962cf5558dbab7dde0fa0341f069304ed235e4da6dcec72596184597a4ecbdfe

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USBSafelyRemove.exe
Size

684KB
MD5

0eeced8dcb881cb6cf0175b4721dcdf0
SHA1

a3087cc0cfbca651e588d67bd014013a44f1167e
SHA256

96eca2d9c3ca5a65662bb5a1b49288b9ee60d98320ee9cd7ef3150f2ba78eb12
SHA512

513e2a423dcc877a9e29ec081c12e3afb1da18d269dc4c7f19e4086f57ed07c1b2854e2cc3a8a773dac7ff96aee9613c56f9b1278221d8ff244c8ce2f26da857
SSDEEP

12288:5SaoXeTSAuGVBx2QHGYkTDqvuj+7T4qN2fkkJPNXkJMa+Op5Tx6IHTf9wpCF5:5S9OTSAu+2QHGlTDSujep7o1USsTT9

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\USB Safely Remove = "C:\\Users\\Admin\\AppData\\Local\\Temp\\USBSafelyRemove.exe /startup"	USBSafelyRemove.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	USBSafelyRemove.exe
File opened (read-only)	\??\B:	USBSafelyRemove.exe
File opened (read-only)	\??\I:	USBSafelyRemove.exe
File opened (read-only)	\??\L:	USBSafelyRemove.exe
File opened (read-only)	\??\M:	USBSafelyRemove.exe
File opened (read-only)	\??\D:	USBSafelyRemove.exe
File opened (read-only)	\??\S:	USBSafelyRemove.exe
File opened (read-only)	\??\A:	USBSafelyRemove.exe
File opened (read-only)	\??\F:	USBSafelyRemove.exe
File opened (read-only)	\??\K:	USBSafelyRemove.exe
File opened (read-only)	\??\P:	USBSafelyRemove.exe
File opened (read-only)	\??\Q:	USBSafelyRemove.exe
File opened (read-only)	\??\U:	USBSafelyRemove.exe
File opened (read-only)	\??\V:	USBSafelyRemove.exe
File opened (read-only)	\??\X:	USBSafelyRemove.exe
File opened (read-only)	\??\O:	USBSafelyRemove.exe
File opened (read-only)	\??\G:	USBSafelyRemove.exe
File opened (read-only)	\??\N:	USBSafelyRemove.exe
File opened (read-only)	\??\T:	USBSafelyRemove.exe
File opened (read-only)	\??\Z:	USBSafelyRemove.exe
File opened (read-only)	\??\E:	USBSafelyRemove.exe
File opened (read-only)	\??\H:	USBSafelyRemove.exe
File opened (read-only)	\??\J:	USBSafelyRemove.exe
File opened (read-only)	\??\W:	USBSafelyRemove.exe
File opened (read-only)	\??\Y:	USBSafelyRemove.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USBSafelyRemove.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000041863980ecb17676843456e6005bde5cab2b9a7bb7fd9482a13369c635fec608000000000e800000000200002000000032662a0552feb138e8a0e23b1ac246516de60a908297fdb4973c12143a77cd7420000000220c321488dafd2ad8a2ebb26d9312388ce3be42843ec6e92c75f18d58e962f64000000078b553409ca2349f03f861a807214808f6a4d8b2e5f23b32141cb798e1cbaf4f12669c3f8b3e2396d24e87f0e6b4170481976bf85ceca0c390a37fafb44cf6d7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000d58d096f3e1d82e678941c7e50e6cd9106582c89ef58233999c46478df50af0e000000000e80000000020000200000005cc170741ab9d2f2b33505bed28585c62750e95dd71ba3d60aff35bdba7ad27690000000cffd9d5180c7a9005925e625ebe75ff4b1b1f09dcf69838c4ef2fe023ecc55825122b784c60eba7172a12b82a6be2f6b4b3bce0631e19ff1ea79189d23b6245c840da273f072603964170b4cf7ad8740db9248e40fa279748c3edac2d142460e59efcff895486e9ef8f4bbef8fe60189793ebe0e2c07533df38e2e1b794249bb1ccbfe35c873bc415806cc771db515f74000000081d3aca6e89e8cc62e027dd52ec3543bac6e1b369c6bb0591e4515eaf6c9710dc4dd1cd016ac372078cf1c55e5df777849aad69873bcc00e25efa142b0053c22	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C30685F1-7266-11EF-9A8E-4A174794FC88} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432458983"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0033d997306db01	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	USBSafelyRemove.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2932	USBSafelyRemove.exe
2932	USBSafelyRemove.exe
2932	USBSafelyRemove.exe
2932	USBSafelyRemove.exe
2932	USBSafelyRemove.exe
2932	USBSafelyRemove.exe
2932	USBSafelyRemove.exe
2228	iexplore.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2932	USBSafelyRemove.exe
2932	USBSafelyRemove.exe
2932	USBSafelyRemove.exe
2932	USBSafelyRemove.exe
2932	USBSafelyRemove.exe
2932	USBSafelyRemove.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2228	iexplore.exe
2228	iexplore.exe
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2228	2932	USBSafelyRemove.exe	30
PID 2932 wrote to memory of 2228	2932	USBSafelyRemove.exe	30
PID 2932 wrote to memory of 2228	2932	USBSafelyRemove.exe	30
PID 2932 wrote to memory of 2228	2932	USBSafelyRemove.exe	30
PID 2228 wrote to memory of 2852	2228	iexplore.exe	31
PID 2228 wrote to memory of 2852	2228	iexplore.exe	31
PID 2228 wrote to memory of 2852	2228	iexplore.exe	31
PID 2228 wrote to memory of 2852	2228	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\USBSafelyRemove.exe
"C:\Users\Admin\AppData\Local\Temp\USBSafelyRemove.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://blog.crystalrich.com/usb-safely-remove-7-0-released/?program
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2228 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd0cec508ed902685bb345da5369e92a

