hxxps://github[.]com/user-attachments/files/16325349/Delta[.]zip

Analysis

max time kernel
92s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/user-attachments/files/16325349/Delta.zip

Score

6^/10

discovery

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	compiler.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4412	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
844	schtasks.exe
1740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3548	msedge.exe
3548	msedge.exe
1420	msedge.exe
1420	msedge.exe
4544	identity_helper.exe
4544	identity_helper.exe
4804	msedge.exe
4804	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 4176	1420	msedge.exe	82
PID 1420 wrote to memory of 4176	1420	msedge.exe	82
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 4752	1420	msedge.exe	83
PID 1420 wrote to memory of 3548	1420	msedge.exe	84
PID 1420 wrote to memory of 3548	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85
PID 1420 wrote to memory of 1116	1420	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/user-attachments/files/16325349/Delta.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82f1446f8,0x7ff82f144708,0x7ff82f144718
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1450286818586144712,12202791806888374922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:2012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Delta\Launcher.bat" "
1⤵
PID:2504
- C:\Users\Admin\Downloads\Delta\compiler.exe
  compiler.exe config
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1132
- - C:\Users\Admin\Downloads\Delta\compiler.exe
    "C:\Users\Admin\Downloads\Delta\compiler.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2440
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 14:13 /f /tn EmailCleanupTask_ODA0 /tr ""C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA0.exe" "C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf.lua""
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:844
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 14:13 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1740
  - - C:\Users\Admin\Downloads\Delta\compiler.exe
      "C:\Users\Admin\Downloads\Delta\compiler.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
      4⤵
      PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Delta\Launcher.bat" "
1⤵
PID:1664
- C:\Users\Admin\Downloads\Delta\compiler.exe
  compiler.exe config
  2⤵
  PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Delta\Launcher.bat" "
1⤵
PID:3932
- C:\Users\Admin\Downloads\Delta\compiler.exe
  compiler.exe config
  2⤵
  PID:1328

C:\Users\Admin\Downloads\Delta\compiler.exe
"C:\Users\Admin\Downloads\Delta\compiler.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1072

C:\Users\Admin\Downloads\Delta\compiler.exe
"C:\Users\Admin\Downloads\Delta\compiler.exe"
1⤵
PID:1716

C:\Users\Admin\Downloads\Delta\compiler.exe
"C:\Users\Admin\Downloads\Delta\compiler.exe"
1⤵
PID:4500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3048
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Delta\lua51.dll
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Delta\Launcher.bat" "
1⤵
PID:1436
- C:\Users\Admin\Downloads\Delta\compiler.exe
  compiler.exe config
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3680
- - C:\Users\Admin\Downloads\Delta\compiler.exe
    "C:\Users\Admin\Downloads\Delta\compiler.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3648
  - - C:\Users\Admin\Downloads\Delta\compiler.exe
      "C:\Users\Admin\Downloads\Delta\compiler.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
      4⤵
      PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
281B

MD5
4ec59ac8f3b2ae95168c9cabd3147151

SHA1
de7d5e63c988b9c27f17a6dd8b3e2d6a1208fe2d

SHA256
165a9f3c3e0d665141953f05ec60ff6959e6b15cc50d9cb2746a26937181543b

SHA512
832e5712fa43c890d03ca4c437b11b23bd74d7c383ee095e2bc9380845f592a468fb5cd1eef7d637ae7d34a0b9bc3c11bef84e78d5c42e7ac78ca05aec026599

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
cad1a8bd0ceb0b9f3481d56af6704282

SHA1
6949f7dd829ae607abf448a30ff1b11c4445fd67

SHA256
c787eff9187ad32974d9fcb0d3cafb218678cfdda1c752fa7c1d9bd2855ff7d6

SHA512
210487142baa346f713eb4937f7bc19e954b85b8db3fdf32974fbe0c0bd96bfab30e2a41c74f8ff03ebe6923d86a4568de288ceb33b610ffd72e1b24ed2544b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
979B

MD5
0c50800df69b24b7caf0976a28a61b4f

SHA1
f5981fd34c94071eff3e15648fac31a738b49803

SHA256
363c602f39fe8d0455d7cf2b354729ebb4b8beb9ef9fc670dd16a72116138231

SHA512
fd9efb76faa15480a1a85a66f7d4d2c0db026e139f55716eb1fa7e87557b03a26c59492109b087e9df368c1e37cb17026eb94ca0e3b6eaf2fb7643757ed047a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
42f720e71a8571927a20d32258e9fa34

