meduza | d78d8879a87115794cab50ea760af9b769f77bd21789be9d7ff920742302edf6

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kraken Cheat/Kraken.exe
Size

3.7MB
MD5

2efb1d6f632c13e3be57d710f190f8d0
SHA1

19437cafa11c6ae5fa27e35de3369cf0817a7dbb
SHA256

ca54bdbbd6238be2040eb965561f078e573569d8d2fa0756d02e2795276c62bf
SHA512

ae3a3fa1c142c5d57f641da0941364189ffe01daac6a4739d5d84508f0461451ef4c818cc1164d9cfab3ddbc6f613f94e26046fd7d613e42a7ec858dec29b38b
SSDEEP

49152:PQusxfstVERf60TI/s4U/cAjuvWjbQVLu3:gCu3

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
444
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 47 IoCs

resource	yara_rule
behavioral1/memory/3004-9-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-11-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-12-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-6-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-5-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-4-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-3-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-19-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-15-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-21-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-23-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-22-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-27-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-25-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-20-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-14-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-17-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-16-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-47-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-72-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-84-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-90-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-88-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-86-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-82-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-80-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-78-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-77-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-73-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-68-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-67-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-62-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-60-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-58-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-57-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-55-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-54-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-53-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-51-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-49-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-48-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-63-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-52-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-46-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-43-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-44-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/3004-93-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza

Meduza family
meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	Kraken.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2848 set thread context of 3004	2848	Kraken.exe	30

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2244	cmd.exe
1472	PING.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0597b954b3edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C10D6EC1-AA3E-11EF-9906-CA806D3F5BF8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000009489c955ce432f89ad7f226ce285e1cdc63928357b2016039f3e2a63887ece000000000e80000000020000200000005be9aa936d2403a806b17092d6d9a3df70327bb14405819d49bfe994d7a188862000000084066df797ab14ed3c24cfefd954864c22220bdaf41dfb4ad0fa7388de00c2e84000000003d716f6d8d6f798b5ecb761e470eaf49f5483395061345a9dc29e7f7aff3b6bd1f9e5af27f346767ee8c2dec25a386c13b769a17804dedb34d0a617ffd8c2fc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000c5031fffe065f7c30c8987cac1a82c35c96029d75ef6c38b96a5d1b019fa1cbf000000000e8000000002000020000000cfeb4a8ad23d58521c16d6a3881c93f74c27b2aee83fa1a87bf1ae189c8868da90000000c73cdca4f76bcf81d56ef2b16771c09b6d2f145cf6a5bc46ffe16ebb0b5ef169dfe8f6ea3fbec8381d5a4227381b9f0bd2b7aaba79d029e6db4bcfb8e2951d20a09a79d29485d99e19be437f5108cbdee805275f1972a4b52f614497b02ccfaa49fc6f0907d3b35977769f37f49bea935ec0ed446554e8e0ee2e3ba3a948580d992aeba35506972e8cbe39b618ee25e74000000038c326cf1384cfd159133f9eb77ea4ce91ae38d75afeba01aa46d9648ab36a1edd38b8755fbaad687193894d5ea07ddc93fd2ac2ebae5760d4bb83562d5ab0cc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1472	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3004	Kraken.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	Kraken.exe
Token: SeImpersonatePrivilege	3004	Kraken.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2008	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2008	iexplore.exe
2008	iexplore.exe
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3004	2848	Kraken.exe	30
PID 2848 wrote to memory of 3004	2848	Kraken.exe	30
PID 2848 wrote to memory of 3004	2848	Kraken.exe	30
PID 2848 wrote to memory of 3004	2848	Kraken.exe	30
PID 2848 wrote to memory of 3004	2848	Kraken.exe	30
PID 2848 wrote to memory of 3004	2848	Kraken.exe	30
PID 2848 wrote to memory of 3004	2848	Kraken.exe	30
PID 2848 wrote to memory of 3004	2848	Kraken.exe	30
PID 2848 wrote to memory of 3004	2848	Kraken.exe	30
PID 2848 wrote to memory of 3004	2848	Kraken.exe	30
PID 2848 wrote to memory of 3004	2848	Kraken.exe	30
PID 2008 wrote to memory of 2180	2008	iexplore.exe	35
PID 2008 wrote to memory of 2180	2008	iexplore.exe	35
PID 2008 wrote to memory of 2180	2008	iexplore.exe	35
PID 2008 wrote to memory of 2180	2008	iexplore.exe	35
PID 3004 wrote to memory of 2244	3004	Kraken.exe	36
PID 3004 wrote to memory of 2244	3004	Kraken.exe	36
PID 3004 wrote to memory of 2244	3004	Kraken.exe	36
PID 2244 wrote to memory of 1472	2244	cmd.exe	38
PID 2244 wrote to memory of 1472	2244	cmd.exe	38
PID 2244 wrote to memory of 1472	2244	cmd.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe

C:\Users\Admin\AppData\Local\Temp\Kraken Cheat\Kraken.exe
"C:\Users\Admin\AppData\Local\Temp\Kraken Cheat\Kraken.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\Kraken Cheat\Kraken.exe
  "C:\Users\Admin\AppData\Local\Temp\Kraken Cheat\Kraken.exe"
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:3004
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Kraken Cheat\Kraken.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1472

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\ConvertSubmit.xht
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afc3a704430d641cd1378b5eb6c2b3a3

SHA1
a64c611078db18a2270064edb3b8e556b71bc4f0

SHA256
538c5a5ea019868cce6250cd3de1d9aecb914097ffd059927a3bbc941a629880

SHA512
f5d350f20135a9b73aefd01715435459df79fa917e058c69b874bc6ea0bb024160c5b725e4557a33b78c9a9a97bef0fd0c14efd6bc32b226e3192b5a3956f268

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e16a71d823e5c477f3db7cf2c9efd27d

SHA1
ae3c08168305d1e8d42256c0289e4c5f928fd1a9

SHA256
9847c1b0b164274fc004eb5ca0b9790f0572b0c1613b6b8284de39a52706ec7d

SHA512
0cfed50382d45bc4b2653a57823b96e39de785d87fd34f892f1d6298fd3c61772f53efed650429b33e78e666e46814b857f85c53c3fcfa2b201912e806acfbf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53fc37a864b46b6f5aace30681829ffa

SHA1
6fbd61af14efb69fa1698f28f1ea126087ecb2db

SHA256
2583e3e836665bacf2431705ced3a048bbbd5d4d32165a64d444dc3ed37bae28

SHA512
99afea98b3baf1bd9c7710949736311c75710c19e4931a4989f41e570e43b8b3c9ff79ba9f848f3a442efbb4f82c7345e2288ff3a9cca490693738fbd7315e7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a282d60e828956771aab594a15a9692

SHA1
b4e50e81bfe63f4d27624847185ebe666c00a34e

SHA256
3bd72718e6b8a2ae3b6e1e3118b1315a5a0d28e639e21dc4ebe2f07d7c0cd516

SHA512
14b4a244a615847672e999c627ec77368e3995253c4c9e00f30ddb28093ecf0cf0d41ad3415c87e89d53d7af0c6c3fa35ee53936552246d31d428b105b1ab5a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f59c34c61de393203132824daa97e5d1

SHA1
dbdca64da10c4f74245a29e7fbd7cb64f6184089

SHA256
404724cf304a85d403c587f48a8b179b322731f2547ccdeecf9ec521d9fd8288

SHA512
53ef07c44575aa7259250dbf4c355a1f27bc15464d3214fca6b77d0781bca93d5234a1cdd19ba5108240d1291d8336f0330841f1fc7e24898a2418bc2c7914a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72295b78a0d43165b820013bd78aafa3

SHA1
2fc502d462bb754c2490c53fab8a4114bb062c03

SHA256
ac199c2750990fb3becdf0203fb00ba856b144ae846a85cbdef0d39e11986f94

SHA512
bc593558fc3e64c47fb0ff8c6611ff8c642df8eef236add27ad7c8253edb77720d16356e20a069a69973ecf1eaf955a8fe743887a0e7441d2cf339efd0224026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70f485c1536020382df04a658b8a9d03

SHA1
e8750a5923087fb375af6d77935270291aa494fb

SHA256
e097ebbdbab2b1cc6c0398d65d99abbf84e79ef8d9e097e5491abc978808027f

SHA512
d231a60868ac1b2e8e03688b2051451fd74bdfe81c3bd0b5c6bbe168ce26e9c2abad4315daafcf8495ae98510c590656871db22e256ef571f4cef477080ca234

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4017c3141c5bebda1a316d4b2f61fc1f

SHA1
48d1ccb28666b27a5db02bce4b71586ea7643f24

SHA256
3a2e7d2aa1549c27db174c3b21b798c6a94515c850350c5bf4902ff0cc7fc23a

SHA512
d4cccc738c718426ca5c0cf96981e6e1f60af7f436bab701d612b895580e3d3f27b3e3bb257a844dc8ccbe59a5785462c8fc425926e2afdeeec28c2e47144391

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27b0c1bcca96049d2f4bf4a817360951

SHA1
58dbb48eeb11337dde332efdca4a404d2ac7e082

SHA256
9d006fc9450f99431eb1347b27f1b7a16d5c984d6381d3c0f4a3fd62ee59a82d

SHA512
013e2a11f9aca0c3bb69404a80091ed4bcffd407ff9d28da5cc7df29b32bbb1dab14210c79d3da0c0c0eb2c8a67c3f20148975293c4f3b7f314132cdce773d45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96603640a9e3417ef78754303fb45dec

SHA1
8a3e9a78e3543d04fb7212628fc20a27b335a201

SHA256
eb390da76cd62b045a060f937de2c8b76c89409a582909dd103472247910a964

SHA512
df71695b232192fd45b5317586e3012eb92dc4ad20d2be4d34adb9afff7eb95ac5027f4a3db7fea9302c8a2eb8f173e834f9340984a6d10ddf7a8cd963f227d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCBCA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCBCB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/3004-86-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-67-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-2-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-0-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-19-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-15-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-21-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-23-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-22-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-27-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-25-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-20-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-14-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-17-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-16-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-47-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-72-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-84-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-90-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-88-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-4-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-82-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-80-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-78-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-77-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-73-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-68-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-3-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-66-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/3004-62-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-60-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-58-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-57-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-56-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/3004-55-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-54-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-53-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-51-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-49-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-48-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-63-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-52-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-5-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-6-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-7-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/3004-12-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-11-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-9-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-1-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-46-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-45-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/3004-43-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-44-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3004-93-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download