hxxps://attack-on-titane[.]com/

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://attack-on-titane.com/

Score

8^/10

discovery execution motw persistence phishing spyware stealer

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Attack-On-Titan-Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Attack-On-Titan-Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Attack-On-Titan-Setup.exe

Executes dropped EXE 4 IoCs

pid	Process
880	Attack-On-Titan-Setup.exe
4496	Attack-On-Titan-Setup.exe
2812	Attack-On-Titan-Setup.exe
1392	Attack-On-Titan-Setup.exe

Loads dropped DLL 8 IoCs

pid	Process
880	Attack-On-Titan-Setup.exe
880	Attack-On-Titan-Setup.exe
4496	Attack-On-Titan-Setup.exe
4496	Attack-On-Titan-Setup.exe
2812	Attack-On-Titan-Setup.exe
2812	Attack-On-Titan-Setup.exe
1392	Attack-On-Titan-Setup.exe
1392	Attack-On-Titan-Setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jwcbBNF = "C:\\Users\\Admin\\Downloads\\Attack-On-Titan-Setup.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp\ = "C:\\Users\\Admin\\Downloads\\Attack-On-Titan-Setup.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jwcbBNF = "C:\\Users\\Admin\\Downloads\\Attack-On-Titan-Setup.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jwcbBNF = "C:\\Users\\Admin\\Downloads\\Attack-On-Titan-Setup.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jwcbBNF = "C:\\Users\\Admin\\Downloads\\Attack-On-Titan-Setup.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp\ = "C:\\Users\\Admin\\Downloads\\Attack-On-Titan-Setup.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jwcbBNF = "C:\\Users\\Admin\\Downloads\\Attack-On-Titan-Setup.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp\ = "C:\\Users\\Admin\\Downloads\\Attack-On-Titan-Setup.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jwcbBNF = "C:\\Users\\Admin\\Downloads\\Attack-On-Titan-Setup.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
95	discord.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
112	ifconfig.me
116	ifconfig.me
117	ifconfig.me
97	ifconfig.me
98	ifconfig.me
104	ifconfig.me

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
8	https://www.youtube.com/embed/Y5FxbrZjGZQ

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4600	tasklist.exe
2328	tasklist.exe
4272	tasklist.exe
5116	tasklist.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4948	sc.exe
1168	sc.exe
412	sc.exe
4168	sc.exe
4420	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
412	powershell.exe
3912	powershell.exe
4580	powershell.exe
5060	powershell.exe

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3448	WMIC.exe
3520	WMIC.exe
1380	WMIC.exe
2076	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1484	taskkill.exe
4940	taskkill.exe
2076	taskkill.exe
4860	taskkill.exe

