68f94de7b53f346a6aae4a4f273304603ced87aea21b6787a218598db461a4b8

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 02:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

26ddce84f91475842bc08e44a8c0a9e0N.exe
Size

4.2MB
MD5

26ddce84f91475842bc08e44a8c0a9e0
SHA1

69719b7620a10e993010678e0b9d19789cc94b75
SHA256

68f94de7b53f346a6aae4a4f273304603ced87aea21b6787a218598db461a4b8
SHA512

37dbabd12cd51f23928241722c378dda25ca1e1e8a7dad9730ba15fc85a199ebb6626d4387f8f4442a3fcff0c8b97d0cf74188edb86bf9be7fe8ccb16dda0a2b
SSDEEP

98304:aGTL/txgOOozhJCqIZcrLpdqmQS449YO81hm:aGTjcfsJwcnqRJb1hm

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
608	wmpscfgs.exe
2280	wmpscfgs.exe
2360	wmpscfgs.exe
2848	wmpscfgs.exe

Loads dropped DLL 6 IoCs

pid	Process
1488	26ddce84f91475842bc08e44a8c0a9e0N.exe
1488	26ddce84f91475842bc08e44a8c0a9e0N.exe
1488	26ddce84f91475842bc08e44a8c0a9e0N.exe
1488	26ddce84f91475842bc08e44a8c0a9e0N.exe
608	wmpscfgs.exe
608	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	26ddce84f91475842bc08e44a8c0a9e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