SHA1
697151375fd385c889ce6b38fc4086c6b2a289ed

SHA256
43289774628110ed2b1c32e7e9be369d3cbfe3ed923d1dde7c854c9bc9c25e91

SHA512
0a336e71ff84e7526510fe0ce1bb23997fb43301f915eaa035f0ffa611503059e691450869740fea12a052c4221d9e16f7a2a17e24c8c389e08005b613d5beae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27f61265c0d4289b9e958199fe28cfe7

SHA1
26d9a32cee0df146d16be4b12a220e10f70d8904

SHA256
c874067f0dc350dc02550805b107d6c2748fa1207d61c4db2f721a13f664dadb

SHA512
9ee4ad7240fc0058383f5ce45f43f1dfee9d2a7217a7f758e1398f45b6805e31c32531f64d6f6b1964dc002d02db07219317d203c33d7546925a84927fbea334

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41c2621fd8618246cc24ec871f62fc60

SHA1
5116940f37e26b5d38ebcebcf2da68e1ebe21374

SHA256
b738f9662061674f25f2b2222eeb972c4e35198e2d859a284fe00386150bf6bc

SHA512
a08ed892a2c542ca834bbe99ba497048003b0e25322aee6e2de1ba5b6263876fa5db5bef295efd9e5cf947d088622252ea3f8006d90350ed4af88347f39f8251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e27e16fd7bf0d9d4e4c541347e45c0f8

SHA1
1725572277a375a7b7f343a70bbcaae3292657ea

SHA256
875d224b82467147b644b726723ff0dc0cf0939e02b05b84827fdcab89e6a1ad

SHA512
5b8f12ca021bae414cd2cb2a6e41c21b8921c16dc97adf75a15c8f4be77aa4a6f967ed964ce5605ea6a7e242c48a42132e2b84c67f00c523ba7910d10e33b2ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
621a68d27ff541be53c0e9a4e5424194

SHA1
d739c48708e084110b6fbbd53695e9a2bb9f974b

SHA256
950df0b4afa18bdfd638d03e945e4fe04efcd556b1a7fa1ea17dece461180403

SHA512
3ed0360a66bd3224897e2c0db69fe7c30aedcc5b41c9815379c4c03604de11cb292e415816c6b5270926eb5403403d0d1f45edb4b4d157d9dcca9c53a9111176