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\jwcbBNF = "C:\\Users\\Admin\\Downloads\\Attack-On-Titan-Setup.exe"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\MyApp	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\jwcbBNF = "C:\\Users\\Admin\\Downloads\\Attack-On-Titan-Setup.exe"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\jwcbBNF = 03000000010000000100000000000000	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\MyApp\ = "C:\\Users\\Admin\\Downloads\\Attack-On-Titan-Setup.exe"	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 649072.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2476	schtasks.exe
4272	schtasks.exe
4848	schtasks.exe
3684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
5068	msedge.exe
5068	msedge.exe
2644	identity_helper.exe
2644	identity_helper.exe
4164	msedge.exe
4164	msedge.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1640	WMIC.exe
Token: SeSecurityPrivilege	1640	WMIC.exe
Token: SeTakeOwnershipPrivilege	1640	WMIC.exe
Token: SeLoadDriverPrivilege	1640	WMIC.exe
Token: SeSystemProfilePrivilege	1640	WMIC.exe
Token: SeSystemtimePrivilege	1640	WMIC.exe
Token: SeProfSingleProcessPrivilege	1640	WMIC.exe
Token: SeIncBasePriorityPrivilege	1640	WMIC.exe
Token: SeCreatePagefilePrivilege	1640	WMIC.exe
Token: SeBackupPrivilege	1640	WMIC.exe
Token: SeRestorePrivilege	1640	WMIC.exe
Token: SeShutdownPrivilege	1640	WMIC.exe
Token: SeDebugPrivilege	1640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1640	WMIC.exe
Token: SeRemoteShutdownPrivilege	1640	WMIC.exe
Token: SeUndockPrivilege	1640	WMIC.exe
Token: SeManageVolumePrivilege	1640	WMIC.exe
Token: 33	1640	WMIC.exe
Token: 34	1640	WMIC.exe
Token: 35	1640	WMIC.exe
Token: 36	1640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1640	WMIC.exe
Token: SeSecurityPrivilege	1640	WMIC.exe
Token: SeTakeOwnershipPrivilege	1640	WMIC.exe
Token: SeLoadDriverPrivilege	1640	WMIC.exe
Token: SeSystemProfilePrivilege	1640	WMIC.exe
Token: SeSystemtimePrivilege	1640	WMIC.exe
Token: SeProfSingleProcessPrivilege	1640	WMIC.exe
Token: SeIncBasePriorityPrivilege	1640	WMIC.exe
Token: SeCreatePagefilePrivilege	1640	WMIC.exe
Token: SeBackupPrivilege	1640	WMIC.exe
Token: SeRestorePrivilege	1640	WMIC.exe
Token: SeShutdownPrivilege	1640	WMIC.exe
Token: SeDebugPrivilege	1640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1640	WMIC.exe
Token: SeRemoteShutdownPrivilege	1640	WMIC.exe
Token: SeUndockPrivilege	1640	WMIC.exe
Token: SeManageVolumePrivilege	1640	WMIC.exe
Token: 33	1640	WMIC.exe
Token: 34	1640	WMIC.exe
Token: 35	1640	WMIC.exe
Token: 36	1640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe
Token: 35	3448	WMIC.exe
Token: 36	3448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2256	5068	msedge.exe	83
PID 5068 wrote to memory of 2256	5068	msedge.exe	83
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 4996	5068	msedge.exe	84
PID 5068 wrote to memory of 3184	5068	msedge.exe	85
PID 5068 wrote to memory of 3184	5068	msedge.exe	85
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86
PID 5068 wrote to memory of 2936	5068	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://attack-on-titane.com/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff765646f8,0x7fff76564708,0x7fff76564718
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe
  "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:1236
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:3888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get model,manufacturer /format:list"
    3⤵
    PID:4616
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get model,manufacturer /format:list
      4⤵
      PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path SoftwareLicensingService get OA3xOriginalProductKey"
    3⤵
    PID:4840
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get OA3xOriginalProductKey
      4⤵
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic bios get serialnumber"
    3⤵
    PID:4280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get serialnumber
      4⤵
      PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get freespace"
    3⤵
    PID:3520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get freespace
      4⤵
      PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get size"
    3⤵
    PID:4072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get size
      4⤵
      PID:3752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "getmac"
    3⤵
    PID:1984
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:3100
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5088
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command " $ws = New-Object -ComObject WScript.Shell; $shortcut = $ws.CreateShortcut("C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jwcbBNF.lnk"); $shortcut.TargetPath = "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe"; $shortcut.Save(); ""
    3⤵
    PID:428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "schtasks /Create /F /SC ONLOGON /TN "jwcbBNF" /TR "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe""
    3⤵
    PID:4364
  - - C:\Windows\system32\schtasks.exe
      schtasks /Create /F /SC ONLOGON /TN "jwcbBNF" /TR "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f"
    3⤵
    PID:3752
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f
      4⤵
      Adds Run key to start application
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "jwcbBNF" /t REG_BINARY /d 03000000010000000100000000000000 /f"
    3⤵
    PID:2076
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "jwcbBNF" /t REG_BINARY /d 03000000010000000100000000000000 /f
      4⤵
      PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f"
    3⤵
    PID:5116
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f
      4⤵
      Adds Run key to start application
      PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc create "jwcbBNF" binPath= "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" start= auto"
    3⤵
    PID:3360
  - - C:\Windows\system32\sc.exe
      sc create "jwcbBNF" binPath= "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" start= auto
      4⤵
      Launches sc.exe
      PID:412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "sc start "jwcbBNF""
    3⤵
    PID:2352
  - - C:\Windows\system32\sc.exe
      sc start "jwcbBNF"
      4⤵
      Launches sc.exe
      PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyApp" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f"
    3⤵
    PID:4696
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyApp" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f
      4⤵
      Adds Run key to start application
      PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im Discord.exe"
    3⤵
    PID:2592
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      Kills process with taskkill
      PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4540492056040426480,1674959861287242821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:4364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2476

