cobaltstrike | 8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51

Analysis

max time kernel
168s
max time network
165s
platform
windows7_x64
resource
win7v20201028
submitted
19-11-2020 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloads.exe
Size

164.0MB
MD5

2e5f0d7f3b1505978fa81cf1e70d02d5
SHA1

99a6086d8a23ea12aba3a8ddd7f67c427981622f
SHA256

8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51
SHA512

9239b684c9d2a0583a01c7f27d9fa76a271bc729645e3b222f02d6dffdec347cfef706c5a79aafb97f251bb2c92fde25583f004dd583640e8d9eb8d1b2e7441f

Malware Config

Extracted

Family

revengerat

Botnet

Victime

cocohack.dtdns.net:84

Mutex

RV_MUTEX-OKuSAtYBxGgZHx

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

rc4.plain

Extracted

Family

revengerat

Botnet

samay

shnf-47787.portmap.io:47787

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

system

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

revengerat

Botnet

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

revengerat

Botnet

INSERT-COIN

3.tcp.ngrok.io:24041

Mutex

RV_MUTEX

Extracted

Family

cobaltstrike

http://47.91.237.42:8443/__utm.gif

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
47.91.237.42,/__utm.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
0
maxdns
255
month
0
pipe_name
polling_time
60000
port_number
8443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
2.018915346e+09
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
year
0

Extracted

Family

zloader

Botnet

07/04

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

rc4.plain

Extracted

Family

zloader

Botnet

25/03

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Extracted

Family

smokeloader

Version

2017

http://92.53.105.14/

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

CryptOne packer 2 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\senate.m4a	cryptone
C:\Users\Admin\Desktop\SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869	cryptone

RevengeRat Executable 8 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe	revengerat
C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe	revengerat
C:\Users\Admin\Desktop\KLwC6vii.exe	revengerat
C:\Users\Admin\Desktop\file.exe	revengerat
C:\Users\Admin\Desktop\file(1).exe	revengerat
C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe	revengerat
C:\Users\Admin\Desktop\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	revengerat
C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe	revengerat

Executes dropped EXE 17 IoCs

Processes:

HYDRA.exeyaya.exeva.exeufx.exesant.exestarter.exepower.exeusc.exe69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exef4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exefb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exehyundai steel-pipe- job 8010.exegjMEi6eG.exehyundai steel-pipe- job 8010(1).exeKeygen.exe

pid	process
320	HYDRA.exe
1776	yaya.exe
1300	va.exe
1160	ufx.exe
1672	sant.exe
1952	starter.exe
1660	power.exe
2020	usc.exe
952	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
112	948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
2292	f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
2280	fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
2548	hyundai steel-pipe- job 8010.exe
2400	gjMEi6eG.exe
1212	hyundai steel-pipe- job 8010(1).exe
3012	Keygen.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\good.exe	upx
C:\Users\Admin\Desktop\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	upx

Drops startup file 3 IoCs

Processes:

va.exe69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs	va.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Loads dropped DLL 18 IoCs

Processes:

HYDRA.exeyaya.exeufx.exe

pid	process
1272
1272
320	HYDRA.exe
320	HYDRA.exe
320	HYDRA.exe
320	HYDRA.exe
320	HYDRA.exe
320	HYDRA.exe
320	HYDRA.exe
320	HYDRA.exe
1776	yaya.exe
1160	ufx.exe
1160	ufx.exe
1160	ufx.exe
1272
1272
1272
1272

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sant.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	sant.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	sant.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\HYDRA.exe	nsis_installer_1
C:\Users\Admin\Desktop\HYDRA.exe	nsis_installer_2
C:\Users\Admin\Desktop\HYDRA.exe	nsis_installer_1
C:\Users\Admin\Desktop\HYDRA.exe	nsis_installer_2
C:\Users\Admin\Desktop\VyprVPN.exe	nsis_installer_1
C:\Users\Admin\Desktop\VyprVPN.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