pid	Process
1488	26ddce84f91475842bc08e44a8c0a9e0N.exe
608	wmpscfgs.exe
608	wmpscfgs.exe
2280	wmpscfgs.exe
2280	wmpscfgs.exe
608	wmpscfgs.exe
2280	wmpscfgs.exe
2360	wmpscfgs.exe
2848	wmpscfgs.exe
608	wmpscfgs.exe
2280	wmpscfgs.exe
608	wmpscfgs.exe
2280	wmpscfgs.exe
608	wmpscfgs.exe
608	wmpscfgs.exe
608	wmpscfgs.exe
608	wmpscfgs.exe
608	wmpscfgs.exe
608	wmpscfgs.exe
608	wmpscfgs.exe
608	wmpscfgs.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\259466494.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	26ddce84f91475842bc08e44a8c0a9e0N.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	26ddce84f91475842bc08e44a8c0a9e0N.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	26ddce84f91475842bc08e44a8c0a9e0N.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	26ddce84f91475842bc08e44a8c0a9e0N.exe
File created	C:\Program Files (x86)\259465730.dat	wmpscfgs.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26ddce84f91475842bc08e44a8c0a9e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000027a11848c484c24768030e6b0c948a7fa9855a8ba602b4a583d4d329a983aad8000000000e80000000020000200000006b805d9458ea784aeed847501384f2e3b5f1fcd94717c389bbb5c2982a9ebefc2000000083b94402a7b6069925c5cd01c60dae3e11c65d2043b95efe7ce26599498d5b364000000052ed31b76437a747b3551d1850e50cf024fd57a3f7bda0dd039eaa09285f167e1605c3e41aff413e3ea76de1ea395e1ca700408bf1c077aa384aaa20c372608f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000f077dd767499a75f60cab362950a1a638a895b24d7e4ae624c2b1e9175769307000000000e80000000020000200000009654e9362fd8aa4da2c8dbc5b3a8baf106a734d2614444d841e8648c48edd7d29000000052574f72a6ed609a6595089522ac2f5131b2c4879a79894a83c2b7c1c5d8364816381eddb53cd66926b214cc532c285e61bc5a33b53c98bd82964c7f38d86a7d4bf76bf002e69ac4f35ef2022b5e0813351254f7bb9d7a021dd9ffd65b9a511fa63d658fba02010b1f4ee1cc850783cf04148ed0305c55e9b9cd008a38a24e19e759c6a96a997cb298dd69e18e6d59b0400000001a1262c1fec6ccc56328d409330f7b672b9d764e11e6c6051a5bdb56d2eb3cdffdd2cc7df45e6518fdb6396d593fccd5cf6d278538085c394cfe61794d9444ad	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f02f77ac72feda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E708C701-6A65-11EF-B961-D22B03723C32} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431579005"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1488	26ddce84f91475842bc08e44a8c0a9e0N.exe
608	wmpscfgs.exe
608	wmpscfgs.exe
2280	wmpscfgs.exe
2280	wmpscfgs.exe
2360	wmpscfgs.exe
2848	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	26ddce84f91475842bc08e44a8c0a9e0N.exe
Token: SeDebugPrivilege	608	wmpscfgs.exe
Token: SeDebugPrivilege	2280	wmpscfgs.exe
Token: SeDebugPrivilege	2360	wmpscfgs.exe
Token: SeDebugPrivilege	2848	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2820	iexplore.exe
2820	iexplore.exe
2820	iexplore.exe
2820	iexplore.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1488	26ddce84f91475842bc08e44a8c0a9e0N.exe
608	wmpscfgs.exe
2280	wmpscfgs.exe
2820	iexplore.exe
2820	iexplore.exe
292	IEXPLORE.EXE
292	IEXPLORE.EXE
2360	wmpscfgs.exe
2848	wmpscfgs.exe
2820	iexplore.exe
2820	iexplore.exe
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2820	iexplore.exe
2820	iexplore.exe
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2820	iexplore.exe
2820	iexplore.exe
292	IEXPLORE.EXE
292	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 608	1488	26ddce84f91475842bc08e44a8c0a9e0N.exe	31
PID 1488 wrote to memory of 608	1488	26ddce84f91475842bc08e44a8c0a9e0N.exe	31
PID 1488 wrote to memory of 608	1488	26ddce84f91475842bc08e44a8c0a9e0N.exe	31
PID 1488 wrote to memory of 608	1488	26ddce84f91475842bc08e44a8c0a9e0N.exe	31
PID 1488 wrote to memory of 2280	1488	26ddce84f91475842bc08e44a8c0a9e0N.exe	32
PID 1488 wrote to memory of 2280	1488	26ddce84f91475842bc08e44a8c0a9e0N.exe	32
PID 1488 wrote to memory of 2280	1488	26ddce84f91475842bc08e44a8c0a9e0N.exe	32
PID 1488 wrote to memory of 2280	1488	26ddce84f91475842bc08e44a8c0a9e0N.exe	32
PID 2820 wrote to memory of 292	2820	iexplore.exe	34
PID 2820 wrote to memory of 292	2820	iexplore.exe	34
PID 2820 wrote to memory of 292	2820	iexplore.exe	34
PID 2820 wrote to memory of 292	2820	iexplore.exe	34
PID 608 wrote to memory of 2360	608	wmpscfgs.exe	35
PID 608 wrote to memory of 2360	608	wmpscfgs.exe	35
PID 608 wrote to memory of 2360	608	wmpscfgs.exe	35
PID 608 wrote to memory of 2360	608	wmpscfgs.exe	35
PID 608 wrote to memory of 2848	608	wmpscfgs.exe	36
PID 608 wrote to memory of 2848	608	wmpscfgs.exe	36
PID 608 wrote to memory of 2848	608	wmpscfgs.exe	36
PID 608 wrote to memory of 2848	608	wmpscfgs.exe	36
PID 2820 wrote to memory of 2756	2820	iexplore.exe	37
PID 2820 wrote to memory of 2756	2820	iexplore.exe	37
PID 2820 wrote to memory of 2756	2820	iexplore.exe	37
PID 2820 wrote to memory of 2756	2820	iexplore.exe	37
PID 2820 wrote to memory of 2796	2820	iexplore.exe	39
PID 2820 wrote to memory of 2796	2820	iexplore.exe	39
PID 2820 wrote to memory of 2796	2820	iexplore.exe	39
PID 2820 wrote to memory of 2796	2820	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\26ddce84f91475842bc08e44a8c0a9e0N.exe
"C:\Users\Admin\AppData\Local\Temp\26ddce84f91475842bc08e44a8c0a9e0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:608
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2360
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2848
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:292
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:406533 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2756
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:930837 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
729836086a8cf886facd2cd02c50bb41

SHA1
af8cf3aa235e39ef5fd76ef3e13575826f008e8b

SHA256
6e28979374bacbf622f3567e0eb796f38162038ae187654ab2bd7b6733d75381

SHA512
2293d6572f65a616c9d7dd6428fc84e6ff99f8bc976d3c6e718201981e98dd1b56edd4ccb64c205ab809aa2122f018d24a5b33b94d142ddec5472a26ed36f57f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf0ef5b12ab2e993d4ad532762013cdc

SHA1
1fccb30ad95b141023117965e66d5784b91c4211

SHA256
99b2c37c908ad10aea16437750bd4bee12e9d6a68c0fcf1bffad4c4e17fff51b

SHA512
c2f2a504cc8bbbab633087f3807bd5c26336f9465053e60852e12826c9e52e28099dd56c5c582d10260e80c4121a485a6d592aec241fc80a48565690b3dd47ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e295e59d8c7d12e5231a26ca26a9a6b

SHA1
64492af949bac8edeefb06f23bf3e3dbdbf018de

SHA256
31a64af1d6feb3b6d04f8df49287a67ae1f6a70840771b74def049e717a3007d

SHA512
f1cf4de469ff6b60c479fb762ba6b9a17050f1030d64f40fd6633c60fc64158bd04344371b0fa55b3c8f1a1fffa02facf7557e065dd414bf2d8724dce382085f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a62c3f6174f4b1ffae4d9315d041bc4

SHA1
c9241cc8f262c09d918f0b58a7ca5c78b3e427be

SHA256
4dc6bbe8378217e3c2ed82c995726aacf8483401d71d0575556cdc2bc94305f3

SHA512
c89c4660211ef2535540936d5b063a4dfeb52f6895b9d16c85ae4929e324519dc129b712414995bd4eabfc7ad76ca710e87b239eab557e6ab8b2cc4d869f1f00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84d38693ea2a3ea609beeec036da4ef3

SHA1
05515aab1f2bc59f4e5c720be3c5e54a23f12e5a

SHA256
241db1060dcfe12253a8489cee3f3df8248ac898db7ab6a189511c0f7ae97e20

SHA512
230f5e22e5a4862e48a9e2fd307b35c0887b892538d86d8a15f21a5fbd967fdf4021826100f5825809acde38a6bd0790633007679678ebc4c22b42e250e2369a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aae5f061aa82c3f4f9b3224c021acb2f

SHA1
3c3d127e977e4ad45c847dc8a1ec386a918642b2

SHA256
c505abefcd7b396ae2167587758dd7165417c22df9660216aa768c09284c8fb8

SHA512
5c2ce5eb4794656676da422892c9d03f1ae877de6835400a0cb5c4e959ed874aee094ea725af484480d8007b4a741f90d63469ff57d6a855f9e4228c52bb662d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa2d689f871e490d0a6e720d7226cc34

SHA1
992503512e5546985803091d6c5b1ea5bf860d8b

SHA256
82e9055dc8c53527e7fd33f8cfefff61a131bcf8df95175879b3a0be85f047b7

SHA512
5231dd82e49476a87a975c94163ca87f9086670ad83b291d95060d0dea9b656be873d7ef0e6df819295990eddd2ec4ea64228d7daa4da5efea3aadd669a5410b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2236584ebdb79aba80af9c0c7905330

SHA1
94013875ddf87fa6c3527954681e2d2f5687f283

SHA256
cd3a6368d1ca6ed505d7a81155b129c46ae2f4fafc6a13edc289ca5c0412c468

SHA512
2416524eb3b471f592d49295d87dacbb78495f78d4e0a78b813334afaf692d9fbfd5033c9be81f8553c924d33ea3539756a32321c1ad9bedfc6d4fd271a0ce04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e4cc8440acf972c2d831ccf783c761f

SHA1
b91012dfa13de01cb1de4bf9218519b64aeae393

SHA256
a86164b627d928588ea050cee2d9f14d057560d1f733e102c35bee9719a0353d

SHA512
13517f7f3c484b384f85b66232c10f4b369f30243a2fb3e3bbf4be40aa5131ea493abc65a41e13b5a2132f711db03149a4e173b421c8abc62e955b0f4057a5d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a66b3ec6d5eaa005a06c3396f15622e0

SHA1
b8f03f3d40547c412800143ff58621a6675a90a0

SHA256
aa288febca95ec5fd7b7e06f12cbda61f06ca3d7d8535f0520487b381fcf5b54

SHA512
ddb0cdae49ce2388f6fbf7e5414c1e9db61eee925d1e5b3e2cc19c97d40f85817c69ae2acf3f136d3a7bebb0fe619561270ede53444bcc9577bfbbd954135349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33409f279f8a496d18965c5924d46cad

SHA1
6dfc3f699a4ea9f2bcc934ae8dbe48ba23387690

SHA256
1e134adf3e03ec99e0ded273c530cf0fc3f690ec8e632a8be66d8fff60e7412c

SHA512
a7dc6adbfd9d0cff3af1fffc3e53add558a25c0f98068274e595664546b3ccedb0a04955f34ec29720b83735f3b989dc1a91508aca147fd34050710f57bae2b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b72456e7ebafefaffd10ccf24e21595

SHA1
19e9e4f1ab4eb2b980634b0c891a38c4b91111b2

SHA256
be1d5fe8f388222e27e9a40c91c53dd92cb48f85c35d36f19e7a455c05603a8b

SHA512
1f052fc4cb52907d7c0dc25eafac53226ede99e3c81fbae351af90fb8c9dc80f59cf8d3f5e532ba20aa3bd397fdc07cd9a2a4706a9c2a9e52a79502e65a0079a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a365903386108cb18d0a97dcb045a29f

SHA1
f749c77fe7b7b67893244c6927caefdfb496eebc

SHA256
352986f352a0ce613adfeb502ecd8d4e16dd258d68c7d5e701999e57e583ffcd

SHA512
c730100a3a37f1d0f8a58317a4a5b494f9392ac4a375f58a3b2beb478759d536e838c6bddf97d98367031b7c260b4b41069debb3a3d47b47d0ff5baac74db1d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23bca6af3a3bfe2d8b0e10d9598eb6dd

SHA1
a9c46274ec360bc83995fb70d0310a87d9618908

SHA256
647fb844376487c5ead34a1e2660816103a1f7278f2ff7a4c7219c4ec8302a83

SHA512
75a218ad146e846b50174ecc628d5019061a8d1e9d3ff1e69a1386321c8763346d2542d0cd619b9359b5e76518ffad3176d7fb6d952dff0ef839b369f23cd27d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93ec6a8d7dd34ae613f781451cc2c8e9

SHA1
bf87bfa37c1fcf7209175d2f7a2f19f5e5e04afc

SHA256
7815204b8becfee3ea703b3a44a2c6839b06bb3f029f3b697f9edcf5c2200c25

SHA512
9d57c6d9f3e4129f883d0c84ce23839658be96ee1568554f782d43e16bf846904526b02f1ea2946b45e63c596e34832e4626232feeaebf9263cb419f824a5ef3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d760fed2ce4753df6268357ee7f5799

SHA1
b54b2a19638bb45c0649bcbe568286c3e22cb8ed

SHA256
621733a4c6f9d83433b982bd0d3d41918fdf1439e9b0bda45da252f7590cfe80

SHA512
8229c9f9d7fece8e145f3201c78ef3957576d7ec638886287721d8d9a961a005fe15367573c65c99a8ccd94d772a39399950252df73e995a5cf805a462eda59a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c45284f5c1804c0161d15fea20abfc6a

SHA1
1fc9644ce7daa44a6c2e62c90687af34b5435a1f

SHA256
6e25b0ea1749a1ae3c479b3492053af5c68d1efbcaf3ce91a1de7c427ace87cd

SHA512
6c5709eb39825baf4743ba52ced7457362520fc3181445ff5c94fe316bc79e21522b66017c0f9b8b41e59ff043a3206d57cbb8394a199c920103e0814cd438bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4b5a6ab7f02b145845f91d442db60f9

SHA1
237f91ef812aef3eb9ec2b2b7d0ac1307b7ee9ca

SHA256
6c4afcbd9efca9605ffd9cb4f5b3020e04d35e18e8f0bbbaf32a667cd30a3b5c

SHA512
1cd1ea0b0eccc108cc02311e464354361fd5de4384a1ff6d0740cbe11a22c5e1064f314454142813803f442071995fb1cd94a7fa1dfd275e1a51e97f462aa370

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52231ded2817a7dc9876875961b67b55

SHA1
5bdec48b5cdb84c0d1668304aa23949615c2015f

SHA256
a41e472b6be0965184aa0fc6c08f04ede008e8eae38cb930face740ab9da02ad

SHA512
81f974d089848f65f7507a1de036fc23a0d3818f857bc2c1d6fe730b0d7ce67c5e911f5cd992f7db97a0e21c1faa0b4c0f7eab4d30c2cbca358595b8253d2471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\blcJZLipi[1].js

Filesize
33KB

MD5
e2ec36d427fa4a992d76c0ee5e8dfd4d

SHA1
47ec4ace4851c6c3a4fe23ad2c842885f6d973f2

SHA256
36488e81afcbc4d7018b8764c18032b10be21aa45521c9671fde0cc77f70b2d8

SHA512
d1ae29d19f65ce74b9b480c82b87315634ec2e96d199f5feb423918af9ad6e24c8b436e03904d452f71562f04c42acbb250256eed73bcd592a79c08911c74976