C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe
C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:4656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4280
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get model,manufacturer /format:list"
  2⤵
  PID:1812
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get model,manufacturer /format:list
    3⤵
    PID:668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path SoftwareLicensingService get OA3xOriginalProductKey"
  2⤵
  PID:4032
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService get OA3xOriginalProductKey
    3⤵
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get serialnumber"
  2⤵
  PID:4420
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get freespace"
  2⤵
  PID:5116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get freespace
    3⤵
    PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get size"
  2⤵
  PID:1576
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get size
    3⤵
    PID:3452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac"
  2⤵
  PID:4924
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:1396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:3716
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3012
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command " $ws = New-Object -ComObject WScript.Shell; $shortcut = $ws.CreateShortcut("C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jwcbBNF.lnk"); $shortcut.TargetPath = "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe"; $shortcut.Save(); ""
  2⤵
  PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /Create /F /SC ONLOGON /TN "jwcbBNF" /TR "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe""
  2⤵
  PID:4684
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /F /SC ONLOGON /TN "jwcbBNF" /TR "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f"
  2⤵
  PID:3172
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "jwcbBNF" /t REG_BINARY /d 03000000010000000100000000000000 /f"
  2⤵
  PID:4316
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "jwcbBNF" /t REG_BINARY /d 03000000010000000100000000000000 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:4208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f"
  2⤵
  PID:4584
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "sc create "jwcbBNF" binPath= "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" start= auto"
  2⤵
  PID:1236
- - C:\Windows\system32\sc.exe
    sc create "jwcbBNF" binPath= "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyApp" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f"
  2⤵
  PID:392
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyApp" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:2080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im Discord.exe"
  2⤵
  PID:3044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Discord.exe
    3⤵
    - Kills process with taskkill
    PID:4940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2620

C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe
"C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:980
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2824
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get model,manufacturer /format:list"
  2⤵
  PID:1096
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get model,manufacturer /format:list
    3⤵
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path SoftwareLicensingService get OA3xOriginalProductKey"
  2⤵
  PID:3272
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService get OA3xOriginalProductKey
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get serialnumber"
  2⤵
  PID:3748
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get freespace"
  2⤵
  PID:4420
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get freespace
    3⤵
    PID:3752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get size"
  2⤵
  PID:2824
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get size
    3⤵
    PID:1228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac"
  2⤵
  PID:4364
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:1416
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4324
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command " $ws = New-Object -ComObject WScript.Shell; $shortcut = $ws.CreateShortcut("C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jwcbBNF.lnk"); $shortcut.TargetPath = "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe"; $shortcut.Save(); ""
  2⤵
  PID:904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /Create /F /SC ONLOGON /TN "jwcbBNF" /TR "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe""
  2⤵
  PID:1132
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /F /SC ONLOGON /TN "jwcbBNF" /TR "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f"
  2⤵
  PID:3208
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f
    3⤵
    - Adds Run key to start application
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "jwcbBNF" /t REG_BINARY /d 03000000010000000100000000000000 /f"
  2⤵
  PID:2744
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "jwcbBNF" /t REG_BINARY /d 03000000010000000100000000000000 /f
    3⤵
    PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f"
  2⤵
  PID:1228
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "sc create "jwcbBNF" binPath= "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" start= auto"
  2⤵
  PID:2476
- - C:\Windows\system32\sc.exe
    sc create "jwcbBNF" binPath= "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyApp" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f"
  2⤵
  PID:1768
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyApp" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im Discord.exe"
  2⤵
  PID:3612
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Discord.exe
    3⤵
    - Kills process with taskkill
    PID:2076