1200 SCHTASKS.exe

pid	process
1200	SCHTASKS.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2336	taskkill.exe
3636	taskkill.exe
956	taskkill.exe
1192	taskkill.exe
680	taskkill.exe
2272	taskkill.exe
2756	taskkill.exe
2792	taskkill.exe
2948	taskkill.exe
1624	taskkill.exe
3452	taskkill.exe
3600	taskkill.exe
3652	taskkill.exe
4060	taskkill.exe
1768	taskkill.exe
2392	taskkill.exe
2540	taskkill.exe
3468	taskkill.exe
2768	taskkill.exe
3000	taskkill.exe
3440	taskkill.exe
3508	taskkill.exe
2156	taskkill.exe
2324	taskkill.exe
2480	taskkill.exe
956	taskkill.exe
3708	taskkill.exe
3840	taskkill.exe
2932	taskkill.exe
3676	taskkill.exe
3924	taskkill.exe
4012	taskkill.exe
2140	taskkill.exe
2824	taskkill.exe
2368	taskkill.exe
3800	taskkill.exe
4044	taskkill.exe
2180	taskkill.exe
2248	taskkill.exe
2580	taskkill.exe
2224	taskkill.exe
2644	taskkill.exe
2872	taskkill.exe
3620	taskkill.exe
2216	taskkill.exe
3488	taskkill.exe
3788	taskkill.exe
1608	taskkill.exe
2100	taskkill.exe
3868	taskkill.exe
948	taskkill.exe
2680	taskkill.exe
2716	taskkill.exe
2920	taskkill.exe
2516	taskkill.exe
2456	taskkill.exe
2500	taskkill.exe
2652	taskkill.exe
3200	taskkill.exe
744	taskkill.exe
1180	taskkill.exe
3564	taskkill.exe
2372	taskkill.exe
2440	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

Downloads.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main Downloads.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	Downloads.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sant.exe

pid	process
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe
1672	sant.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Downloads.exe

pid process

1852 Downloads.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sant.exe

pid process

1672 sant.exe
1672 sant.exe

pid	process
1852	Downloads.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

usc.exe69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exefb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2020	usc.exe
Token: SeDebugPrivilege	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	952	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	112	948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: SeDebugPrivilege	680	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	2280	fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2824	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	688	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid process

1940 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid process

1940 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Downloads.exexpsrchvw.exe

pid process

1852 Downloads.exe
1852 Downloads.exe
2308 xpsrchvw.exe
2308 xpsrchvw.exe
2308 xpsrchvw.exe
2308 xpsrchvw.exe

pid	process
1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid	process
1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid	process
1852	Downloads.exe
1852	Downloads.exe
2308	xpsrchvw.exe
2308	xpsrchvw.exe
2308	xpsrchvw.exe
2308	xpsrchvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HYDRA.exeyaya.exeufx.exeusc.exe69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	pid	process	target process
PID 320 wrote to memory of 1776	320	HYDRA.exe	yaya.exe
PID 320 wrote to memory of 1776	320	HYDRA.exe	yaya.exe
PID 320 wrote to memory of 1776	320	HYDRA.exe	yaya.exe
PID 320 wrote to memory of 1776	320	HYDRA.exe	yaya.exe
PID 320 wrote to memory of 1300	320	HYDRA.exe	va.exe
PID 320 wrote to memory of 1300	320	HYDRA.exe	va.exe
PID 320 wrote to memory of 1300	320	HYDRA.exe	va.exe
PID 320 wrote to memory of 1300	320	HYDRA.exe	va.exe
PID 320 wrote to memory of 1160	320	HYDRA.exe	ufx.exe
PID 320 wrote to memory of 1160	320	HYDRA.exe	ufx.exe
PID 320 wrote to memory of 1160	320	HYDRA.exe	ufx.exe
PID 320 wrote to memory of 1160	320	HYDRA.exe	ufx.exe
PID 320 wrote to memory of 1160	320	HYDRA.exe	ufx.exe
PID 320 wrote to memory of 1160	320	HYDRA.exe	ufx.exe
PID 320 wrote to memory of 1160	320	HYDRA.exe	ufx.exe
PID 320 wrote to memory of 1672	320	HYDRA.exe	sant.exe
PID 320 wrote to memory of 1672	320	HYDRA.exe	sant.exe
PID 320 wrote to memory of 1672	320	HYDRA.exe	sant.exe
PID 320 wrote to memory of 1672	320	HYDRA.exe	sant.exe
PID 320 wrote to memory of 1660	320	HYDRA.exe	power.exe
PID 320 wrote to memory of 1660	320	HYDRA.exe	power.exe
PID 320 wrote to memory of 1660	320	HYDRA.exe	power.exe
PID 320 wrote to memory of 1660	320	HYDRA.exe	power.exe
PID 1776 wrote to memory of 1952	1776	yaya.exe	starter.exe
PID 1776 wrote to memory of 1952	1776	yaya.exe	starter.exe
PID 1776 wrote to memory of 1952	1776	yaya.exe	starter.exe
PID 1776 wrote to memory of 1952	1776	yaya.exe	starter.exe
PID 1160 wrote to memory of 2020	1160	ufx.exe	usc.exe
PID 1160 wrote to memory of 2020	1160	ufx.exe	usc.exe
PID 1160 wrote to memory of 2020	1160	ufx.exe	usc.exe
PID 1160 wrote to memory of 2020	1160	ufx.exe	usc.exe
PID 1160 wrote to memory of 2020	1160	ufx.exe	usc.exe
PID 1160 wrote to memory of 2020	1160	ufx.exe	usc.exe
PID 1160 wrote to memory of 2020	1160	ufx.exe	usc.exe
PID 2020 wrote to memory of 1200	2020	usc.exe	SCHTASKS.exe
PID 2020 wrote to memory of 1200	2020	usc.exe	SCHTASKS.exe
PID 2020 wrote to memory of 1200	2020	usc.exe	SCHTASKS.exe
PID 2020 wrote to memory of 1200	2020	usc.exe	SCHTASKS.exe
PID 2020 wrote to memory of 1200	2020	usc.exe	SCHTASKS.exe
PID 2020 wrote to memory of 1200	2020	usc.exe	SCHTASKS.exe
PID 2020 wrote to memory of 1200	2020	usc.exe	SCHTASKS.exe
PID 952 wrote to memory of 1896	952	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 952 wrote to memory of 1896	952	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 952 wrote to memory of 1896	952	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1940 wrote to memory of 668	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 1940 wrote to memory of 668	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 1940 wrote to memory of 668	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 952 wrote to memory of 608	952	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 952 wrote to memory of 608	952	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 952 wrote to memory of 608	952	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 952 wrote to memory of 1736	952	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 952 wrote to memory of 1736	952	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 952 wrote to memory of 1736	952	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1940 wrote to memory of 1148	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1940 wrote to memory of 1148	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1940 wrote to memory of 1148	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1940 wrote to memory of 1644	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1940 wrote to memory of 1644	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1940 wrote to memory of 1644	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1940 wrote to memory of 1708	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1940 wrote to memory of 1708	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1940 wrote to memory of 1708	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1940 wrote to memory of 456	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1940 wrote to memory of 456	1940	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\Downloads.exe
"C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:432

C:\Users\Admin\Desktop\HYDRA.exe
"C:\Users\Admin\Desktop\HYDRA.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Roaming\yaya.exe
C:\Users\Admin\AppData\Roaming\yaya.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
"C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"
3⤵
- Executes dropped EXE
PID:1952

C:\Users\Admin\AppData\Roaming\va.exe
C:\Users\Admin\AppData\Roaming\va.exe
2⤵
- Executes dropped EXE
- Drops startup file
PID:1300

C:\Users\Admin\AppData\Roaming\ufx.exe
C:\Users\Admin\AppData\Roaming\ufx.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160

C:\ProgramData\ucp\usc.exe
"C:\ProgramData\ucp\usc.exe" /ucp/usc.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
4⤵
- Creates scheduled task(s)
PID:1200

C:\Users\Admin\AppData\Roaming\sant.exe
C:\Users\Admin\AppData\Roaming\sant.exe
2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1672

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:2688

C:\Users\Admin\AppData\Roaming\power.exe
C:\Users\Admin\AppData\Roaming\power.exe
2⤵
- Executes dropped EXE
PID:1660

C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1896

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:608

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1736

C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
2⤵
PID:304

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:2088

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:1608

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
PID:744

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
PID:3452

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
PID:3468

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
PID:3508

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
PID:3564

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
PID:3600

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
PID:3652

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
PID:3676

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
PID:3708

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
PID:3788

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
PID:3840

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
PID:3868

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
PID:4012

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
PID:4060

C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
2⤵
PID:668

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1148

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1644

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1708

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:456

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:956

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
PID:1180

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
PID:3440

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
PID:3488

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
PID:3620

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
PID:3800

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
PID:3856

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
PID:3924

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
PID:4044

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
PID:3200

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
PID:804

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
PID:3636

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
PID:1624

C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
"C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
PID:524

C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
"C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe"
1⤵
- Executes dropped EXE
PID:2292

C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
"C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010.exe
"C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010.exe"
1⤵
- Executes dropped EXE
PID:2548

C:\Users\Admin\Desktop\gjMEi6eG.exe
"C:\Users\Admin\Desktop\gjMEi6eG.exe"
1⤵
- Executes dropped EXE
PID:2400

C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010(1).exe
"C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010(1).exe"
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\System32\xpsrchvw.exe
"C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\MergeExpand.eprtx"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\june9.dll
1⤵
PID:964

C:\Users\Admin\Desktop\Keygen.exe
"C:\Users\Admin\Desktop\Keygen.exe"
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FEE8.tmp\start.bat" C:\Users\Admin\Desktop\Keygen.exe"
2⤵
PID:3664

C:\Users\Admin\Desktop\KLwC6vii.exe
"C:\Users\Admin\Desktop\KLwC6vii.exe"
1⤵
PID:3920

C:\Users\Admin\Desktop\infected dot net installer.exe
"C:\Users\Admin\Desktop\infected dot net installer.exe"
1⤵
PID:3948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ucp\usc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOW_TO_DECYPHER_FILES.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk

Download Submit
C:\Users\Admin\AppData\Roaming\power.exe

Download Submit
C:\Users\Admin\AppData\Roaming\sant.exe

Download Submit
C:\Users\Admin\AppData\Roaming\ufx.exe

Download Submit
C:\Users\Admin\AppData\Roaming\ufx.exe

Download Submit
C:\Users\Admin\AppData\Roaming\va.exe

Download Submit
C:\Users\Admin\AppData\Roaming\yaya.exe

Download Submit
C:\Users\Admin\AppData\Roaming\yaya.exe

Download Submit
C:\Users\Admin\Desktop\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe
MD5
9e9bb42a965b89a9dce86c8b36b24799

SHA1
e2d1161ac7fa3420648ba59f7a5315ed0acb04c2

SHA256
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d

SHA512
e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8

Download Submit
C:\Users\Admin\Desktop\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

Download Submit
C:\Users\Admin\Desktop\0di3x.exe

Download Submit
C:\Users\Admin\Desktop\201106-9sxjh7tvxj_pw_infected.zip

Download Submit
C:\Users\Admin\Desktop\201106-9sxjh7tvxj_pw_infected.zip.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\2019-09-02_22-41-10.exe

Download Submit
C:\Users\Admin\Desktop\2c01b007729230c415420ad641ad92eb.exe

Download Submit
C:\Users\Admin\Desktop\31.exe

Download Submit
C:\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe

Download Submit
C:\Users\Admin\Desktop\42f972925508a82236e8533567487761.exe

Download Submit
C:\Users\Admin\Desktop\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Download Submit
C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Download Submit
C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Download Submit
C:\Users\Admin\Desktop\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
MD5
aa0a434f00c138ef445bf89493a6d731

SHA1
2e798c079b179b736247cf20d1346657db9632c7

SHA256
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654

SHA512
e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952

Download Submit
C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
MD5
aa0a434f00c138ef445bf89493a6d731

SHA1
2e798c079b179b736247cf20d1346657db9632c7

SHA256
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654

SHA512
e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952

Download Submit
C:\Users\Admin\Desktop\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe
MD5
9e9719483cc24dc0ab94b31f76981f42

SHA1
dad2cbcedfa94a2d2f0fde521d6f57a094d7c85b

SHA256
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9

SHA512
83cff2d55df7d40aea1357515cc673792b367718e57624a2eedd531fd51c49ff165e5e69065efa09148d550644ea1106f54dea35aaadcebaa9ed911532c44309

Download Submit
C:\Users\Admin\Desktop\Archive.zip__ccacaxs2tbz2t6ob3e.exe

Download Submit
C:\Users\Admin\Desktop\BlockShow.au.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\CVE-2018-15982_PoC.swf

Download Submit
C:\Users\Admin\Desktop\CVE-2018-15982_PoC.swf.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\ConvertRegister.ini.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\DisableRepair.vsw.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\DiskInternals_Uneraser_v5_keygen.exe

Download Submit
C:\Users\Admin\Desktop\DismountMove.xps.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\E2-20201118_141759.zip

Download Submit
C:\Users\Admin\Desktop\E2-20201118_141759.zip.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\FindUnblock.ppsx.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\ForceOp 2.8.7 - By RaiSence.exe

Download Submit
C:\Users\Admin\Desktop\GrantAssert.emz.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\HYDRA.exe
MD5
c52bc39684c52886712971a92f339b23

SHA1
c5cb39850affb7ed322bfb0a4900e17c54f95a11

SHA256
f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

SHA512
2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

Download Submit
C:\Users\Admin\Desktop\HYDRA.exe
MD5
c52bc39684c52886712971a92f339b23

SHA1
c5cb39850affb7ed322bfb0a4900e17c54f95a11

SHA256
f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

SHA512
2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

Download Submit
C:\Users\Admin\Desktop\HideSync.mp3.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\KLwC6vii.exe
MD5
1ded740b925aa0c370e4e5bd02c0741f

SHA1
64731e77b65da3eb192783c074afdcb6a0a245a8

SHA256
a8745addaf2f95e0fe6afbc6d6712f817d4a819cf1d08bf7c0ff01822e18e1db

SHA512
fdaaa6633196851725fe088fafd539eb17483555d9b926338a7caeb961354c12cabcd3f55aa51f32297ce4a884806fbc337dfa725583cc1c86b8ca6c97218d4e

Download Submit
C:\Users\Admin\Desktop\Keygen.exe

Download Submit
C:\Users\Admin\Desktop\Keygen.exe

Download Submit
C:\Users\Admin\Desktop\LockExit.au3.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\Lonelyscreen.1.2.9.keygen.by.Paradox.exe

Download Submit
C:\Users\Admin\Desktop\LtHv0O2KZDK4M637.exe

Download Submit
C:\Users\Admin\Desktop\Magic_File_v3_keygen_by_KeygenNinja.exe

Download Submit
C:\Users\Admin\Desktop\OnlineInstaller.exe

Download Submit
C:\Users\Admin\Desktop\PublishUpdate.docx.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\PublishWait.wmv.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\REVENGE-RAT.js.zip

Download Submit
C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

Download Submit
C:\Users\Admin\Desktop\RequestEdit.vbe.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\SecuriteInfo.com.Gen.NN.ZexaF.34108.xy1@amqiedE.17985

Download Submit
C:\Users\Admin\Desktop\SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869
MD5
cde56cf0169830ee0059ee385c0c5eaf

SHA1
08aacb48ffcdc6b49af18d01155982984de230f7

SHA256
cb762227729d0faadc4c33a4a55b513673a9c76284773535b0e07d7e47d8413e

SHA512
234ddd4191c1abdfe04d9cc1afe2fed2901ef4d38404d0568a356218bc62096d200dd8ec28c8980da4a5852b0a481bf698b244f51d13560b303285b99105b3dd

Download Submit
C:\Users\Admin\Desktop\SecurityTaskManager_Setup.exe

Download Submit
C:\Users\Admin\Desktop\ShowAssert.aif

Download Submit
C:\Users\Admin\Desktop\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe

Download Submit
C:\Users\Admin\Desktop\VyprVPN.exe
MD5
f1d5f022e71b8bc9e3241fbb72e87be2

SHA1
1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c

SHA256
08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d

SHA512
f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f

Download Submit
C:\Users\Admin\Desktop\WSHSetup[1].exe

Download Submit
C:\Users\Admin\Desktop\Yard.dll

Download Submit
C:\Users\Admin\Desktop\api.exe

Download Submit
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (2).exe

Download Submit
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (3).xls

Download Submit
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (3).xls.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (4).exe
MD5
6d2864f9d3349fc4292884e7baab4bcc

SHA1
b4e7df23ccd50f4d136f66e62d56815eab09e720

SHA256
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba

SHA512
dcfc50105df4ea00add6dc3d121baa3ff93180a0be71e444e89e3a8249d1fd2103eb34aa61aa57ada45c5a86ed5783a67e10f21eeb9dda802a49f627aaa0cec0

Download Submit
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.exe

Download Submit
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.zip

Download Submit
C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.zip.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7.exe

Download Submit
C:\Users\Admin\Desktop\cobaltstrike_shellcode.exe
MD5
8e4d8b8796d2188324a0cfd6fdc8de92

SHA1
9e7a053d34eb00e732e470bc28cc1fa4aa030b8f

SHA256
1ae532cc0fa2e16cac4f23e289741e256cf517afbbb536aeeb0d7cd601bc05a1

SHA512
db4ced8b71b63a7bd48a5bf96270e99c7380865ec31e875b9e0862535298828f4bbae3a4feeb52ef507a8ba461b744c1ce338e3ed191e90cb7079f209ecdbcf3

Download Submit
C:\Users\Admin\Desktop\default.exe

Download Submit
C:\Users\Admin\Desktop\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js

Download Submit
C:\Users\Admin\Desktop\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504._exe

Download Submit
C:\Users\Admin\Desktop\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe

Download Submit
C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe

Download Submit
C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe

Download Submit
C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
MD5
6029c37a32d7e4951449e197d4850213

SHA1
6ed7bb726b1e04d6858c084bc9bf475a13b77c95

SHA256
fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c

SHA512
bf3639710e259aa38d0cd028071408bdd41c01ee1bd0ea70a16ada78b848c63886854ed40407242e3a68fd9b5444fce2e6ddc050e0c8a2f578b00f43b6c52b6f

Download Submit
C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
MD5
6029c37a32d7e4951449e197d4850213

SHA1
6ed7bb726b1e04d6858c084bc9bf475a13b77c95

SHA256
fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c

SHA512
bf3639710e259aa38d0cd028071408bdd41c01ee1bd0ea70a16ada78b848c63886854ed40407242e3a68fd9b5444fce2e6ddc050e0c8a2f578b00f43b6c52b6f

Download Submit
C:\Users\Admin\Desktop\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe

Download Submit
C:\Users\Admin\Desktop\file(1).exe
MD5
9ca9044bbac6aa39072da89d05cb3dcf

SHA1
7cb6ec980704bf7eb109918a1cb037deed4341fe

SHA256
3ac39ece6e1953f03e88fdfb942bf9f0dcb8d1da643cbd9677032f2ac7861d03

SHA512
5f6cfae5220c219455a180ee6a6fe094fe73475be6acdef24f33476a995097c355af0cf147fd6b986ca3bd84eee0b4928a6d08cabfab63f101259e05d037d9bd

Download Submit
C:\Users\Admin\Desktop\file.exe
MD5
88dbffbc0062b913cbddfde8249ef2f3

SHA1
e2534efda3080e7e5f3419c24ea663fe9d35b4cc

SHA256
275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06

SHA512
036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4

Download Submit
C:\Users\Admin\Desktop\gjMEi6eG.exe

Download Submit
C:\Users\Admin\Desktop\gjMEi6eG.exe

Download Submit
C:\Users\Admin\Desktop\good.exe
MD5
b034e2a7cd76b757b7c62ce514b378b4

SHA1
27d15f36cb5e3338a19a7f6441ece58439f830f2

SHA256
90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac

SHA512
1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385

Download Submit
C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010(1).exe

Download Submit
C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010(1).exe

Download Submit
C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010.exe

Download Submit
C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010.exe

Download Submit
C:\Users\Admin\Desktop\infected dot net installer.exe

Download Submit
C:\Users\Admin\Desktop\inps_979.xls

Download Submit
C:\Users\Admin\Desktop\inps_979.xls.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\jar.jar

Download Submit
C:\Users\Admin\Desktop\jar.jar.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Admin\Desktop\june9.dll

Download Submit
C:\Users\Admin\Desktop\mouse_2.exe

Download Submit
C:\Users\Admin\Desktop\oof.exe

Download Submit
C:\Users\Admin\Desktop\openme.exe

Download Submit
C:\Users\Admin\Desktop\ou55sg33s_1.exe

Download Submit
C:\Users\Admin\Desktop\senate.m4a
MD5
8bdb30d9f3c697d3f12aea9dd3d83a60

SHA1
f89fc63457ce4914b5e41ed0b17af0a9e1ac6119

SHA256
3bc843b534c96a38ab8f4b785f902f70dc8ebd48164aa0870562da285c49a9ec

SHA512
bc7f688736b607baea107ea20d1e6686aed9619b7f10b81b95a74ac652c09696a83160f603c5b106498643c10c8eb60572ffbdcd23db6c12e68c15d9dec5f905

Download Submit
C:\Users\Admin\Desktop\str.dll

Download Submit
C:\Users\Admin\Desktop\svchost.exe

Download Submit
C:\Users\Admin\Desktop\update.exe

Download Submit
C:\Users\Admin\Desktop\vir1.xls

Download Submit
C:\Users\Admin\Desktop\wwf[1].exe

Download Submit
C:\Users\Admin\Desktop\xNet.dll

Download Submit
C:\Users\Admin\Desktop\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe

Download Submit
C:\Users\Admin\Desktop\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Download Submit
C:\Users\Public\Music\Sample Music\Sleep Away.mp3

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.energy[potentialenergy@mail.ru]

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.energy[potentialenergy@mail.ru]

Download Submit
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

Download Submit
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

Download Submit
C:\\vcredist2010_x64.log-MSI_vc_red.msi.txt.energy[potentialenergy@mail.ru]

Download Submit
C:\\vcredist2010_x64.log.html.energy[potentialenergy@mail.ru]

Download Submit
C:\\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.energy[potentialenergy@mail.ru]

Download Submit
C:\\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.energy[potentialenergy@mail.ru]

Download Submit
C:\\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.energy[potentialenergy@mail.ru]

Download Submit
C:\\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.energy[potentialenergy@mail.ru]

Download Submit
C:\\vcredist2019_x64_001_vcRuntimeMinimum_x64.log.energy[potentialenergy@mail.ru]

Download Submit
C:\\vcredist2019_x64_002_vcRuntimeAdditional_x64.log.energy[potentialenergy@mail.ru]

Download Submit
\ProgramData\ucp\usc.exe

Download Submit
\ProgramData\ucp\usc.exe

Download Submit
\ProgramData\ucp\usc.exe

Download Submit
\Users\Admin\AppData\Roaming\power.exe

Download Submit
\Users\Admin\AppData\Roaming\power.exe

Download Submit
\Users\Admin\AppData\Roaming\sant.exe

Download Submit
\Users\Admin\AppData\Roaming\sant.exe

Download Submit
\Users\Admin\AppData\Roaming\ufx.exe

Download Submit
\Users\Admin\AppData\Roaming\va.exe

Download Submit
\Users\Admin\AppData\Roaming\va.exe

Download Submit
\Users\Admin\AppData\Roaming\yaya.exe

Download Submit
\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe

Download Submit
\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe

Download Submit
\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe

Download Submit
\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe

Download Submit
\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe

Download Submit
\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe

Download Submit
\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

Download Submit
memory/112-62-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/112-60-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/304-78-0x0000000000000000-mapping.dmp

Download
memory/456-74-0x0000000000000000-mapping.dmp

Download
memory/608-69-0x0000000000000000-mapping.dmp

Download
memory/668-68-0x0000000000000000-mapping.dmp

Download
memory/680-80-0x0000000000000000-mapping.dmp

Download
memory/688-203-0x0000000000000000-mapping.dmp

Download
memory/744-207-0x0000000000000000-mapping.dmp

Download
memory/804-233-0x0000000000000000-mapping.dmp

Download
memory/948-79-0x0000000000000000-mapping.dmp

Download
memory/952-55-0x000007FEF42C0000-0x000007FEF4CAC000-memory.dmp

Filesize
9.9MB

Download
memory/952-63-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/956-189-0x0000000000000000-mapping.dmp

Download
memory/956-76-0x0000000000000000-mapping.dmp

Download
memory/1100-201-0x0000000000000000-mapping.dmp

Download
memory/1148-71-0x0000000000000000-mapping.dmp

Download
memory/1160-26-0x0000000000000000-mapping.dmp

Download
memory/1180-209-0x0000000000000000-mapping.dmp

Download
memory/1192-77-0x0000000000000000-mapping.dmp

Download
memory/1200-52-0x0000000000000000-mapping.dmp

Download
memory/1296-0-0x000007FEF7120000-0x000007FEF739A000-memory.dmp

Filesize
2.5MB

Download
memory/1300-22-0x0000000000000000-mapping.dmp

Download
memory/1328-75-0x0000000000000000-mapping.dmp

Download
memory/1608-190-0x0000000000000000-mapping.dmp

Download
memory/1624-237-0x0000000000000000-mapping.dmp

Download
memory/1644-72-0x0000000000000000-mapping.dmp

Download
memory/1660-40-0x0000000000000000-mapping.dmp

Download
memory/1672-34-0x0000000000000000-mapping.dmp

Download
memory/1708-73-0x0000000000000000-mapping.dmp

Download
memory/1736-70-0x0000000000000000-mapping.dmp

Download
memory/1768-81-0x0000000000000000-mapping.dmp

Download
memory/1776-35-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1776-27-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1776-18-0x0000000000000000-mapping.dmp

Download
memory/1852-8-0x00000000055C0000-0x00000000055E3000-memory.dmp

Filesize
140KB

Download
memory/1896-67-0x0000000000000000-mapping.dmp

Download
memory/1940-59-0x000007FEF42C0000-0x000007FEF4CAC000-memory.dmp

Filesize
9.9MB

Download
memory/1952-61-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/1952-46-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/1952-42-0x0000000000000000-mapping.dmp

Download
memory/2020-50-0x0000000000000000-mapping.dmp

Download
memory/2076-82-0x0000000000000000-mapping.dmp

Download
memory/2088-84-0x0000000000000000-mapping.dmp

Download
memory/2100-202-0x0000000000000000-mapping.dmp

Download
memory/2140-85-0x0000000000000000-mapping.dmp

Download
memory/2156-86-0x0000000000000000-mapping.dmp

Download
memory/2180-87-0x0000000000000000-mapping.dmp

Download
memory/2216-88-0x0000000000000000-mapping.dmp

Download
memory/2224-183-0x0000000000000000-mapping.dmp

Download
memory/2248-89-0x0000000000000000-mapping.dmp

Download
memory/2272-90-0x0000000000000000-mapping.dmp

Download
memory/2280-197-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/2280-199-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/2324-92-0x0000000000000000-mapping.dmp

Download
memory/2336-193-0x0000000000000000-mapping.dmp

Download
memory/2368-204-0x0000000000000000-mapping.dmp

Download
memory/2372-93-0x0000000000000000-mapping.dmp

Download
memory/2392-94-0x0000000000000000-mapping.dmp

Download
memory/2436-182-0x0000000000000000-mapping.dmp

Download
memory/2440-95-0x0000000000000000-mapping.dmp

Download
memory/2456-96-0x0000000000000000-mapping.dmp

Download
memory/2480-187-0x0000000000000000-mapping.dmp

Download
memory/2500-97-0x0000000000000000-mapping.dmp

Download
memory/2516-98-0x0000000000000000-mapping.dmp

Download
memory/2540-99-0x0000000000000000-mapping.dmp

Download
memory/2580-100-0x0000000000000000-mapping.dmp

Download
memory/2600-101-0x0000000000000000-mapping.dmp

Download
memory/2644-102-0x0000000000000000-mapping.dmp

Download
memory/2652-184-0x0000000000000000-mapping.dmp

Download
memory/2680-103-0x0000000000000000-mapping.dmp

Download
memory/2688-196-0x0000000000000000-mapping.dmp

Download
memory/2688-200-0x0000000000910000-0x0000000000B91000-memory.dmp

Filesize
2.5MB

Download
memory/2716-104-0x0000000000000000-mapping.dmp

Download
memory/2756-105-0x0000000000000000-mapping.dmp

Download
memory/2768-191-0x0000000000000000-mapping.dmp

Download
memory/2788-185-0x0000000000000000-mapping.dmp

Download
memory/2792-106-0x0000000000000000-mapping.dmp

Download
memory/2824-188-0x0000000000000000-mapping.dmp

Download
memory/2860-107-0x0000000000000000-mapping.dmp

Download
memory/2872-108-0x0000000000000000-mapping.dmp

Download
memory/2920-186-0x0000000000000000-mapping.dmp

Download
memory/2932-109-0x0000000000000000-mapping.dmp

Download
memory/2948-110-0x0000000000000000-mapping.dmp

Download
memory/2968-111-0x0000000000000000-mapping.dmp

Download
memory/3000-195-0x0000000000000000-mapping.dmp

Download
memory/3200-232-0x0000000000000000-mapping.dmp

Download
memory/3440-211-0x0000000000000000-mapping.dmp

Download
memory/3452-212-0x0000000000000000-mapping.dmp

Download
memory/3468-213-0x0000000000000000-mapping.dmp

Download
memory/3488-214-0x0000000000000000-mapping.dmp

Download
memory/3508-215-0x0000000000000000-mapping.dmp

Download
memory/3564-216-0x0000000000000000-mapping.dmp

Download
memory/3600-217-0x0000000000000000-mapping.dmp

Download
memory/3620-218-0x0000000000000000-mapping.dmp

Download
memory/3636-234-0x0000000000000000-mapping.dmp

Download
memory/3652-219-0x0000000000000000-mapping.dmp

Download
memory/3676-220-0x0000000000000000-mapping.dmp

Download
memory/3708-221-0x0000000000000000-mapping.dmp

Download
memory/3788-222-0x0000000000000000-mapping.dmp

Download
memory/3800-223-0x0000000000000000-mapping.dmp

Download
memory/3840-224-0x0000000000000000-mapping.dmp

Download
memory/3856-225-0x0000000000000000-mapping.dmp

Download
memory/3868-226-0x0000000000000000-mapping.dmp

Download
memory/3924-227-0x0000000000000000-mapping.dmp

Download
memory/4012-229-0x0000000000000000-mapping.dmp

Download
memory/4044-230-0x0000000000000000-mapping.dmp

Download
memory/4060-231-0x0000000000000000-mapping.dmp

Download