640-105-0x0000000000420000-0x000000000043F000-memory.dmp

Filesize
124KB

Download
memory/2640-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2652-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3060-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download