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b68cac4b02f20f1f3dac679639129b05

SHA1
c2845877f76456fad9554c14cb65a6638f901a8a

SHA256
bc1c9c62b86ee2f0a0328944abd55af63d16e731050f315ef21d66d02a6f9ede

SHA512
1fb5aebb95c4063a7756d40aaf6cb7a8eb1faca6274f59984a06e44855d0a28b518ebf3f11f8198c71e12fe199f9f0019886920e4724efc422a7d5249e1d2667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3fdc76a1b3d9adc5987ba8fe149ba41

SHA1
c2b61df11141ce78f03497fabbd14c20bbc0be95

SHA256
f909eef11b4d972b0177190bf017e3c12b69e776a5e2d45cfaf3609bc52d900e

SHA512
1a32b4fb8b0a23e61ad076e2f4dc732b13a8dd42f75c90ffb90723d33b9f0b7e2d58689e3398923da670abe233f7abbf5d4ff1ba9e2baeedb9a4e930d7ca3e02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
894926400e004fc86c3dbf93ac911cff

SHA1
a7cd97a6f92672a550b6c9614d689a39e7914d3f

SHA256
195b8f2b7687d6d91967ba262817c6728c5759c9e37e1f8dc5be81b5951d81a9

SHA512
056d3a81589859244abcdca9b17000649edd4991e036754374a4e7da48987fee716b1a724628728263306d08d689cd1dd45f299f94e55c9fcb63b6c7817cf4c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b93bdefede3adec96c30e7ed65c3dcb5

SHA1
46e5a07df1b174e9b2b27b352c7b2c9f26ce5cad

SHA256
d98659aa8148293b496a4be5cae1d0f93c8f48cd96e6d33adcb8d43a8358e593

SHA512
98c713fcacbf233cf3864d76c3b811e0de01c9a691042c9a489e642563b39ded1b5e5a085a95f7ada029d87bda877b4ffa59902512fe310b2b416c08fd705adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c88976aa6dc462ca09a09e4361c0b2ad

SHA1
ef50a0a27346ed711f4d1cac116e21721de32a18

SHA256
aee14414b87277b518cc166b8dce08c1b6b8c660e476cb80d8fcf90e25b64fec

SHA512
db94c5f66d4cb591fb635a7518aa48710439a3d93ac0d06ff860cf934e615b788942f08a0717444fa5fb41a1db4a8b485feed9064c9154510814857073a7d1b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1fa9e15c7135e85c4334d728ae3a811

SHA1
97c9170af670288b0202987fa976ca423099ae60

SHA256
be3d98bf7b508d0433e9a3d2ac3b80795a99465a9b8d14282d86df05800b961b

SHA512
901befc512dd56c0a3829a1660cd27148bb6aef29a05e6df4a1bf48286f9820867010c028a5b0c881d43ac286930ad2f6dfe49dd138ed16e8c0a3f3524f6244c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
696b602627bb4f599a3f462a3748b478

SHA1
6ddb4e4a12bc62390bd2ec47419b493d34ee9e17

SHA256
0236166b58ac2d703ffac9bf6405ba44a1ce89155668f17387b81d8c7fa2620e

SHA512
8d2dd2ce4e42082d3cc9bdbd8bf1d708e085ed599e53dae30b18b179da22ff15d12b412bd3c81c10956854ed633c0d33aa37d90f28102c3e174637530a91265c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c65b3099e95df9c50f789af7b0a03a3c

SHA1
6fec70e8571eafca6eb6c6a58005b80a36565c52

SHA256
926502251a2bbe9e087dc76cfb1a93d549d00c38fe9ac7d4b6e08b33acc3f89b

SHA512
f298c53e87a5175f1fa6f40caaf1e345a30cd9810d0aa8b713a953c68400bb85d15a81f55f8b965ac49420e8b6102685f7152a21a5e34b08699a89f13879c95c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9ad1fe293a4cbb935b3c454f35b7d43