SHA1
f446fdbfc380c76572ae2704d389fec585afa9a0

SHA256
e36e4fd7f44edb351314e5eefa8629dbbc256532832b93a583ace438b7b424ba

SHA512
02a3d0c3ce768990b14d7fb2c76fdfccb308d25104424288d3cc4b6887c5409afe5bdcf11bda4c2960ac9e950f6b9028d9352d366526979050a16fcf36ebbf5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
5c790494da4beeb3b563881ad16b2fa0

SHA1
b589d3d92b7b0ef5fad8ba3571e11420aff9df45

SHA256
eecb3adcdabc8e719f04272a71c8736602d3326d750a55de6772af2462bed01e

SHA512
2195665ad4d80cae2aa241d346284ac7da3be75af4855dee252fb43fa04884e9d7cd9897a5895a8782b294617cf122eac99ccb4d09ca292144b6067b89592fa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
8d7bbce13d559337139050aacd1e4eb9

SHA1
f7f89b58b2ffac2e12bb7772c6d7fa8207fa6196

SHA256
babf50bc0805b24a34bac48d13f009780aaa3058c6335dd49122946c1ad3b5dc

SHA512
338e696848582dcbd4772a8e5076043b84005bab933b85269be7748f35e3503629662186a348f03301e8ef16b188c9a74af2ba06e85d232df1fe86c00a2560b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65a5fbee3a8aee076dd26bef2433c211

SHA1
749d82ae8e40a434a9e193845c86d5657e8871bf

SHA256
10655b6dfb8808b465c23a8a57f7c4616efcc1ed875ccdd959d9d1e808307edc

SHA512
e879da2329722d3fd23582f6cf32247df797445c63701853e728c0e0af1ffef8b403f948d94ca211f0a34749325eba38cbb64a0981213d6ed31f111791626149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
055e75c378da925c3ca166556ec56c7c

SHA1
f7fc59d123db813e8599c3c78b0c1c609f06a89f

SHA256
094632b230c655ae6365cf93ae9ae28ecfea7f8b32fe812214eca3d04d40af6c

SHA512
07de0e442271ad5fed0bac54a4889d50191f2e9fb511e9cac93932490d98e2df568d2ad7da60c8f9d1d71ea5270690a12f8fe662432e61160b74a356d7848aa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6828349aa270d238fb9931bf123f0e6f

SHA1
bfe70ba19b99d6bc3ec6095750128f04181ce1f5

SHA256
66888a52cf2f8f09bf081472e0709eb6e25066d1c6ab2badeecc3101962037f7

SHA512
a625200a15af7a18bf0c1294b2e6e357e0b4c3cfdbfa0fe5c9edf81cd1a0680700a6aa869481934d7405c8afa7e3893197bda426cbd4134e68cfe54867f3d77f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f11bc3c3163de9a97164931d2cb9dbc0

SHA1
f9540a56b9ddbd07b509e5cf07c554c576045d5d

SHA256
92d4b3c957f3657374365606c2695b0c9ecdc3c4b98fc936fce557d48afbe243

SHA512
c4eebfc62a062f150cf54f33bd103c514de78f847efb6286dd3d0599614ab7bc98f35180462f6b4f027cf09a5d136810a0ba49090e55d30072e424e52bdd7c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a261a34a2878ff0ee03aa0c3795025a4

SHA1
c0d8c7a157a00d3429620dca0941bf4c013a3ab4

SHA256
d97e2cdd264aaffcbdc9deb128971318ed8f2817b2fb227904d5b951d09da48d

SHA512
b3213ea42ecdff1edd48cb686eaa5f6ec3db1ce214e59b1a577c1aafd9aaa78e13673d12bda2f122520bfad23cf5bc199149396e34a53e3653eb041e3e01b063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ea8df52c69abc510ea1aa4d0d376b2c3

SHA1
d64961926f937dba04190ba464245a9f595f752e

SHA256
3c7f380d82e20ae1cd8505781596e40188c4a2c852500d5be54d4c371b4760d5

SHA512
c2ce0eb527832e917e8a77236e20cd69a393f762a3eb0bb4ace29f7c1ebde4fe6eeebc014a9b4673d23361966932aacc65de425b03b22dab91d593a1b2ea6b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\json[1].json

