Overview
Tasks (name, platform, score):
- overview: score 10
- static: score 3
- 2016-08-26...e2.exe (windows7-x64): score 10
- 2016-08-30...e2.exe (windows7-x64): score 10
- 2016-09-14...re.exe (windows7-x64): score 10
- 2016-09-16...e2.exe (windows7-x64): score 10
- 2016-09-19...e2.exe (windows7-x64): score 10
- 2016-09-21...om.exe (windows7-x64): score 10
- 2016-09-27...er.exe (windows7-x64): score 7
- 2016-09-28...om.exe (windows7-x64): score 10
- 2016-09-28...om.exe (windows7-x64): score 10
- 2016-09-29...e2.exe (windows7-x64): score 10
- 2016-09-29...e2.exe (windows7-x64): score 10
- 2016-10-04...er.exe (windows7-x64): score 7
- 2016-10-05...e2.exe (windows7-x64): score 10
- 2016-10-06...e2.exe (windows7-x64): score 10
- 2016-10-12...er.exe (windows7-x64): score 7
- 2016-10-14...er.exe (windows7-x64): score 7
- 2016-10-18...e2.exe (windows7-x64): score 10
- 2016-10-23...er.exe (windows7-x64): score 7
- 2016-10-28...e2.exe (windows7-x64): score 10
- 2016-11-07...e2.exe (windows7-x64): score 10
- 2016-11-08...e2.exe (windows7-x64): score 10
- 2016-11-09...e2.exe (windows7-x64): score 10
- 2016-11-15...e2.exe (windows7-x64): score 10
- 2016-11-16...e2.exe (windows7-x64): score 10
- 2016-11-21...e2.exe (windows7-x64): score 10
- 2017-03-15...si.exe (windows7-x64): score 10
- 2017-04-07...re.exe (windows7-x64): score 10
- 2017-04-07...re.exe (windows7-x64): score 10
- 2017-04-07...re.exe (windows7-x64): score 10
- 2018-01-28...re.exe (windows7-x64): score 10
Analysis
- max time kernel: 1562s
- max time network: 1563s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11-11-2024 07:17
Static task: static1
Behavioral tasks (task: sample, resource):
- behavioral1: 2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe, win7-20240903-en
- behavioral2: 2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe, win7-20240903-en
- behavioral3: 2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe, win7-20241010-en
- behavioral4: 2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe, win7-20240903-en
- behavioral5: 2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe, win7-20241010-en
- behavioral6: 2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe, win7-20241023-en
- behavioral7: 2016-09-27-Afraidgate-Rig-EK-payload-Locky-downloader.exe, win7-20240903-en
- behavioral8: 2016-09-28-EITest-Rig-EK-payload-CryptFile2-after-beyondrpoxy.com.exe, win7-20240903-en
- behavioral9: 2016-09-28-EITest-Rig-EK-payload-CryptFile2-after-orfab.com.exe, win7-20240903-en
- behavioral10: 2016-09-29-EITest-Rig-EK-payload-1st-run-CryptFile2.exe, win7-20240903-en
- behavioral11: 2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe, win7-20240729-en
- behavioral12: 2016-10-04-Afraidgate-Rig-EK-payload-Locky-downloader.exe, win7-20240903-en
- behavioral13: 2016-10-05-EITest-Rig-EK-payload-CryptFile2.exe, win7-20240708-en
- behavioral14: 2016-10-06-EITest-Rig-EK-payload-second-run-CryptFile2.exe, win7-20240903-en
- behavioral15: 2016-10-12-Afraidgate-Rig-EK-payload-locky-downloader.exe, win7-20241010-en
- behavioral16: 2016-10-14-Afraidgate-Rig-EK-payload-Locky-downloader.exe, win7-20240903-en
- behavioral17: 2016-10-18-EITest-Rig-EK-payload-CryptFile2.exe, win7-20240903-en
- behavioral18: 2016-10-23-Afraidgate-Rig-EK-payload-Locky-downloader.exe, win7-20240903-en
- behavioral19: 2016-10-28-EITest-Rig-EK-payload-first-run-CryptFile2.exe, win7-20240903-en
- behavioral20: 2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe, win7-20240903-en
- behavioral21: 2016-11-08-3rd-run-EITest-Rig-EK-payload-CryptFile2.exe, win7-20241010-en
- behavioral22: 2016-11-09-1st-run-EITest-Rig-EK-payload-CryptFile2.exe, win7-20241023-en
- behavioral23: 2016-11-15-2nd-run-Rig-standard-payload-CryptFile2.exe, win7-20240903-en
- behavioral24: 2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe, win7-20240903-en
- behavioral25: 2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe, win7-20240729-en
- behavioral26: 2017-03-15-EITest-Rig-EK-payload-Revenge-ransomware-5uhcwesi.exe, win7-20240708-en
- behavioral27: 2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe, win7-20240903-en
- behavioral28: 2017-04-07-2nd-run-EITest-HoeflerText-payload-Spora-ransomware.exe, win7-20241010-en
- behavioral29: 2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe, win7-20240903-en
- behavioral30: 2018-01-28-Seamless-campaign-Rig-EK-payload-GandCrab-ransomware.exe, win7-20241023-en
General
- Target: 2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe
- Size: 77KB
- MD5: 1b96a20d2b8a062f538eb40aef3e8ec8
- SHA1: 3ba495326b2a6e59e91814a8f5e713a5fa327ee7
- SHA256: 1809aa1e4d1ed14722417ee284cea229fac1c09b8c14434f7e1b2ea8547c5aeb