SHA1
b4b2723c1e74f198e94a36d637d358f3c54a8aa4

SHA256
2c745a739b84382441a2fc81fbc576a50696fdbf0dd49595a76248a47796a9de

SHA512
d1557344893fde62e3988d1346a943ec5220bdbec38caf1c04fc356d45299fe84be22079ce82498e7e42998aaab96a74477ad413a905ca812f04b7bcbbc438cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e43243bc47e95f2d0c6970becffcf81

SHA1
3d580c0a9b7590a88847ac59fb712301088944c9

SHA256
d5b38ba0c8412ca58303a7bb42228208a21cdcc04714a441d8af75a684ae5679

SHA512
fb3cbd76c845d4488c8806737371dcbe45d6ce7351ca5b2f0ca25c8282d81cf72d5b62d839d6135072fc7a98f991ecd17c7c87e3aee876e3ab95ecb8a505700a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37c532826d2dea89c05eb620b242af39

SHA1
78b7af8ae18e63a37c9f86d0fe21282fcc094feb

SHA256
d2de8ebb724f933bbbbee701592895c116a68e4885ea93dae451b243d655a0fe

SHA512
f69cfc2bd2bd4d337aba72901b194573ca55b5c07ba9f929f3387bdec86de2b4d4a1f10d45e7bb49fc98342bf3f44e9351e295d829567761efbd1bd18470b3d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d333c9ad51397cbff14f5ab16ef0d1c

SHA1
528d3b578240ae6f4c3f58bf69106ed39c195d41

SHA256
5c7dd34deb1838980759f65f55427e18263ca6c80bb77c1b13c1cb0fea397214

SHA512
148e87f5fa110a493f86d3bc6458d9cd73489ee9496f62bb15db4801586f10c4971edab74d3bde2dff5fe7f227399e63eec991ba389da94e5f25d6885a00d2db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87ffd49c742a1e7b707ed6045eb4e95f

SHA1
735817cc853a2f5e4d9ea32423c6f8a22fbe6d06

SHA256
adecb95fa93876bdde7a114dc1d1ad1f813663f4f8e275ea5786d6eb38d3d694

SHA512
9e6c0f8420840a2ffe9c71d3642e903a424ce6cf3636b1a16ec810edab0c528f9aa4e68e672aa8852517351697f7bd4bd44e79a651275b9e740abf2621e7c8fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9671c7e16c30850d473f88fd0ffabfb6

SHA1
0c6d9fed1c93c71756753b165489bd8abf194504

SHA256
f5a48914cf42c6265ba8177d4e5c3b48d5eb944c2230978f191e248df76eb291

SHA512
82fe8009c2dfaa533420544b48d1cb7820849ccf43aa7b214e53a14b1a50e288e1376db58b9acdce192c6e7245f06b9ecfe409094ca44468b29900f9848820d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e716698d55d48cc302e23bf77128646d

SHA1
9b7c318600ceb633aeed2c9256a8e6cf3738323e

SHA256
d22b63ce5b0db651ea5b57e21cc1e26a6e5065c5ea896710619f4aa9bebb27e9

SHA512
70ce3c598d3671427296f57ce9d1d12c4d9fbd1c130b9a583e0bd8177badb57ed4a760cc583a93a4d2db9055095e6cd46980d446894049b0d1ffc4039be0a839

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e62ed29c4f6d4a8d2652c72e6223cda

SHA1
87c71aa4f53967f2f299fcb6b8e8d1dea5cdf9c6

SHA256
2e970c7fa06ec3a220b5d93a3d26b008994f9ff61310a440459bb00308250393

SHA512
c19bb567673fced65acffc9b92e3ea925adbb03cc65efc6c54947b751707fdde33c44ffef613097fa52e04248853e1297fa6356d12f59540860a1492575c5826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c28604196ce8b120a11b8b932ed01e93

SHA1
dd25acf09f054119b0ff5959d835a7028800c50e

SHA256
ea8663281c65f6e17f36e4160a191cdd6065097aaed79aefab1824a1c3eaf10a

SHA512
bf0457e7a6ef37a452326738066787f4d788c1c6f3d73b57e3316ebc4d299781f67dd219014af77a8846acf6862054f49fb46a707193f787b180568eb104783f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19c2df8205f6ed858b8415c55b5fc081

