69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe
Size

6.2MB
MD5

953fbbadef8be562de7c47d9fbbb249b
SHA1

895984e31ade4a38e1c13a7ad3767be1b7142533
SHA256

69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf
SHA512

75bd646669982c71b15ee18981af3af3ec4d0242f6fa6928f46a17bf8c53d2a146451ed0ec0e1df3d4bde9865b795fd8f5dc3dba1d5c2309418515f71f703f24
SSDEEP

98304:4iGBZFvFQklHubVD2W3gXsWvfTITRQbCsode2RTuBnOMJUIfuMp0:4BB1QoOJrKhTORQUd/NuJpaIfuMC

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2312	powershell.exe
2616	powershell.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2668	netsh.exe
2824	netsh.exe
1700	netsh.exe
996	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2420	Quick2011.exe

Loads dropped DLL 1 IoCs

pid	Process
3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quick2011.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2312	powershell.exe
2616	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2420	Quick2011.exe
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2312	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	30
PID 3068 wrote to memory of 2312	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	30
PID 3068 wrote to memory of 2312	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	30
PID 3068 wrote to memory of 2312	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	30
PID 3068 wrote to memory of 2668	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	32
PID 3068 wrote to memory of 2668	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	32
PID 3068 wrote to memory of 2668	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	32
PID 3068 wrote to memory of 2668	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	32
PID 3068 wrote to memory of 2824	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	34
PID 3068 wrote to memory of 2824	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	34
PID 3068 wrote to memory of 2824	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	34
PID 3068 wrote to memory of 2824	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	34
PID 3068 wrote to memory of 2420	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	36
PID 3068 wrote to memory of 2420	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	36
PID 3068 wrote to memory of 2420	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	36
PID 3068 wrote to memory of 2420	3068	69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe	36
PID 2420 wrote to memory of 2616	2420	Quick2011.exe	37
PID 2420 wrote to memory of 2616	2420	Quick2011.exe	37
PID 2420 wrote to memory of 2616	2420	Quick2011.exe	37
PID 2420 wrote to memory of 2616	2420	Quick2011.exe	37
PID 2420 wrote to memory of 1700	2420	Quick2011.exe	39
PID 2420 wrote to memory of 1700	2420	Quick2011.exe	39
PID 2420 wrote to memory of 1700	2420	Quick2011.exe	39
PID 2420 wrote to memory of 1700	2420	Quick2011.exe	39
PID 2420 wrote to memory of 996	2420	Quick2011.exe	41
PID 2420 wrote to memory of 996	2420	Quick2011.exe	41
PID 2420 wrote to memory of 996	2420	Quick2011.exe	41
PID 2420 wrote to memory of 996	2420	Quick2011.exe	41

C:\Users\Admin\AppData\Local\Temp\69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe
"C:\Users\Admin\AppData\Local\Temp\69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="리드콜상점"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2668
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="리드콜상점" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\69e8eaf4f18c7b0e63308e1d42cdc85fb2b60d090bd1bd5791483d09882b9ccf.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\Quick2011.exe
  "C:\Users\Admin\AppData\Local\Temp\Quick2011.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall show rule name="리드콜상점"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1700
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall add rule name="리드콜상점" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Quick2011.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
05e09672f1501e375a96b88dda7b6b48

SHA1
f1dfb5fb92579d5c284a40753c559cfc42ee0e86

SHA256
c182560cb22ce28d66ca0eb1aec81b5faba7e63d18a7e628adf6188454e17d92

SHA512
a618db8bebc9f647884f7a367b588cb147e79bec6c0c107c5b6901bc6c0644956e69420f8a75e57c1d80ca45175508faf7efe365fa416f78aa8c2793f3726f49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_39A6AE8F43AB86162D90804E368F1A4F

Filesize
727B

MD5
ce757937524a89e2027404625e34c775

SHA1
a550fbb7ede474e9eee5dd332ae7fab0b5b12056

SHA256
7e30233ae33041310a6114042990106b4831494049a35b8bddc71f149c5bbb29

SHA512
0c6f94631a8f48384e72a42bad587738c85b5d28be14872541dc3e6057a5e769359272e5ff0cb122fcb96eebad806f86cb95a6199ff2edb139ba17cd53749856

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
3468cf54113d2a5a5c0523352c196c6d

SHA1
f9630b1f9d9b75e06be51d2be05560e776767a2f

SHA256
3e61fc0bec02f7c57ab683f5d2fb1acf951f379e947a8b2a27c389070cfdb063

SHA512
4534a82bb8b3cff2a3dc0846e2426e8f89fdddddac10eedf5e3b28acf1c4403f5aa4c0c557a7c0ae33c49536a0b67178e8e2e004719d7812650d19046757a6db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
cc5d7e74c13633186f6c69d01e0fc410

SHA1
59a44f5effacae10662281b9fbdb75426cb7fcbc

SHA256
615eb09b3f8123fb1ebac8c304892b6505bfb5e2f966820a1be87c15e033765c

SHA512
b9d74f58c8a0c79301760eae96b86a1b56c9dd6cb484a9e6914a5c019c516995c6374db0dba00d4be5990d08c3f507ba9d18dc40f85762af2e64bf0054d4bc76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_39A6AE8F43AB86162D90804E368F1A4F

Filesize
412B

MD5
dc237d116b9f28881905ce0c4c8e953b

SHA1
4dd9af918d435aed1d5190add89e453731e85e62

SHA256
03e56779791c95a43e26df9ba407a30a540f4517d2df6c0220ec28dd41352e58

SHA512
81cf7161a70d67e3a39e71686d0e220e6f2d0ef6ddb9e8b69940a3764c971a5e9b39d64b4ebee9525a37d7e140c815ac60b0600b2f542ea7ece37917ccad1dee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55ceea3634a561743eff86ef444d6937

SHA1
a89f195e0fd67b3a1d91d57666d3659eb97f76af

SHA256
e67eba8a24ad85a0bf92dcb0ce194559e0f54401ebaecfdd9f807eb2b0820db6

SHA512
1a4ae379106f36fb776d1e75ed17b2ee621d0e6fedae5ae3ea5444ee3a15784e4e3a1a3d7046747e9cf4d2c49288ac4c16456fae8ea02c210674b8f2713b3d05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
3136ee0f6e132ed7be165199493be1e5

SHA1
e2d3261f43e6fa4bd17c311733e87a7a8f782ab8

SHA256
a78117e7ff73b1b993d1069a8a4356e91fc80ac74fd1046cdb8d3f664daf06ec

SHA512
8c3afe068a0dfe25ce94fd1973706635c03f6c2d087b9e3f94ff43d7ff527de69b85ca66fb569721b90f5a4ff46707519a92fad0cd4b35e2ef4cb5ac76c69ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCC56.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCEC9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fb65f51b8baa3eb22d83aa2309de7ce2

SHA1
c2ccd210edbfe7cf46818d895223d878b9b1dcca

SHA256
09cb82e0be8314fc9d1ede77a14b0d75715c4610d5b0ce65696089b2bcde0795

SHA512
61195debffcd8a747feb7f51d7408149a5cae5aa7fef4702f43b037204d0521d1f7cf33d137c7d40a635c03ad1378129b9411b67e14c314061d05a9e071da607

Download Submit
\Users\Admin\AppData\Local\Temp\Quick2011.exe

Filesize
6.2MB

MD5
99c0e406058e02bb79745227dcd27852

SHA1
162bc4ed9b5cad6bf9fa20fbfff50afbe4df52f1

SHA256
fde910bcb3374fe1877fd6cc0c514ef35639da1a03f6e2d61280e4858e94716f

SHA512
77bdac3d2104ea472cd659c3a0c8a90904437464a802b6124730d753acea5cf646aa20342b8b7aeeab9f9cbe47bae9ebb2a0fdfcda6b4c243c0eda2425ca8fa6

Download Submit
memory/2312-45-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/2312-49-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/2312-50-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/2312-48-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/2312-47-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/2312-46-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-42-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-55-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-54-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-53-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-52-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-51-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-0-0x0000000074F71000-0x0000000074F72000-memory.dmp

Filesize
4KB

Download
memory/3068-41-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-40-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-2-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-63-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-1-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download