493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de

Analysis

max time kernel
145s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
Size

4.0MB
MD5

0665268da65d464a476d88bc8e57c531
SHA1

09eab43494f7910641a8a043a1c5eac88b793a2a
SHA256

493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de
SHA512

0e0e24f7c809200d3f3db1e775820c1afd547247df1ad3082ce46ad89849d24bf94aeff2f58cbc29630440605fecaeed786e83f5d1061d7252a7a7f6b2b990a2
SSDEEP

49152:cwVJ/qUQ5F5EexZD63Wb5wSSnebipRCoBRI17fMt6v77/lClNiuHL1jGgJ6OLCSu:3/257I6GnaipRT/md77AlDL1XsOXFs

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2344	wmpscfgs.exe
2408	wmpscfgs.exe
2620	wmpscfgs.exe
2644	wmpscfgs.exe

Loads dropped DLL 10 IoCs

pid	Process
2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

pid	Process
2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
2344	wmpscfgs.exe
2408	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2620	wmpscfgs.exe
2644	wmpscfgs.exe
2620	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
File created	C:\Program Files (x86)\259466666.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	2408	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb78000000000200000000001066000000010000200000001e602e09792ed0b9b85119030906052d2d4920ac408093018785ed4bcaf74d8e000000000e8000000002000020000000e6fcd808d23195359f2078d8db5bdb75e91b65dae06ad8ae1d21e3b7c17315eb200000002a1c2bf9ddc1f1b520a30be04b9bb40e26e2ee7051abfa187594c4135898657840000000be105bfe6fa1742b450bbbd5e450a5dd05cb1fdfcd4f5b01b83e05470cd41aefef597f49dce7389b25eccb6d28d1c810e92e035c9fd6d49a04e19aa362927fe4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A22DE3A1-6190-11EF-9245-EEF6AC92610E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40c525799df5da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb7800000000020000000000106600000001000020000000e615de098e149a7d31f9b08a880c4687e4294c9bdd6186f8445f354f2e070905000000000e80000000020000200000001d2544ecad8381ec576d841e8b598ad58f3ef12b9b3ccc7758094c7696e951b690000000e86986c2baf190d058ec92c249c5a75296c2819e46e475a01a9d40eb78b5794dc99663cd2646c548e76d943129a1121725807ad8df3b2a7f1ede3746e7924d8825060d1384bc7d0f931d7d9147dbcbecef5d7074439493e04861fac9dd233b5aa0ad064fb166da92ec666ce521febfbee062bdbe1debccd6bef69cf0bc3dd3521d1b587f9223dc47f360aaa47a3e381c400000005fac93411157827399a3cfffcf2a2d391bc8ff36817e56f300d9eaf37f3491a9c0e9a2a1174da4983d6c8ee6fbdd638e8b305723a0d05426d9f29976928ef640	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430607797"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
2344	wmpscfgs.exe
2344	wmpscfgs.exe
2644	wmpscfgs.exe
2620	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
Token: SeDebugPrivilege	2344	wmpscfgs.exe
Token: SeDebugPrivilege	2644	wmpscfgs.exe
Token: SeDebugPrivilege	2620	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
568	iexplore.exe
568	iexplore.exe
568	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
2344	wmpscfgs.exe
2408	wmpscfgs.exe
2620	wmpscfgs.exe
2644	wmpscfgs.exe
568	iexplore.exe
568	iexplore.exe
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
568	iexplore.exe
568	iexplore.exe
884	IEXPLORE.EXE
884	IEXPLORE.EXE
568	iexplore.exe
568	iexplore.exe
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2344	2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe	31
PID 2180 wrote to memory of 2344	2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe	31
PID 2180 wrote to memory of 2344	2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe	31
PID 2180 wrote to memory of 2344	2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe	31
PID 2180 wrote to memory of 2408	2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe	32
PID 2180 wrote to memory of 2408	2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe	32
PID 2180 wrote to memory of 2408	2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe	32
PID 2180 wrote to memory of 2408	2180	493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe	32
PID 2408 wrote to memory of 2852	2408	wmpscfgs.exe	33
PID 2408 wrote to memory of 2852	2408	wmpscfgs.exe	33
PID 2408 wrote to memory of 2852	2408	wmpscfgs.exe	33
PID 2408 wrote to memory of 2852	2408	wmpscfgs.exe	33
PID 2344 wrote to memory of 2620	2344	wmpscfgs.exe	34
PID 2344 wrote to memory of 2620	2344	wmpscfgs.exe	34
PID 2344 wrote to memory of 2620	2344	wmpscfgs.exe	34
PID 2344 wrote to memory of 2620	2344	wmpscfgs.exe	34
PID 2344 wrote to memory of 2644	2344	wmpscfgs.exe	35
PID 2344 wrote to memory of 2644	2344	wmpscfgs.exe	35
PID 2344 wrote to memory of 2644	2344	wmpscfgs.exe	35
PID 2344 wrote to memory of 2644	2344	wmpscfgs.exe	35
PID 568 wrote to memory of 2020	568	iexplore.exe	37
PID 568 wrote to memory of 2020	568	iexplore.exe	37
PID 568 wrote to memory of 2020	568	iexplore.exe	37
PID 568 wrote to memory of 2020	568	iexplore.exe	37
PID 568 wrote to memory of 884	568	iexplore.exe	39
PID 568 wrote to memory of 884	568	iexplore.exe	39
PID 568 wrote to memory of 884	568	iexplore.exe	39
PID 568 wrote to memory of 884	568	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe
"C:\Users\Admin\AppData\Local\Temp\493ad7077d80f01a63c27d703ad75aee931fa971135816ac27b684026e6971de.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2344
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2644
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 168
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:568
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:568 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2020
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:568 CREDAT:275477 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ecf6b5d64848035d1dcbb19552967b0

SHA1
0b94dd2c003c7dd1ab30feaf9c29fce8628ad9a4

SHA256
0983ff0b0f5445a5bb716d45248d26cecf4314c4ba4522fed3a0e5e6767ce23f

SHA512
5e775eabf98512695ab4890d8307d25d1157996699a3b366793f3b695f455e1477cdfc3fe96fc7b7e886c0a621db3dbcfa9bc8997fee3b75dd11f69059d165a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
491611ab370c6613c33e84bd0d907eb4

SHA1
bc969d39763331ad5bfacfa9b2b82f0d9d298c13

SHA256
b1ee452b467de980de9eb75b45102360e38b781e2c07e3e19745aa940e6da64e

SHA512
897e6a1816caebd8f5503ce8ef3c22a989554976b559d7f37d1ab513a9cd116382f25edd88e66e173446a863e043c0462a1ff331279761a14dd41de5b2fa641f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b28876f15e5cc725364f45f4bf4aef68

SHA1
ac7db1246e315523c0bfaaaf6db444b97ac4de46

SHA256
a53ab69b8068dbf41bf569f112781d72129907dcdfaab4c11b438c9bc0d4c92d

SHA512
f1d7d22a7103955b2a006ee7672fabe3c0eee953fc6b17c048d4a2147455239ccafe3fc964dca048a302970fe157417bb6d4d3e48d884ef944de165c1c245cae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
584139808b2ec5cc0c9e74b3e69ea7ac

SHA1
435653ba1ed7ac6ee2ea90a3821c534cbdba3ed8

SHA256
fa218d795607ba373c3823ee5da4176067ac9c2a6761e9019ecf5aa0848b3048

SHA512
eaaaad47164e7aeec4c691832c6e8edf3216e2e8ee6e4fea3bab092ec4c2778bb99f27ab227e37a79bf4f86e3ad2204bc28f87feea5473bfd7bb04da7447777a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d1ae418426358caa957e2ec35460e1f

SHA1
5cb96b1a5067731b997e3e2bacc8eddcda7cc95d

SHA256
5cb3827cd0668b99f678285c117a504090dd587647962d9b5c26c1d2b1754e5b

SHA512
ec25e8f20e4ee6fe7abd9028e5b752d7eb0c0266538cefb92188cb556168f5283315cc4df5403e4d5f1e2d294b086ce38ca972a9ffc0f77fb9738d8933c9c098

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23a3ee35f68cbbd2269a1cfd818b5b21