SHA1
c1c1f3668379c97cc8cf01e0cbf1ff746e99ae51

SHA256
3f760cd82725c41644ff7d360bd58a07b81b331b130dd0b7e8759ad0a8fd2cf8

SHA512
fffcd5a6d96bfac0c63c78e25accfe8a0c85e2788d3f0f0b600fc17791acad76c472f7d61c10626d522f9aae03ad47193062089643295150efce7e953ec52106

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
392623a2cc7f10faa323ba4bf5203ce6

SHA1
2564347cd5377185fbe5d85d308491a62f5040e8

SHA256
a039566d978b149954e21f1a2153153553dc1985f60e01f90fe15c5b98f92a59

SHA512
4921230a3cd99992bd890a9558faf8f2f43d50133efb1b3ea7cd7c5725137fd02e0ba6eb5fa153d118965c0e167b929a825557cd2b3bf80e40c373d7731bfdaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f02eaf0a95c0ba3bd7a23a9fc9e338df

SHA1
573b396d7f6b8fb79307c5fcd1ebfb198de40f66

SHA256
f7bc7912e13cd219d22bc81c5dea1657335b336f5e453ce2185910f0bcb0befd

SHA512
e7487a44759ee559606e62a865076c46f36cc1badf46785f5919082db27b66f87cce91c3120887e57ba9eac83dc967a80dd0ee656f07ab285bf33cd574557ecd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13d6eeb6cc95c7913845a0acbd49f1f8

SHA1
c8a5eecf3184840c2872227822da2e157d485dab

SHA256
fbdf2b9b846d8e08ed2a8f5c735a08ea0bf59c9353a2a453c36bc6c6010910eb

SHA512
dd95f1e4601b9a3e6b5348131da1bdf154bb54bb06638c77265de41537498b42e3d4e9645ad71b1d098a376728833691fba6057c6ffbf81a592b383c89a40cac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18f9b5f97779190e782b61b60b768ee5

SHA1
5121e7df86f042c4d14638d23d9ec33c833869ea

SHA256
44482774b2b492e0f213acfa207ca7ee57ad9349cffbf5ca009a18835507a891

SHA512
73e7d74dda1e262c67863a5da31a58b37fb9947fff3584d2a08af6cf566fec74409acafa8daa89cddae30a75c6f225bb91a442419376b124447824ce8738a41e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
201ddd58c298cb08f48f54de221464ac

SHA1
5221820b4eb6125a3ca365039f53a10dc5c7c58a

SHA256
3234b6d4af814b7b4f006dac3ed4a477d58445b220fdcb9be24ce02565d03520

SHA512
f442e4427ece85280b8c0d9b1530b9690f9f19df728730c37f9bf325c2bfbb1fe0d8b5be0116da0ab019666e2f1853dd21056af2b026468727acaee632368dbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4346f338285e1282e47bd9950780777

SHA1
4365383e8d2309ecbf7c9cf6c804d7445d24b296

SHA256
86fdb7d25413a65c895ad1c876fd0ff4410098a3f06edff6250026c59cfb45e1

SHA512
7000e7312d35083b6edb8611c560f3bcb098ceeaa51ca040e4a3a86b97d1dbeeb1e58f845ac054eff0bc21ba7a2da9db271ffa9e72e336e87f0b474286cecd81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff8139a8cfc9648ef91d248a5b750d06

SHA1
6818753c971b64185e2bf763d211987a28b73a76

SHA256
ddb895db570143173766a4ff614bc5b5fb2a0cb7baaaf2f5ad7353b9c08acbfa

SHA512
6a85a5155c4d3c1d1bab1b1eb096a27e51bb1477982fbadbe03e82920d5c7063aeca8028243ab503da8420db840c5263c026f1e46c3b00bc8757f9c431fe38cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d64f43fe616a5bb02dca47d171f4652b