- SHA512: 81560a82fc2a0df21274adfcd126193b939f3323e29498b109a698f1a3626e860cc323e36385ab3db43b8760d822acfe098e1dde62cbfc71def26e5e1379bb71
- SSDEEP: 1536:5JJIPV0EfELXWcEJXYMxJ06pifrpE/Aw1w:53IZhVphpif611w
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
- cmd.exe (PID 2660, procid_target 34), parent PID 2000: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\US170-0CXOT-OTHTX-HTOHT-RYYYY.html (process: 2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WMIC.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: IEXPLORE.EXE)

Interacts with shadow copies (3 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
- PID 1784 vssadmin.exe
Modifies Internet Explorer settings
All keys below are relative to \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer (operation, key or value, process):
- Key created: DomainSuggestion (iexplore.exe)
- Key created: Toolbar (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Key created: Main (IEXPLORE.EXE)
- Key created: Main\WindowsSearch (IEXPLORE.EXE)
- Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000cd2e7c2e80fa8aaa45dd497d6f690672d93caeb4b958ca205713d6dec3d9b016000000000e80000000020000200000006bd38586da477d2bbca52724d7a973e0dca891e1802eb051aa594a01092e3d69200000008d6626127ad1e2129bf1a3cef5f61f9156dae7ed4ea7e2edf6ca4c6a8dd4eb40400000004f4659344dc868db5a723ce6b57366c601e76f0bf8fa3711d8bb1faca9a185f6f4bbed01284faba6a637b7facb6f4d74f27c2cd8a83da2323edf090be77f9e53 (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\MFV = (value missing from the page) (iexplore.exe)
- Key created: IntelliForms (iexplore.exe)
- Key created: InternetRegistry (iexplore.exe)
- Key created: LowRegistry (iexplore.exe)
- Key created: LowRegistry\DOMStorage (iexplore.exe)
- Key created: Toolbar\WebBrowser (iexplore.exe)
- Key created: Zoom (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
- Set value (int): DomainSuggestion\NextUpdateDate = "437471328" (iexplore.exe)
- Key created: PageSetup (iexplore.exe)
- Set value (int): Recovery\AdminActive\{09ED3EA1-9FFD-11EF-8BB8-FA59FB4FA467} = "0" (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created: TabbedBrowsing\NewTabPage (iexplore.exe)
- Key created: Main (iexplore.exe)
- Key created: Main\WindowsSearch (iexplore.exe)
- Key created: SearchScopes (iexplore.exe)
- Set value (int): SearchScopes\DownloadRetries = "2" (iexplore.exe)
- Key created: TabbedBrowsing (iexplore.exe)
- Set value (int): TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\LastProcessed = 501867de0934db01 (iexplore.exe)
- Key created: BrowserEmulation\LowMic (iexplore.exe)
- Key created: GPU (iexplore.exe)
- Set value (str): Main\FullScreen = "no" (iexplore.exe)
- Key created: Recovery\PendingRecovery (iexplore.exe)
- Key created: IETld\LowMic (iexplore.exe)
- Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Key created: Recovery\AdminActive (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
Suspicious use of AdjustPrivilegeToken (43 IoCs)
- PID 3068 WMIC.exe, the following 20-token sequence recorded twice (40 entries): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- PID 1508 vssvc.exe (3 entries): Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege

Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2188 iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 2188 iexplore.exe (2 entries)
- PID 1408 IEXPLORE.EXE (4 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 2352 (2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe) wrote to memory of 3068, procid_target 30 (4 entries)
- PID 2352 (2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe) wrote to memory of 2188, procid_target 32 (4 entries)
- PID 2188 (iexplore.exe) wrote to memory of 1408, procid_target 33 (4 entries)
- PID 2660 (cmd.exe) wrote to memory of 1784, procid_target 37 (3 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe (PID 2352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe"
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\WMIC.exe (PID 3068)
    Command line: "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /quiet /all"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 2188)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\US170-0CXOT-OTHTX-HTOHT-RYYYY.html
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1408)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:275457 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\cmd.exe (PID 2660)
  Command line: cmd.exe /c vssadmin.exe delete shadows /quiet /all
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe (PID 1784)
    Command line: vssadmin.exe delete shadows /quiet /all
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (PID 1508)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads