471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

Analysis

max time kernel
301s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
Size

151KB
MD5

993135dacbff2607839ee5a76ca06c61
SHA1

c1a9a8cdad293887214605ca0e47f3ddfa4e1a52
SHA256

98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7
SHA512

69472dc86d5d3c44742b209fb0a57ab3afd8f93d0c5adfdcd48c2e4828828309101fcb9500813044712b1bc3e85e6a2ad3e5dde5f3818fb8772f0ff5d0b873ea
SSDEEP

3072:aMAr2Q8LH/r1GgDwheOj9Pm4uX2QZJiU8ypfoAWe:aMAaQ0D1VDwheuhJmJiU8y90

Score

10^/10

discovery persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\How to restore files.hta

Ransom Note

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta charset="windows-1251"> <title>GLOBE</title> <HTA:APPLICATION ICON="msiexec.exe" SINGLEINSTANCE="yes"> <script language="JScript"> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">YOUR FILES HAVE BEEN ENCRYPTED! </div> <div class="note private"> <div class="title">You personal ID</div> <pre>0178939591092578510096713288732734444436291030185111743159249877518849824774525780010420486703547306 4652603242890427289402157602390455027228145456585345657734661767927182934824784938044688982522451884 2620491262784131357266215950492358629941402487830576900203840833202399044220143367661121649632629301 5179074928560462574007465013958853843624259358386489262940377839951938122385622534242951108648983031 8880908644210114037550933639458208337240403693102170667425911540428961429569026846183735086129319325 3554270790458608138933805365087188517064690041601048024281544630417835654425448174464853540195663395 457396003521030681</pre> </div> <div class=bold>Your files have been been encrypted with a powerfull strain of a virus called ransomware.</div> <div> Your files are encrytped using rsa encryption, the same standard used by the military and banks. It is currently impossible to decrypt files encrypted with rsa encryption..</div> <div>Lucky for you, we can help. We are willing to sell you a decryptor UNIQUELY made for your computer (meaning someone else's decryptor will not work for you). Once you pay a small fee, we will instantly send you the software/info neccessary to decrypt all your files, quickly and easilly. </div> <div>In order to get in touch with us email us at <span class="mark">[email protected]</span>.In your email write your personal ID (its located at the up of the page, it is a string of random characters). Once we receive your personal ID, we will send you payment instructions. </div> <div>As proff we can decrypt you files we may decrypt 1 small file for test. </div> <div class="note info"> <div class="title">If you dont get answer from [email protected] in 10 hours</div> <ul> <li>Register here: <a href="http://bitmsg.me">http://bitmsg.me</a> (online sending message service Bitmessage)</li> <li>Write to adress <span class="mark">BM-2cUrKsazEKiamN9cZ17xQq9c5JpRpokca5</span> with you email and personal ID</li> </ul> </div> <div>When you payment will bee confirmed, You will get decrypter of files on you computer.</div> <div>After you run decrypter software all you files will be decryped and restored.</div> <div class="note alert"> <div class="title">IMPORTANT!</div> <ul> <li>Do not try restore files without our help, this is useless and you may lose data permanetly</li> <li>Decrypters of others clients are unique and work only on PC with they personal ID.</li> <li>We can not keep your decryption keys forever, meaning after 1 week after you have been infected, if you have not paid, we will not be able to decrypt your files. Email us as soon as you see this message, we know exactly when everyone has been encrypted and the longer you wait, the higher the payment gets. </li> </ul> </div> </body> </html>

Emails

class="mark">[email protected]</span>.In

[email protected]

Signatures

Renames multiple (1038) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 1 IoCs

Processes:

msiscan.exe

pid process

1976 msiscan.exe

pid	process
1976	msiscan.exe

Loads dropped DLL 2 IoCs

Processes:

98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe

pid	process
2564	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
2564	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{7EE83558-92B4-4741-8714-1DE414DEA489} = "C:\\Users\\Admin\\AppData\\Local\\msiscan.exe"	mshta.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral27/memory/2564-0-0x0000000000400000-0x000000000044B000-memory.dmp	upx
\Users\Admin\AppData\Local\msiscan.exe	upx
behavioral27/memory/2564-5-0x0000000002620000-0x000000000266B000-memory.dmp	upx
behavioral27/memory/1976-13-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2564-11-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-16-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-15-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-141-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-256-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-308-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-378-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-481-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-586-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-634-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-689-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-743-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-794-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-862-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-916-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-962-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1014-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1064-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1113-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1163-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1213-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1264-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1308-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1356-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1414-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1459-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1518-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1677-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1816-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-1901-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/1976-2005-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

msiscan.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.purge	msiscan.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png.purge	msiscan.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.purge	msiscan.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.purge	msiscan.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui.purge	msiscan.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif.purge	msiscan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.purge	msiscan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt.purge	msiscan.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.purge	msiscan.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msadcfr.dll.mui.purge	msiscan.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.purge	msiscan.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui.purge	msiscan.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml.purge	msiscan.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.purge	msiscan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar.purge	msiscan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt.purge	msiscan.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.purge	msiscan.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\How to restore files.hta	msiscan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.purge	msiscan.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png.purge	msiscan.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar.purge	msiscan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt.purge	msiscan.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.purge	msiscan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png.purge	msiscan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png.purge	msiscan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar.purge	msiscan.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.purge	msiscan.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.purge	msiscan.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui.purge	msiscan.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine_2.3.0.v20140506-1720.jar.purge	msiscan.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.purge	msiscan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png.purge	msiscan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.purge	msiscan.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.purge	msiscan.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui.purge	msiscan.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\How to restore files.hta	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.purge	msiscan.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.purge	msiscan.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png.purge	msiscan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.purge	msiscan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.purge	msiscan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt.purge	msiscan.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg.purge	msiscan.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp.purge	msiscan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.purge	msiscan.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.purge	msiscan.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui.purge	msiscan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png.purge	msiscan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exemsiscan.exemshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exemsiscan.exe

description	pid	process	target process
PID 2564 wrote to memory of 1976	2564	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe	msiscan.exe
PID 2564 wrote to memory of 1976	2564	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe	msiscan.exe
PID 2564 wrote to memory of 1976	2564	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe	msiscan.exe
PID 2564 wrote to memory of 1976	2564	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe	msiscan.exe
PID 1976 wrote to memory of 2780	1976	msiscan.exe	mshta.exe
PID 1976 wrote to memory of 2780	1976	msiscan.exe	mshta.exe
PID 1976 wrote to memory of 2780	1976	msiscan.exe	mshta.exe
PID 1976 wrote to memory of 2780	1976	msiscan.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
"C:\Users\Admin\AppData\Local\Temp\98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\msiscan.exe
  "C:\Users\Admin\AppData\Local\msiscan.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\mshta.exe
    mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{7EE83558-92B4-4741-8714-1DE414DEA489}','C:\\Users\\Admin\\AppData\\Local\\msiscan.exe');}catch(e){}},10);"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\How to restore files.hta

Filesize
4KB

MD5
e782c9ef89d5d86dcaf8bffbeb57e245

SHA1
d005170cf92710229ea9d71ee7afefa49878d177

SHA256
40fbd7431fe37d62547b0d8a383b98a32a8027e90201b68a0235e91962ffa084

SHA512
7ea1679546e198e27cc504b9444b5109d0b02a49cb56fa187d6c84ed58460ff4501426665ac9f6e1ba2f9d741617686ba150b1216b8e7d637996f3276eb2a000

Download Submit
\Users\Admin\AppData\Local\msiscan.exe

Filesize
151KB

MD5
993135dacbff2607839ee5a76ca06c61

SHA1
c1a9a8cdad293887214605ca0e47f3ddfa4e1a52

SHA256
98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7

SHA512
69472dc86d5d3c44742b209fb0a57ab3afd8f93d0c5adfdcd48c2e4828828309101fcb9500813044712b1bc3e85e6a2ad3e5dde5f3818fb8772f0ff5d0b873ea

Download Submit
memory/1976-862-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-256-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-2005-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-16-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1901-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1816-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-141-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-916-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-308-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-962-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-481-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-586-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-634-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-689-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-743-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-794-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-13-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-378-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1014-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1064-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1113-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1163-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1213-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1264-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1308-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1356-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1414-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1459-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1518-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1976-1677-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2564-5-0x0000000002620000-0x000000000266B000-memory.dmp

Filesize
300KB

Download
memory/2564-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2564-11-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download