bb559e393dfd758a6a4fea745fcd651cff5363025d632b53d81d8111d4843f4e

Analysis

max time kernel
102s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Conti-0xb.exe
Size

225KB
MD5

4cd1bdd51aad677e34b28eb8fdbb8713
SHA1

15f0d03511fb8b97e8e25e2c88ce287a3daeacd7
SHA256

8cc0af07f6a734190daa831d3636db4d88a5c9e74872ebcfb3aa9b5beea77804
SHA512

a41f63165c721db042ed7be26f93c7703dbaca0e502051ea9723ffa077285f21683138d3874a6854264a4d0b5c46be02a0590113475fd8366c6e08f5ab1de52b
SSDEEP

3072:n6syAG2L/wgMrxFSbY3Fq5dQWQC0F0+aLTZtjaPPZMtcdlrRMC/T2wc:6iG2EgwFSc3U5dv0FOTDaPPZMEfBc

Score

10^/10

credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\readme.txt

Ransom Note

All your files are encrypted and the backup is corrupted. Don't worry, only our team can recover files. We only accept BTC transactions for payment. Before payment, you can submit 1 file for decryption testing. The file cannot be a backup, database, key, and the file cannot exceed 80kb. Hopefully the head of the organization will contact us directly. We have no other purpose. We just want money. We have always been honest. There has been a period of time in your organization and obtained almost all of your applications, people, dealers, products and other data. If we are ignored, this incident will be made public. Sell your data. Contacting us as soon as possible is the best way for everyone. Contact us tox.id: "F03697478C23619141468DF39D14C3EBAECF1D93EF0AE14A14338741141C566671CB3F4C3A1A" If you do not contact us to pay the ransom within 7 days, the amount will double. 1. Do not restart the operating system or isolate the LAN. 2. Do not modify the encrypted file without authorization. If an encryption barrier occurs, some files cannot be recovered by the decryption key and we will not be held responsible. ---BEGIN ID--- bLkGYvN43a3tVNzPJrQGfNEQgFhqFSSmCdCSQABgOyLPZNKGgmfYktRw510bKGsR ---END ID---

Signatures

Renames multiple (8702) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	Conti-0xb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Conti-0xb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Program Files\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Public\desktop.ini	Conti-0xb.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Conti-0xb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\ui-strings.js	Conti-0xb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\gu.pak	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js	Conti-0xb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\mi.pak	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.ITS	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected.svg	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\close_dark.svg	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\de.pak	Conti-0xb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-si\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\da_get.svg	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\ui-strings.js	Conti-0xb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\installation_telemetry.json	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin	Conti-0xb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\ui-strings.js	Conti-0xb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ro-ro\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ms.pak	Conti-0xb.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\readme.txt	Conti-0xb.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg	Conti-0xb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\readme.txt	Conti-0xb.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\nl_get.svg	Conti-0xb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Locales\eu.pak.DATA	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\THMBNAIL.PNG	Conti-0xb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge_200_percent.pak	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\PREVIEW.GIF	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\ui-strings.js	Conti-0xb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.bfc	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\fr.pak	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\PREVIEW.GIF	Conti-0xb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr.png	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\ui-strings.js	Conti-0xb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ar-ae\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	Conti-0xb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms	Conti-0xb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML	Conti-0xb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms	Conti-0xb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\readme.txt	Conti-0xb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif	Conti-0xb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\readme.txt	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js	Conti-0xb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\br.gif	Conti-0xb.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe
5988	Conti-0xb.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeBackupPrivilege	4120	vssvc.exe
Token: SeRestorePrivilege	4120	vssvc.exe
Token: SeAuditPrivilege	4120	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1792	WMIC.exe
Token: SeSecurityPrivilege	1792	WMIC.exe
Token: SeTakeOwnershipPrivilege	1792	WMIC.exe
Token: SeLoadDriverPrivilege	1792	WMIC.exe
Token: SeSystemProfilePrivilege	1792	WMIC.exe
Token: SeSystemtimePrivilege	1792	WMIC.exe
Token: SeProfSingleProcessPrivilege	1792	WMIC.exe
Token: SeIncBasePriorityPrivilege	1792	WMIC.exe
Token: SeCreatePagefilePrivilege	1792	WMIC.exe
Token: SeBackupPrivilege	1792	WMIC.exe
Token: SeRestorePrivilege	1792	WMIC.exe
Token: SeShutdownPrivilege	1792	WMIC.exe
Token: SeDebugPrivilege	1792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1792	WMIC.exe
Token: SeRemoteShutdownPrivilege	1792	WMIC.exe
Token: SeUndockPrivilege	1792	WMIC.exe
Token: SeManageVolumePrivilege	1792	WMIC.exe
Token: 33	1792	WMIC.exe
Token: 34	1792	WMIC.exe
Token: 35	1792	WMIC.exe
Token: 36	1792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1792	WMIC.exe
Token: SeSecurityPrivilege	1792	WMIC.exe
Token: SeTakeOwnershipPrivilege	1792	WMIC.exe
Token: SeLoadDriverPrivilege	1792	WMIC.exe
Token: SeSystemProfilePrivilege	1792	WMIC.exe
Token: SeSystemtimePrivilege	1792	WMIC.exe
Token: SeProfSingleProcessPrivilege	1792	WMIC.exe
Token: SeIncBasePriorityPrivilege	1792	WMIC.exe
Token: SeCreatePagefilePrivilege	1792	WMIC.exe
Token: SeBackupPrivilege	1792	WMIC.exe
Token: SeRestorePrivilege	1792	WMIC.exe
Token: SeShutdownPrivilege	1792	WMIC.exe
Token: SeDebugPrivilege	1792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1792	WMIC.exe
Token: SeRemoteShutdownPrivilege	1792	WMIC.exe
Token: SeUndockPrivilege	1792	WMIC.exe
Token: SeManageVolumePrivilege	1792	WMIC.exe
Token: 33	1792	WMIC.exe
Token: 34	1792	WMIC.exe
Token: 35	1792	WMIC.exe
Token: 36	1792	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5988 wrote to memory of 1032	5988	Conti-0xb.exe	89
PID 5988 wrote to memory of 1032	5988	Conti-0xb.exe	89
PID 1032 wrote to memory of 1792	1032	cmd.exe	91
PID 1032 wrote to memory of 1792	1032	cmd.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Conti-0xb.exe
"C:\Users\Admin\AppData\Local\Temp\Conti-0xb.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5988
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79F6F000-E03E-451B-8DE5-CB62582963BB}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79F6F000-E03E-451B-8DE5-CB62582963BB}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\readme.txt

Filesize
1KB

MD5
660eda8beb19aa786aef553e4acd5e2d

SHA1
af91338ae07c572c63f6a8be6b545b8cbc622033

SHA256
5e6358684bdebf64d888bc73fae8d96322eaf58902cbe8c6242680b1f1055fcd

SHA512
eb39284f206be8b4b5ad1b6662770d86ef3d9dba540cddf44b82a2e227d0cb594cce469745d6d9d2ba912aea2fde0b9784c081460d1c694710cafbe77b3e7b4a

Download Submit