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4D97.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4E36.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
4.2MB

MD5
3caf6a9ee20a85f2f6e7305466a6ad26

SHA1
b2fae18ba1b3d2f80acafffd710e92b694db685c

SHA256
957460cd9f4949ee7269555037efcf703df3df71ea5123121fa64572231ca295

SHA512
3333556c3d2276148bd99244ecc2d53fb4cf75c58ea7843e9d6dcd7adfc205d307f4c60d91f67c557abf51cf06c39f9b8df6d12225b8a643f23bff6b1614d3e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\A5UFNHAI.txt

Filesize
107B

MD5
2df28c2a41b6b775b2ddc079c6af3f1c

SHA1
fb9f62a37aaf65cefdfc2d581b629fbf136765c7

SHA256
d02a29172244149f34573165b75c63b71e9f10eb474b9690a35a7b56a19f0462

SHA512
1c7c66cd2ad653da5c4df3719be87897983f2120840ee9f3002b31cdd0981f807f9e4b65d306b5d31cf8544000be1b4d39c210d9ff29d744825e562601f6cec0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C9Y8J8I0.txt

Filesize
123B

MD5
4d3443648b69f5d68fee84a2ea7ed390

SHA1
507370dfc106c9e132259f852f3238e4d9f1bad6

SHA256
c3f2b816c3b89e64768d5ad440a47606649cef530e5936887bdc07c6c48d3afd

SHA512
9a5ae4c01975accf363d8c0cca359f938b5bb5e4254556708ff70e0401220672931de1e1fb1f435afc8a02731b1e20800fdf4929a84d639a5a9e61330e54dff1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UO23T68X.txt

Filesize
107B

MD5
ad54d72cb3a338fcbfba5a9cf9ff05c0

SHA1
5f2d706a631eaa3edeebd4fb7a526ca49550a395

SHA256
0c9e7bbca67b503a069e84f445e84d625ab08c01260cfa9f876b25a0bc219bcc

SHA512
0aaab5553aa7f56f811fc423d76765af4358f94a1b841b63e5910e3f709025d342311c2e96471a25a0dc6a090aa3855d34d2e1f1d8a45a499c4d6533cf012e5a

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
4.2MB

MD5
dbbd9b69fdfd1c491573c356ed09dfaf

SHA1
a43fdf08ff14f43a3fb57dd0aa6dc3b76f8c5f3b

SHA256
4c02b73890f33dee858a3dc3004b7cc6febf9dcb55901ba7fb1c99f345c37a8a

SHA512
b7810b5238047bd43cd278a2c52f01c7af3108efbea4afa05b48bc2cab51ef38cfd953e0bbb7cd9fc491015803b2ebbbefe75b75798e559bdce8fab22307a2d0

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
4.2MB

MD5
6c6efbdb7d68aa7697b854a1a004f238

SHA1
1e6bc7da7f9691725e42d7801f76962a30991bf1

SHA256
38041149bc0d62c7f295eddeb36ce1df16dcd81ea2d89a9b37318942ee0f86c7

SHA512
ae2fa5be2982f4a77b31f70852c5016779d6f72786aca97cdb7da5564faae3e8227510ce3ba0d224ef3794da0944927ed154a58abdf550aab33a9f9af8bddf4b

Download Submit
memory/608-44-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/608-34-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/608-1000-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/608-984-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/608-67-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/608-66-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/608-65-0x0000000004E00000-0x00000000057D0000-memory.dmp

Filesize
9.8MB

Download
memory/608-64-0x0000000004E00000-0x00000000057D0000-memory.dmp

Filesize
9.8MB

Download
memory/608-983-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/608-539-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/608-543-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/608-42-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/608-41-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/608-542-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/608-528-0x0000000004E00000-0x00000000057D0000-memory.dmp

Filesize
9.8MB

Download
memory/608-33-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/608-526-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/608-529-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/608-32-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/608-540-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/1488-3-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1488-28-0x00000000054B0000-0x0000000005E80000-memory.dmp

Filesize
9.8MB

Download
memory/1488-26-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1488-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1488-0-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/1488-23-0x00000000054B0000-0x0000000005E80000-memory.dmp

Filesize
9.8MB

Download
memory/1488-25-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/2280-43-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/2280-536-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/2280-530-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/2280-527-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/2280-31-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/2280-40-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/2280-53-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2280-68-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/2360-72-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download
memory/2848-80-0x0000000000400000-0x0000000000DD0000-memory.dmp

Filesize
9.8MB

Download