Filesize
311B

MD5
9105750f17d90587cfdb3073e3db4b41

SHA1
68299e57ccb94050710511c9fba7f144af55038d

SHA256
325bea9d40295cd711d613b7dcb0958e04a537f751b177573a9c40303a4879f9

SHA512
07fcd8e2811bc7d8a481694d32a8d220a03ec99dfd8b9f55de99ff8327d392c6afbd821358b5087e29120b5a6d706f258c723585d3c69a26c1b0c385722256de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YHMF37VK\request[1].json

Filesize
896KB

MD5
6621f92e253c53901a45c7eae20938fc

SHA1
7e3759b02202ffaef0e2e41666edf7af66360b65

SHA256
1d359835b097d15a97f9f77359939b79e7d63697eb23de72c88d39b5467fc77b

SHA512
7616351db372c1c391ba5e3cbbada8db17b5d06dc03cb064eaa27083ecf101c3b7d1757ec8dca752200cf5b7118ffdcf818c09dd20f890a0f1dc564db3d1f05e

Download Submit
C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA0.exe

Filesize
203KB

MD5
3260b6847dedcf0b5bcaa74c17e9fb9b

SHA1
1ef8e1d6f5410230d6581593173a5672ed49de5b

SHA256
2b8abe5e810da75d292c35fc28d788570e769472019990056c1f1c091199c89f

SHA512
55090430456e54e24c5b9c88f6ace189f93a685801bc326e25346d90cf96dadc49bb06a23edbb018d5ebfbd44af8f7e63d7195fe40d12e0473de41801ec3c322

Download Submit
C:\Users\Admin\AppData\Roaming\tmp\conf.lua

Filesize
298KB

MD5
a6e82e3f005f61929f62c981670138b1

SHA1
71f15a319a5f8f353068b6463d153e7bcc4ebf23

SHA256
289b7cd5419091154d2db0c1c70e7580ccde22ebe59b03ada35e95ee6b530bd7

SHA512
0691bc3995e0bae2048c966a7f3c207cfd708fa691b2f95b85618c136ab3bb65d4201b4d9d690b3a3b7812c52c537175a91af6efcf98959ed5fca84aa7467cce

Download Submit
C:\Users\Admin\Downloads\Delta.zip

Filesize
437KB

MD5
050db28009fbccb87c4b8fe65d26d7b4

SHA1
04618dbb5a56045fb7489e94d063040d9df67e51

SHA256
85d38a787184d7cd88265b79ca1161712bec08bb7b1248ecb1c3f9cbb38e388b

SHA512
586f8a0ef633f16f796cf95d34a58fe90ae782ac885436e67626170bf8ea550cfb34953a46b55a1c4d4c4074161b440bc4d3858f5e0527b6fb0711575b86f60d

Download Submit
C:\Users\Admin\Pictures\32404286A0B54A9396206F13FD83251A

Filesize
1KB

MD5
e3b46c0161446ed49f3cdbc9cafc4b6f

SHA1
05d3035b386b1c85dfa58723b1556cfbbc6e5e2f

SHA256
26aa93946ee1c1cfe39520d3c4828ebfba01c2ebb565fb6337d8b57dec9a4b68

SHA512
9b9847e2418657ff73f76c5d14a9f7db41fdadd518418dec8e93ae6ec3137f68786ba271ae2d39b0073a1b73c633ee0cfe41b562cf34511e1a1e371b94f5f804

Download Submit
memory/1132-209-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-194-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-227-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-226-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-225-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-224-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-222-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-221-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-220-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-219-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-218-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-217-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-216-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-215-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-214-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-213-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-212-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-211-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-210-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-229-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-208-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-207-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-206-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-205-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-204-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-203-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-202-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-201-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-198-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-197-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-195-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-228-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-193-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-192-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-191-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-190-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-189-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-188-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-187-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-186-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-185-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-184-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-183-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-182-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-181-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-180-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-179-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-177-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-223-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-200-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-199-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-196-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-178-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-230-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-231-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-232-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-233-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-234-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-235-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-236-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-237-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-238-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-239-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download
memory/1132-176-0x000000007F030000-0x000000007F040000-memory.dmp

Filesize
64KB

Download