SHA1
decf33f23d09ad287242a9dedfe8edbff1433a9a

SHA256
431bc472092ccf2a46a6aa32fb453cb6a917fbf8988c945b0f00a9deccc6fa54

SHA512
c78cf5027c227f4b9a1fe879a840a49c082591a5c3b4d60edc6f4cb3a204fe21619b1c48fcdc3325dfc78de8529ec8a0ddbf04a925a47151c27b99122f55986b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8628841909c888e46dcbddd1ae7275f2

SHA1
bc3b9eea5e0f81d88da99b99ebeb7409d32f86c9

SHA256
e661f15c274eeb1ff0407f78ce3c7094e72e07578d105c10a9065bcadcea8362

SHA512
28c55face5225c464b46f929e3acc9459872c4a2ef22d0b5a822da9466700f7d81551d24a190ca7e95b8a9495ad97ccbd7a65a55261de2ad1b1fb15db46e5d1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67327429c8726019c88b86bb26cc2cdb

SHA1
516da11867b8af902ccf3e38e0485a0d42da2e8c

SHA256
52bd02e793d2f874841971f0380ee772b156783ed7d9536414a409d8c63d3f77

SHA512
0ee90b14c92ac98baa985a5119fef37ad233c4ac16c733263b2cf89706949ca99d2eec3ec8789bcfa5ae73e33cdc280c31e3338d1de1410791ccad5de93adb95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9f76f34eb4458ac28b76b6bcec45cb4

SHA1
2b50b89892f6146bb42edd0d55b8836a47c6d099

SHA256
74b4de5da3740e47163d20f82f083a1f952c1b73b6705e0aa4f33c13122ae3b2

SHA512
9f2bc92fd3144ffcff72be2e31be9ecff29f0e863495156a9d38a1c32fd2f4c4321602272cbbdfb015dec564e6cef49a0e8745aff9d8cbe2d9f0a3b37cf85951

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2edfb0dfcf29eb56bdfc02cc27f94203

SHA1
cfb5f0a796e236e9535643e1809bb7d7619fa69a

SHA256
673c2fd4484d119249163c54e2632ec6c31340bbeb4e593aadd2294a6801d22c

SHA512
26bf8e0185a4620de2451988f5e47b994dbf513ea1fd23b9b83168d7a21ac4b17788da95413e356369c59de1fc0a359d93043b295f87aaa26ce56d645362fe33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
a73756824829619d5b3d45bb58f20953

SHA1
8eb847a4d9699c3c875fb77e6044881067180d29

SHA256
280e131a60702db1cbdaf857ee041904c42ba818d04198095cab6b5ae4132cc5

SHA512
c4b6508d2710d4c569ab60fe5b31382707f24dd72361a8d67938ddb53965ab5687b0d587960a56d80a330c6101cd0aa424c86295dcc41522d6c86bbabf3ef69c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\yiu0yt6\imagestore.dat

Filesize
1KB

MD5
81ff8643aa75ba1b5f28bf7a24c3e51c

SHA1
fddf89d9d40a61d8852205e9f4112e202ba9c02f

SHA256
2061ff28e3e476c4d6b047d91474fb5ace2513614aacb3ba3c275cef243b1b1c

SHA512
fc993ef734f0cc1918c59bf970be67eb394ebfa9310f12f9c2289ad2b626227fabbd9703117ca789ed40ac92c07f45aa68f541099a625b48b2314a039613a78b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\favicon[1].ico

Filesize
1KB

MD5
d0c42bccbb2c782cd0aea9e87a3edf21

SHA1
68ba03642822fac8c816724158bb07a4c958ee92

SHA256
9860c2037aaf2971f6e6a8568ca8a0240fed2950bf761f8a7436fdda837a8454

SHA512
1fdd29928e9e5cd497cd5bd103309c9e6d0de86847422959ff79d3cdd0e47b4d0c61abc78d6a88a07ae67c56eac7d551ed194e4875611397d447f7254265338b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB0F9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB0FC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2932-867-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2932-0-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2932-1297-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download
memory/2932-866-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download
memory/2932-5-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download
memory/2932-6-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2932-7-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads