badrabbit | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

Resubmissions

04-10-2024 16:33

241004-t2v6lsyere 10

04-10-2024 16:31

241004-t1vhpavaqq 10

04-10-2024 15:28

241004-swkbgs1hnp 10

Analysis

max time kernel
78s
max time network
80s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-10-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000002a9ef-20.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
3696	6745.tmp

Loads dropped DLL 1 IoCs

pid	Process
4220	rundll32.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\6745.tmp	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4568	schtasks.exe
1040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4220	rundll32.exe
4220	rundll32.exe
4220	rundll32.exe
4220	rundll32.exe
3696	6745.tmp
3696	6745.tmp
3696	6745.tmp
3696	6745.tmp
3696	6745.tmp
3696	6745.tmp
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4220	rundll32.exe
Token: SeDebugPrivilege	4220	rundll32.exe
Token: SeTcbPrivilege	4220	rundll32.exe
Token: SeDebugPrivilege	3696	6745.tmp
Token: SeDebugPrivilege	2340	firefox.exe
Token: SeDebugPrivilege	2340	firefox.exe
Token: SeDebugPrivilege	5872	taskmgr.exe
Token: SeSystemProfilePrivilege	5872	taskmgr.exe
Token: SeCreateGlobalPrivilege	5872	taskmgr.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe
5872	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4976	MiniSearchHost.exe
2340	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4220	1860	[email protected]	80
PID 1860 wrote to memory of 4220	1860	[email protected]	80
PID 1860 wrote to memory of 4220	1860	[email protected]	80
PID 4220 wrote to memory of 248	4220	rundll32.exe	81
PID 4220 wrote to memory of 248	4220	rundll32.exe	81
PID 4220 wrote to memory of 248	4220	rundll32.exe	81
PID 248 wrote to memory of 4304	248	cmd.exe	83
PID 248 wrote to memory of 4304	248	cmd.exe	83
PID 248 wrote to memory of 4304	248	cmd.exe	83
PID 4220 wrote to memory of 4252	4220	rundll32.exe	84
PID 4220 wrote to memory of 4252	4220	rundll32.exe	84
PID 4220 wrote to memory of 4252	4220	rundll32.exe	84
PID 4252 wrote to memory of 4568	4252	cmd.exe	86
PID 4252 wrote to memory of 4568	4252	cmd.exe	86
PID 4252 wrote to memory of 4568	4252	cmd.exe	86
PID 4220 wrote to memory of 1968	4220	rundll32.exe	87
PID 4220 wrote to memory of 1968	4220	rundll32.exe	87
PID 4220 wrote to memory of 1968	4220	rundll32.exe	87
PID 4220 wrote to memory of 3696	4220	rundll32.exe	88
PID 4220 wrote to memory of 3696	4220	rundll32.exe	88
PID 1968 wrote to memory of 1040	1968	cmd.exe	91
PID 1968 wrote to memory of 1040	1968	cmd.exe	91
PID 1968 wrote to memory of 1040	1968	cmd.exe	91
PID 2504 wrote to memory of 2340	2504	firefox.exe	97
PID 2504 wrote to memory of 2340	2504	firefox.exe	97
PID 2504 wrote to memory of 2340	2504	firefox.exe	97
PID 2504 wrote to memory of 2340	2504	firefox.exe	97
PID 2504 wrote to memory of 2340	2504	firefox.exe	97
PID 2504 wrote to memory of 2340	2504	firefox.exe	97
PID 2504 wrote to memory of 2340	2504	firefox.exe	97
PID 2504 wrote to memory of 2340	2504	firefox.exe	97
PID 2504 wrote to memory of 2340	2504	firefox.exe	97
PID 2504 wrote to memory of 2340	2504	firefox.exe	97
PID 2504 wrote to memory of 2340	2504	firefox.exe	97
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98
PID 2340 wrote to memory of 4544	2340	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:248
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1890092402 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1890092402 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:50:00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:50:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1040
- - C:\Windows\6745.tmp
    "C:\Windows\6745.tmp" \\.\pipe\{9B0E81CA-9AB9-4545-BA2D-7C012B4DF468}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3696

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7ad3eb3-d4e2-4e92-a586-4fd1db2f7a8e} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" gpu
    3⤵
    PID:4544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2324 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75be79bd-bc63-46cd-a611-6ff02b94e61c} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" socket
    3⤵
    PID:1220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2764 -childID 1 -isForBrowser -prefsHandle 2768 -prefMapHandle 2864 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3c9c4b1-a32b-49a0-9a79-c09ec1fb8a1e} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
    3⤵
    PID:2832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3628 -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 1620 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb31b53a-b285-4a4d-8146-afb77dd11a3e} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
    3⤵
    PID:3220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4856 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4852 -prefMapHandle 4904 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3caeaa41-40bd-4548-aef3-79178a580fbd} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" utility
    3⤵
    - Checks processor information in registry
    PID:3276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 3 -isForBrowser -prefsHandle 5412 -prefMapHandle 4872 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16fdd509-1bbc-47fe-b55b-340a9f9bb426} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
    3⤵
    PID:1360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5576 -prefMapHandle 5580 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e16b1627-78cf-4638-a1e1-e2f8f296afa0} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
    3⤵
    PID:4084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5756 -prefMapHandle 5760 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e3f8996-796e-4e4b-bcee-57f6433a542d} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
    3⤵
    PID:3784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4920

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
bccadce322b868a1720252fc62a7c2c1

SHA1
7d598caaa0698c260149a6485725ba2ac9716de7

SHA256
e582ee296817ff93ee9f9ff1ca58d96b6fc5bd8547a1ad01ec55d403097b93d9

SHA512
a406675cbfaebceecc6a1d3dedf677bf1b3e8ba3dc5598e5c3a64f928a9952bbdde8930e53591fb8fde03aa56b6ec60db81d57edaf1162e44bc191ceb0f1406d

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
41ce6cd728e8893a0387cd1d5aaf201d

SHA1
c6c5257c73d52968b03fa7a332f61f050229999c

SHA256
c6ff6212cd4c01ff44605a8339568c3ed2b9dd85c7956873ee9db592e24b654d

SHA512
73c40effe3fa0c521cdd5347e85ac142666a5a7b982d96c80f4c08c079d2f5a8d58c12644af20f27b8480040eb74b28d0696be16fc9566c02bf2d60d08839c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

Filesize
6KB

MD5
ee21f5448be54ca9c748836206979f60

SHA1
a8064e8a9321d21707bc68b3606817742beb1bc6

SHA256
52c245bec890318f1355b3666587ea26e0191296e4a0e542c2f17220b2f320b0

SHA512
b363322cdc68e335957d84f8bcfd458aa572641dc748dc53779457d34ab26e45294b979f04556648a11dd774a0127c3b91cf627ddcf172edca61a551faeac078

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

Filesize
8KB

MD5
ec4959e6e420a872717b250c9be40870

SHA1
d0c1f71dd7ec302cff344755509baf8849519016

SHA256
623197b6f0ae7777e670135095bed267134a5919e6267c62f29d77faaf167b06

SHA512
303e46d6dbcc86a1503da0b5ba81fcf7ff5e24b3aa135ac185130841302114f7cac770702c443ca5eeac15d04445583dc4b394d079ae74b6ee1ea16ce6d1137b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
dd5eb814768e98d97613ea0dcab067c0

SHA1
d854eb423115702bc185b2e276730753d1f8ccc0

SHA256
2d62e8d1edc4a04d69043a30372c340a39a99d44910daad7b3279281b8083007

SHA512
88fe02d7b26a13382b4dd7a250fd76ce7e8567586706b277156596f2ff204f25318be571f3d7015f7ab5b638e5658160399ad09995428b02b1ce2fde34e0a8af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
6ff7859a3d7b0cc4f00017c7d382dc3a

SHA1
c481322860e79375da25af046a056cf107a9fdeb

SHA256
f7466c4843eb8dae4997f2eae45b7ec6b1f1efb243c7034ac317e1d124f91bcb

SHA512
c49e4267d32a9a54f2b9c77c2998d6f04dddec166905a924f47e4c529d49c155210453fc35d647878cdc653bdb060a6953c6cc3ad64353f3a9d1fff5b374d167

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
a77ace69b7422a23ab9f05e217e40095

SHA1
d9a023b204929b3738b8cb8c17aa7f825caabefc

SHA256
8f4114d01a7e983da3d1dc1e99b4f975082698641080afb2a6f96aefd3d28e3e

SHA512
819286e07c38b486e5a26018ee993ced7d85415e4d655047bf2c3bdf070abe71aa4099629d34abc0365385eb4a48bf512b477eaf1134aad565f17edc949d240b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\6c3b3be9-ae8c-4643-b769-db548a1b493b

Filesize
982B

MD5
587c25173461b290c05ecffbd3968c53

SHA1
3686c66d92ad379201184abeb56faae73345cf92

SHA256
16118fa1fe0897e0453a0e9bc04816a0b03eb1bfa0bf7106431f718a19807541

SHA512
e87ed9429fa6304084d79883873795d9a349481271c0f8fff07ccd9745ea842bcd44ad287ad4adb0a2978886a84607d086df4c97328e8f3b19e0c2cd5cc2ff1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\8152c103-ddda-4e2e-b63c-569062757784

Filesize
671B

MD5
9c4a57032d77b04136e5b61940174e85

SHA1
f1818c593cc84d03fe2a934529d05ca2d99819ca

SHA256
4cbcb4ba5a5b96d60b6b1c10cd26af96620e66e878d205ca5245553c595f45c0

SHA512
a23ba48974bb14b4f18b5b65d7452aa40b1e5b4bed7b00506474c5d433db447f228eebd06020a5e7fb6ed6b319c596c1f4ad0bc20ad47547f5f8a6d30c661bf5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\ff01763c-6d59-4b34-910b-14e9f274e436

Filesize
25KB

MD5
92c553d5e72019958b542e2e6e7dee6a

SHA1
6155307f75383270a2f9c3487c7c576ab22c6b4b

SHA256
1b7d886e0ed63d1fcffe35476b52a536b33d3f658d4f197a7f70862de9b60340

SHA512
7e5600389da6441aa9a5e516e27d893fe66dc87cce2b94c29a7ad3e73fa8632ca97c605093e8236a6b34b2d8ef007ef29f6da8c760301ecd26494b1eb96684f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

Filesize
11KB

MD5
3864e6b7db0505539c5946a09fb299be

SHA1
877c05073e07d8fe158867c342838eea59e7a50f

SHA256
5b382024d813c8e3942b2e8e5a424e93f9d5c1d6ac0a7c1a967a524951dd572f

SHA512
e7883f661d9844a286fd122f8a9d2545677d13046c704fb7216cc9275b9885692709e2394e820ad205bc0c7d436563db92791a55b1b600a28b102a4dbacedf43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

Filesize
12KB

MD5
7ede21d04f6d1c1495de1a705f837543

SHA1
a55b4cc772bfdf4adbb84d45babbdbbadd36b629

SHA256
f28549c6bbc877b706e1405956fe6e64c5168b40df5da4646e212e0a0e8fb8be

SHA512
1e2db490fd230ea185b8549ee8b594aab7de24ecff272207a4bf412c86530d111cfe7d4dfeddb09d335148de492d2d43765e1a5080549698b8d449ff1ed9422e

Download Submit
C:\Windows\6745.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/4220-4-0x0000000001480000-0x00000000014E8000-memory.dmp

Filesize
416KB

Download
memory/4220-11-0x0000000001480000-0x00000000014E8000-memory.dmp

Filesize
416KB

Download
memory/4220-14-0x0000000001480000-0x00000000014E8000-memory.dmp

Filesize
416KB

Download
memory/5872-454-0x0000024C91BE0000-0x0000024C91BE1000-memory.dmp

Filesize
4KB

Download
memory/5872-455-0x0000024C91BE0000-0x0000024C91BE1000-memory.dmp

Filesize
4KB

Download
memory/5872-456-0x0000024C91BE0000-0x0000024C91BE1000-memory.dmp

Filesize
4KB

Download
memory/5872-465-0x0000024C91BE0000-0x0000024C91BE1000-memory.dmp

Filesize
4KB

Download
memory/5872-466-0x0000024C91BE0000-0x0000024C91BE1000-memory.dmp

Filesize
4KB

Download
memory/5872-464-0x0000024C91BE0000-0x0000024C91BE1000-memory.dmp

Filesize
4KB

Download
memory/5872-463-0x0000024C91BE0000-0x0000024C91BE1000-memory.dmp

Filesize
4KB

Download
memory/5872-462-0x0000024C91BE0000-0x0000024C91BE1000-memory.dmp

Filesize
4KB

Download
memory/5872-461-0x0000024C91BE0000-0x0000024C91BE1000-memory.dmp

Filesize
4KB

Download
memory/5872-460-0x0000024C91BE0000-0x0000024C91BE1000-memory.dmp

Filesize
4KB

Download