C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe
"C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:1228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3004
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get model,manufacturer /format:list"
  2⤵
  PID:3288
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get model,manufacturer /format:list
    3⤵
    PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path SoftwareLicensingService get OA3xOriginalProductKey"
  2⤵
  PID:2744
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService get OA3xOriginalProductKey
    3⤵
    PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get serialnumber"
  2⤵
  PID:5060
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get freespace"
  2⤵
  PID:2600
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get freespace
    3⤵
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get size"
  2⤵
  PID:3428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get size
    3⤵
    PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac"
  2⤵
  PID:2812
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:3104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:1128
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2076
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command " $ws = New-Object -ComObject WScript.Shell; $shortcut = $ws.CreateShortcut("C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jwcbBNF.lnk"); $shortcut.TargetPath = "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe"; $shortcut.Save(); ""
  2⤵
  PID:3288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /Create /F /SC ONLOGON /TN "jwcbBNF" /TR "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe""
  2⤵
  PID:2928
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /F /SC ONLOGON /TN "jwcbBNF" /TR "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f"
  2⤵
  PID:5060
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f
    3⤵
    - Adds Run key to start application
    PID:720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "jwcbBNF" /t REG_BINARY /d 03000000010000000100000000000000 /f"
  2⤵
  PID:1972
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "jwcbBNF" /t REG_BINARY /d 03000000010000000100000000000000 /f
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f"
  2⤵
  PID:1056
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "jwcbBNF" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "sc create "jwcbBNF" binPath= "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" start= auto"
  2⤵
  PID:1380
- - C:\Windows\system32\sc.exe
    sc create "jwcbBNF" binPath= "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyApp" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f"
  2⤵
  PID:3792
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyApp" /t REG_SZ /d "C:\Users\Admin\Downloads\Attack-On-Titan-Setup.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im Discord.exe"
  2⤵
  PID:2972
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Discord.exe
    3⤵
    - Kills process with taskkill
    PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0682a14f-75af-4770-b620-93e267486720.tmp

Filesize
11KB

MD5
10a89e06711fc735b3ec34f5ed6fe3dc

SHA1
ad8daf40609849540cc5e1a8e744d89cb434d6c5

SHA256
bdc87b20bb2e7031cc3810a8d081c1081d7a675f2241469b32d75d66eaf362d3

SHA512
12ebdf3da3eacd1daf37c688aad2c455232a354f28b4a511e6981fd34be84fe958840b336d3cc8dcccd8feec00f5fa0c52db5722ac37a22219d842446d1beefd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\09f9b113-29f1-4f99-bd36-32e4f88ae2d2.tmp

Filesize
5KB

MD5
03c248ca47d1ca10fa1a513b22e29f2f

SHA1
2b7ca0c79464a19f1aa56a03969ef46283af4e23

SHA256
52f3c521c019d2ca4273cbecb72f0f4b75f9b60cea3e39eadb0b14d9e055bdf9

SHA512
d10f20c88ebfa31b0d7be575094083c900257b4aa85a02ca1a73a5f43e555c48fc9147e666ac945868cf02f244faede22a93c96ec3245b8c9fed9289f003c78c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7c6f95ee-2fca-4c5e-a628-3586332c9545.tmp

Filesize
6KB

MD5
c4643290f23247e6b6f91ecdf467f6de

SHA1
abe464e6d429ad32dfd0893abec2861866156428

SHA256
942a5e88d6fec99e9ea01d262bbd115e9e461bcb590526ca26463bf6641e01ac

SHA512
5f58178e8c21d7160f4dd20dd2a03185f53293200d166f5a5372d12f1e0e3c0e2f72602e3fe39f5b8eb63f56cace856ca40e8e1ffb2ea0b684663e3ffaa30671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
dee3f67d4aea0db6cdb47cf865b25695

SHA1
0917be6c85a117386c3dd3d7409a4a28797f2c87

SHA256
b2e161193c81767949c21e98b37d234980c32c5d7d8fdbd64c7eeaad8299d895

SHA512
f9a0b2778e119d4e2b781a16523c69afa3204e0f5d6cbc2c4127996992dd96a2da8edadeb4451ced192922cc7f3c0840a8f8e9b966d04c62b5aab5c310ab9b87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
264B

MD5
3ce083c6d6b4857848180cf1b45c4c06

SHA1
eeefba987ce34bb7492c8f0cbde0ef005ec3e295

SHA256
0639c96df56cf272772168eca8123a0882fc651c36d9fa8af13c0c6d89789c50

SHA512
e76dd2d0964420b47baa9d8b6c6570a70e3e7525642a4f7e333e1f5f5aaaceeb4d46f7068a066f9b4715f15203bb75ce7983cb16b5833ba9ffdd8d0d167d0b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ca6d7f80cbeb7a11aeed4fe07427a685

SHA1
33271d60a647af16fe0710f539fef114b06af401

SHA256
643b7610cadb59675a5b15d11e384af7e605bbc1d3a9d442e8d95c1441b9347b

SHA512
3714610b977e7da191c58b0addc5448e371f95b825a182979e051e5fc5342203808af732b33b5806b2a0f1ea14384ae50ce5deda3ad1dda660d1a13700160702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4ab896337b9b7d513d06999302255fae

SHA1
38129b4b54601466292b0f0aee6d163048190823

SHA256
b4cf028ea38af0a947bfb76942b7c4d8dbf5c1c70d835c361e9944c7f7a7fe91

SHA512
993354af9d89a5991baeae450e65b5a1f86b6dcf9b057867893e60382ef8b1dfb2d489051d74111d735659b16e18a372b9270052355ded61d325aad131ca6eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\d705621d15c6485bf0af9327b815fe42c1b2e039\index.txt

Filesize
31B

MD5
f16c1f2c4caead2a4691e259075b8a87

SHA1
b5f5a0cd87559ed266a3c13cfde6000c8ac6f71f

SHA256
785a827fdfe4b6ea42dc6524995799415c971d827330d8a662d0e7212b4537ed

SHA512
fac1e14e46cdc66dfadcaf7ab829bf9ca20f7bf470ad6d822ac4d3f582ddc83fa069f983df6f132b6ec9853338054824110a77f71e640509ee93f69f7bc205f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\d705621d15c6485bf0af9327b815fe42c1b2e039\index.txt~RFe578230.TMP

Filesize
95B

MD5
c16edf3dc7bebe292821b03a15a11cd5

SHA1
dd6351a785d2e45cde08cec82f013cf9e257ee37

SHA256
2b97d0db80343a2bd40c58fc7d451b5697896de7724ae21636483dc2b677e448

SHA512
0ec63ef949c0cf20f862d5399f1a3fe09e87b187fb01989ae5f8c391ed1566eff14e4d462c1c283a3c75f3065950868e3749c2826288619d823342670f11b679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
77582d6236863dc8dd3cc9ad9ddd6c94

SHA1
31fdb64161552bc3d3c14ea2c1ee7f72811ae15b

SHA256
9bf47c07e1c413f11a3ebca75ff734d5df1f90a235499be8ae501d87288cdae3

SHA512
f2468c3110d49e4a4195310274f4ed4557c30eeee43438a6a3d2a23bc4d002c6c3c32ba05ad348ddf76394c4cb8c1b1068ec1e3dc7957abc377e07c11fa59169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
107c9ea0459b76e6c47964ddff04314e

SHA1
adbbe7605c9df7be07c58434006455641c8b386a

SHA256
a6df3937bfc8168461fa96140efaa94d9455992ee74bcd724a39aad34775ade7

SHA512
3471c1b833013b382851b1bfe6ad84787066fc4bd78df8bec1da5589dbd0340cfd70de71cb522567210055840879db6144b5e9d8759f266f359cdcaec429051a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1154016276.node

Filesize
1.6MB

MD5
ed4ba4226ff675bb2b6cc4013eb8869c

SHA1
b95f7a08e140fc96ba3506a6f5f41f41a09b1a3c

SHA256
a0703af5f81284f61b51946b703ccaafcae05c848527d38f1e6d8290f98ff538

SHA512
b3e69235b4fca48163d1604564fefa23fd6be371888bce2a8715506b17ffdaf555ea9368b011d6ef05d7904affa04095f8dc9d9135208ffd113836c714c2c820

Download Submit
C:\Users\Admin\AppData\Local\Temp\2094754714.node

Filesize
275KB

MD5
b0de8894ef937d27715e81eedb6177b9

SHA1
7a3cce84c94c2a7cfc9b260d219d3738f0f93a99

SHA256
89cbacbc842eb08645bf0b2ea5a03f0a0504a213aa123242343e5588e2f0149c

SHA512
9166ddf27a1094817aba685c66bd2fc60d57c4d0961d96931a4e56bac34de339334532196253b676276241d88214e2927b1fc174acaf33296cf8f84e1455b055

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aklg21hv.rld.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-2812-aTzLL4gGgfdD\data\cookies.yaml

Filesize
338B

MD5
fdc87a2b47b8e62832fe28c7577cad54

SHA1
d421b172add0923fc5e0bb0ed377593352787b69

SHA256
9d432adfeefee2e34c083da0c7f6d6f5d4a100f00a95fdadd67df45a2be1b2dd

SHA512
19e4a9a2a7f525c4ddd796c33ca864929a0b5a165d1a4088ab8361a3710c6c1c95c5f480e068d0fa01ae374a1b976cf1eeef94aafca52c8cfe06abbd6653a927

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-2812-aTzLL4gGgfdD\data\passwords.yaml

Filesize
20B

MD5
dc6643d6ebed109592e87acedd431d4a

SHA1
c7364bbcc508f9a7cbf9a910f06188c149b02aed

SHA256
7dc882c81f3633b2c977e6101973d3954ead2fcba43e32cfe2fa6b7cecfde81f

SHA512
dd681bad0f164ef3f0cc00b170e137c488fc7c11c633926678208152b71278322f6248e5b45f65a0b6e8290faabebb51dd4973a824cdbdc89fc8e8ca719cabcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-2812-aTzLL4gGgfdD\passwords-2812-OV0IhBj2ykMd

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-2812-aTzLL4gGgfdD\passwords-2812-gqGulSXjUSW5

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-2812-aTzLL4gGgfdD\tmp-2812-eUlmzTLJqvCI

Filesize
20KB

MD5
0d17cd5cd8f8c3877f45aacd40a5c793

SHA1
a83d32fe7ca8555fa4dc908f4744102e04c5de26

SHA256
0253aeed8b4377b13439051b743c9e669d8aa378a87a5b732ad93a8c08bebbc4

SHA512
c2f8457b9df6064acf808aaeb3ec87fcd97445203c662544da3e76d37b05d867869d1cde704da2e856ea891d029e0dc483ef1ef272f2e0ab735158763444b405

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-880-BEswZZG2ckZB\data\autofill.yaml

Filesize
42B

MD5
9ed4d96b6c3a43d0465aba317cda8be4

SHA1
e1b2a0436c8bb2a1f81fa34eb37cc1e471958108

SHA256
58e4cbae761077493024aba20907f930dccb0570c7c4ddad1ae40a31f39ef105

SHA512
29758ee1a6ae4030fdbcd4a59c59cb2ee0311fecb342fb517f3817006a96345c6144133fed2a999b0c96c1b3533c9c774b62a20bd938d5dacf43a96c892ce1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-880-BEswZZG2ckZB\tmp-880-NF1LnDzPD4gb

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-880-BEswZZG2ckZB\tmp-880-gkZL868mvAjr

Filesize
114KB

MD5
d0150bee5e917cfd7a7152d6c1988919

SHA1
fbcb54efb2fc75f72eaea9605b1a2cae557a121b

SHA256
ea86bc11680540f71d4740429e19804ad5c375e5ceee098981f6aebe691b71c1

SHA512
a3c542917de3538c0a10445f3fd96395cac0f2c572fccc948ed755864d5800af16957d7deb5973a469cde52582d3e3ee6f4d3e87acd7b1084d64441268b2504d

Download Submit
C:\Windows\Temp\tmp-4496-VmvOFZJO46ek\data\autofill.yaml

Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Windows\Temp\tmp-4496-VmvOFZJO46ek\data\discord.yaml

Filesize
3B

MD5
58e0494c51d30eb3494f7c9198986bb9

SHA1
cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d

SHA256
37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570

SHA512
b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4

Download Submit
memory/3912-372-0x000001B2F6A90000-0x000001B2F6AB2000-memory.dmp

Filesize
136KB

Download