SHA1
c4460cda64e026ade329c5e2a95deacc32dba46e

SHA256
db5655c00663f62f71fc90e0b1fb93ca3e75e860896f03f1d881d3e9beeeba1e

SHA512
974e2ab098403abb8c6d6921fe0e218e52f070d4e11d1529ce5536f143b880a2cad8904d5c505470f0a5098d468b4c179f7d50921a4d2be6f2416eb155e4f24c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b584115c46222dc82426aa93373b4ec

SHA1
e886e4c532b4cde3891eac85325dfc3cec623d11

SHA256
4f7debc6c1794a181053ef1fc5151ac43736303be67795743395efa9cd38e27f

SHA512
5e80a32c294e0c4774710a8ee8f853ebdda7120c4b0a90af011f24c38411773d5c7f62f85fb5148628f1ac95de11fc98aa25051e72d9338f6268345eef420228

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a8cda8b50b53c2454c3a53f3f48f7a0

SHA1
8a9e69f323238a60ba03e5ea4103311be5e0b8d4

SHA256
7ffce51850d060bee7aaa202aad151b7c184c413307cdbc846a3a24757b93994

SHA512
6c46a18325809180480a837dc7bf166bce9729fa02ce038e9eb401e84ea89a9687b03ca84b3c962485418578d313bae50ed0d3a16d60d4530984e776a3efef85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22cbb0294c814482089fd302f398bcb9

SHA1
eb47fe626ceddce49ce7fe358b441f1515eb8cc3

SHA256
2af68fe8fe49641831f32777eadf2cf01c5555151b3209453ee3bece336c0d1e

SHA512
7f5def928c01eb719a056c81a4638c27af7b3474b94853f253bf4bafec144a383a28b64df682e4d2672ed87f69b0a127eb3bab7924f0dd92cfc6bd7f2cba2c8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5dc2bb5ead3378804c515e3f2ff994f

SHA1
813eec6e719c411f52dabab2f84db51c12df1632

SHA256
439fbaaa96814afb70605cdddac1f2095d69b89f715a613498785293ae6579fb

SHA512
9732fd24d8ee1b2d15376203234ccd1485926cf911f7eaf950b4d548da1923f621c9383756f31bde3e7c98e03f46d28b3d7813a73418ea0e0cff6733fe7f6dd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2405db9a38494fcd5e427fcfa8bab22f

SHA1
d18903684fc65cf87c968cc8c3207cb7d49cb0a5

SHA256
24e10a1a44b1b491643c367cf7faee57d07995e3f040a2a6cec9729f43597501

SHA512
15f796e2823bfea9e90b5e7988403043f7a2743e0b52cb3b7203d34a79da8ef5a9b148a88eb0e035d0f2a21fe6f893e0d376fba0559c0927d2780979c593022c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5067388f33d88fc38b44a0ca3bd6654e

SHA1
f2d6379d88aaf2247fb01ed2f2debe38d2ce4f2b

SHA256
422fad7fe8a67c3e045b29d1e7cefa0fa069b3d3cf70efdbfc7e682461f9a87f

SHA512
cb3bff690717197cb86e402d54d6a0704539ea4f53577a59d7dfa4c87e3948abd3a61bb10eebb46b99a2f6f17373066cb6598c4d906b928eae0ca016f26a4df0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
449c11f7930faeee92d6dcbf3277e789

SHA1
69a2bc4d8a9d30cd064a587223db3cf72678122d

SHA256
5f60806f3f3f21983062f7253fd1528e4b1605dfc392275b4f1fb5ddbb808ad7

SHA512
8c15bcbad9c003bba4e51a97bddbf10ffe5d2eab619c10aae7a70fff0667c850ae66e5e057d4aee8339c7c6a06152d3427e8d4076498de9ec44acb694022de10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7630af36765d56e9bb981072197d39b0

SHA1
f83153af20a15a8b7d488cf5c0d2d43f5bb0a056

SHA256
b92a212ca83a3758548a6ba1c9c7a4c8e72e703d8ba81513739a16fb8b46328b

SHA512
c30dda635108618a0534b2220dadab059c193e77aa7a51e69f6e63c25500a710e7bb13705d3f636e2bef3658f9713dfb1475fd8747bad3437df000dbdced68d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0791bfba97771b9bbae196ce238957ef

SHA1
57b555819b27568aea440eae12e4e32e419bc096

SHA256
5e4374add09255c9d47a6f0255caef0ab1b835371b91c965d71656b97483b9f1

SHA512
41664f2d1d24341eb7b224128de3c69bb8bcd720a295f74b1cd209cc7540f21510aa258d9a8f5d9f6ef921fd14fd597bfd13979aca51b08198910ca758445699

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b239393edf57334212e8da83ff8576d

SHA1
0a6410ff2a9bf2bc5c96a61af24b890dec8240b0

SHA256
b95611784ea706eef7419242460838c811d7838d667c3126287640b8ae393a25

SHA512
1d44ef5d1b77190dc796b17c3b12ed82586be3d5278f2b09fce25555bec7df36b4ff1682a623dc14cfcba1ef8c908082b2ffcbece7c955bf089b7a77a61fdf1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3219f7e7e46a7bb59616ecc47d1e0d89

SHA1
e7eeac8ac6e8d05d6d17ce8fd1ab59bc0fe78663

SHA256
7bc013fe5925706a31d9307c825d46719983517ed9fe7ca2d52b923274d9cef9

SHA512
0600f2e038506f4ad95fd7740a70536f052eb87fe4ed5eb6fb06ccfe658c26c8460d95066575b1a15697ec9d5418ea70623a1a8f400cca92a400baebf3a8d9b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1c6c8aa6d18b0d651ca4382e72c6e67

SHA1
3e2a5bc564ff45c5d98935fe5c20b64fed9714b3

SHA256
3fca3519ec0148f6b907e0b0a9ea35b42bf33f8cc95f90d47a8f2be2e500f8f3

SHA512
2253390d415a39cde90e1a4b784c9b070c2b619c49de49f958fed2030fc2388ba41e6401523b1faa846c7a971e78a1c65bd31e1b9ac87b42141a04d40512ed74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5A15.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5A85.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
4.0MB

MD5
e040b3a3f1601bad3b0d56ecd297c5eb

SHA1
ea242632ed771ec963554ada6cc86b6c2c92750c

SHA256
68ccae1113bf91ea9cc08ca075ffb44ace4e4983e0ae98ba7292af7b05e22479

SHA512
11ecc98d4b437eea7136c1279e62cf76e28b3a84c927fc5a60837320e4a1692ddc94bdb909dd2fa619d3630463dd7a79f060a77506773a22db07ca978331c64f

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
4.0MB

MD5
5313b21d6e068ded571bfb406077d181

SHA1
53edee6349f6d07bedf2f1af6aabdf671469701e

SHA256
801bf0acd216851f96e0857ab341a9f026318914aa8eb048d17937c826027824

SHA512
15e1ae5006a8dd0e658f180661c1ac861b999e7464b947d013861d8159dd7efe135d259b3cb04e68cc766c4ee8d69e376930026726db61e54e172d0f3f692ee0

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
4.0MB

MD5
a19d60ab313a64f717d43bd60314ca14

SHA1
2c783a2dff0f28dd86fbb9857a579877bd113442

SHA256
e8a2c8882a1da8c28100dd19afa4e0b65e5dea69cb3e3a0baf4116a981ad655f

SHA512
7383ed5f6717a2f6c48ad0db205f08088b251e2bd0631f915ee5d2bdb06b22526d9f3770b8b43788e9561313f80d52bd030338ed38bdf4a310d3edc6502233ff

Download Submit
memory/2180-24-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2180-40-0x00000000053B0000-0x0000000005D83000-memory.dmp

Filesize
9.8MB

Download
memory/2180-26-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2180-0-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2180-28-0x00000000053B0000-0x0000000005D83000-memory.dmp

Filesize
9.8MB

Download
memory/2180-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2180-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2180-23-0x00000000053B0000-0x0000000005D83000-memory.dmp

Filesize
9.8MB

Download
memory/2344-43-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-61-0x0000000001010000-0x0000000001012000-memory.dmp

Filesize
8KB

Download
memory/2344-512-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-518-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-520-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-523-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-525-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-30-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-141-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-59-0x0000000004C40000-0x0000000005613000-memory.dmp

Filesize
9.8MB

Download
memory/2344-60-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-986-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-982-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-977-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-41-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-975-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-33-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2344-966-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2344-968-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2408-42-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2408-31-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2620-70-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2644-66-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download