Analysis

  • max time kernel
    168s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-11-2020 17:21

General

  • Target

    Downloads.exe

  • Size

    163MB

  • MD5

    2e5f0d7f3b1505978fa81cf1e70d02d5

  • SHA1

    99a6086d8a23ea12aba3a8ddd7f67c427981622f

  • SHA256

    8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51

  • SHA512

    9239b684c9d2a0583a01c7f27d9fa76a271bc729645e3b222f02d6dffdec347cfef706c5a79aafb97f251bb2c92fde25583f004dd583640e8d9eb8d1b2e7441f

Malware Config

Extracted

  • Family
    revengerat
  • Botnet
    Victime
  • C2
    cocohack.dtdns.net:84

Extracted

  • Family
    zloader
  • Botnet
    main
  • Campaign
    26.02.2020
  • C2
    https://airnaa.org/sound.php
    https://banog.org/sound.php
    https://rayonch.org/sound.php
  • rc4.plain

Extracted

  • Family
    revengerat
  • Botnet
    samay
  • C2
    shnf-47787.portmap.io:47787

Extracted

  • Family
    revengerat
  • Botnet
    system
  • C2
    yj233.e1.luyouxia.net:20645

Extracted

  • Family
    revengerat
  • Botnet
    YT
  • C2
    yukselofficial.duckdns.org:5552

Extracted

  • Family
    revengerat
  • Botnet
    INSERT-COIN
  • C2
    3.tcp.ngrok.io:24041

Extracted

  • Family
    cobaltstrike
  • C2
    http://47.91.237.42:8443/__utm.gif

Attributes
  • access_type

    512

  • beacon_type

    2048

  • create_remote_thread

    0

  • day

    0

  • dns_idle

    0

  • dns_sleep

    0

  • host

    47.91.237.42,/__utm.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • injection_process

  • jitter

    0

  • maxdns

    255

  • month

    0

  • pipe_name

  • polling_time

    60000

  • port_number

    8443

  • proxy_password

  • proxy_server

  • proxy_username

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown3

    0

  • unknown4

    0

  • unknown5

    2.018915346e+09

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)

  • year

    0

Extracted

  • Family
    zloader
  • Botnet
    07/04
  • C2
    https://xyajbocpggsr.site/wp-config.php
    https://ooygvpxrb.pw/wp-config.php
  • rc4.plain

Extracted

  • Family
    zloader
  • Botnet
    25/03
  • C2
    https://wgyvjbse.pw/milagrecf.php
    https://botiq.xyz/milagrecf.php
  • rc4.plain

Extracted

  • Family
    revengerat
  • Botnet
    XDSDDD
  • C2
    84.91.119.105:333

Extracted

  • Family
    smokeloader
  • Version
    2017
  • C2
    http://92.53.105.14/

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

  • CryptOne packer ⋅ 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • RevengeRat Executable ⋅ 8 IoCs
  • Executes dropped EXE ⋅ 17 IoCs
  • UPX packed file ⋅ 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file ⋅ 3 IoCs
  • Loads dropped DLL ⋅ 18 IoCs
  • Maps connected drives based on registry ⋅ 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer ⋅ 6 IoCs
  • Creates scheduled task(s) ⋅ 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill ⋅ 64 IoCs
  • Modifies Internet Explorer settings ⋅ 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs
  • Suspicious behavior: MapViewOfSection ⋅ 2 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 52 IoCs
  • Suspicious use of FindShellTrayWindow ⋅ 1 IoCs
  • Suspicious use of SendNotifyMessage ⋅ 1 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 6 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Downloads.exe
    "C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
    Modifies Internet Explorer settings
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of SetWindowsHookEx
    PID:1852
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
    PID:432
  • C:\Users\Admin\Desktop\HYDRA.exe
    "C:\Users\Admin\Desktop\HYDRA.exe"
    Executes dropped EXE
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:320
    • C:\Users\Admin\AppData\Roaming\yaya.exe
      C:\Users\Admin\AppData\Roaming\yaya.exe
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
        "C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"
        Executes dropped EXE
        PID:1952
    • C:\Users\Admin\AppData\Roaming\va.exe
      C:\Users\Admin\AppData\Roaming\va.exe
      Executes dropped EXE
      Drops startup file
      PID:1300
    • C:\Users\Admin\AppData\Roaming\ufx.exe
      C:\Users\Admin\AppData\Roaming\ufx.exe
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1160
      • C:\ProgramData\ucp\usc.exe
        "C:\ProgramData\ucp\usc.exe" /ucp/usc.exe
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\SCHTASKS.exe
          SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
          Creates scheduled task(s)
          PID:1200
    • C:\Users\Admin\AppData\Roaming\sant.exe
      C:\Users\Admin\AppData\Roaming\sant.exe
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1672
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        PID:2688
    • C:\Users\Admin\AppData\Roaming\power.exe
      C:\Users\Admin\AppData\Roaming\power.exe
      Executes dropped EXE
      PID:1660
  • C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    Executes dropped EXE
    Drops startup file
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:952
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      PID:1896
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      PID:608
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      PID:1736
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      PID:304
    • C:\Windows\system32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      PID:2088
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2156
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2216
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2248
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2272
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2324
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2440
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2500
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2948
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      Suspicious use of AdjustPrivilegeToken
      PID:2436
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2480
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      Kills process with taskkill
      PID:1608
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      Suspicious use of AdjustPrivilegeToken
      PID:1100
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM xfssvccon.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2100
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      Kills process with taskkill
      PID:744
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM Ntrtscan.exe /F
      Kills process with taskkill
      PID:3452
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      Kills process with taskkill
      PID:3468
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      Kills process with taskkill
      PID:3508
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM PccNTMon.exe /F
      Kills process with taskkill
      PID:3564
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM msaccess.exe /F
      Kills process with taskkill
      PID:3600
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM outlook.exe /F
      Kills process with taskkill
      PID:3652
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tmlisten.exe /F
      Kills process with taskkill
      PID:3676
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM msftesql.exe /F
      Kills process with taskkill
      PID:3708
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM powerpnt.exe /F
      Kills process with taskkill
      PID:3788
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      Kills process with taskkill
      PID:3840
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM visio.exe /F
      Kills process with taskkill
      PID:3868
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      Kills process with taskkill
      PID:4012
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM winword.exe /F
      Kills process with taskkill
      PID:4060
  • C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    Executes dropped EXE
    Drops startup file
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      PID:668
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      PID:1148
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      PID:1644
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      PID:1708
    • C:\Windows\system32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      PID:456
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      Suspicious use of AdjustPrivilegeToken
      PID:1328
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1192
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:948
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:680
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1768
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      Suspicious use of AdjustPrivilegeToken
      PID:2076
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2140
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2392
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2456
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2516
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2716
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2792
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2224
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      Suspicious use of AdjustPrivilegeToken
      PID:2788
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      Kills process with taskkill
      PID:956
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM xfssvccon.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2336
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3000
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM Ntrtscan.exe /F
      Suspicious use of AdjustPrivilegeToken
      PID:688
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2368
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      Kills process with taskkill
      PID:1180
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM PccNTMon.exe /F
      Kills process with taskkill
      PID:3440
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM msaccess.exe /F
      Kills process with taskkill
      PID:3488
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM outlook.exe /F
      Kills process with taskkill
      PID:3620
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tmlisten.exe /F
      Kills process with taskkill
      PID:3800
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM msftesql.exe /F
      PID:3856
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM powerpnt.exe /F
      Kills process with taskkill
      PID:3924
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      Kills process with taskkill
      PID:4044
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM visio.exe /F
      Kills process with taskkill
      PID:3200
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      PID:804
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM winword.exe /F
      Kills process with taskkill
      PID:3636
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mysqld-nt.exe /F
      Kills process with taskkill
      PID:1624
  • C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
    "C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe"
    Executes dropped EXE
    Suspicious use of AdjustPrivilegeToken
    PID:112
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
    PID:524
  • C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
    "C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe"
    Executes dropped EXE
    PID:2292
  • C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
    "C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe"
    Executes dropped EXE
    Suspicious use of AdjustPrivilegeToken
    PID:2280
  • C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010.exe
    "C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010.exe"
    Executes dropped EXE
    PID:2548
  • C:\Users\Admin\Desktop\gjMEi6eG.exe
    "C:\Users\Admin\Desktop\gjMEi6eG.exe"
    Executes dropped EXE
    PID:2400
  • C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010(1).exe
    "C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010(1).exe"
    Executes dropped EXE
    PID:1212
  • C:\Windows\System32\xpsrchvw.exe
    "C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\MergeExpand.eprtx"
    Suspicious use of SetWindowsHookEx
    PID:2308
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\june9.dll
    PID:964
  • C:\Users\Admin\Desktop\Keygen.exe
    "C:\Users\Admin\Desktop\Keygen.exe"
    Executes dropped EXE
    PID:3012
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FEE8.tmp\start.bat" C:\Users\Admin\Desktop\Keygen.exe"
      PID:3664
  • C:\Users\Admin\Desktop\KLwC6vii.exe
    "C:\Users\Admin\Desktop\KLwC6vii.exe"
    PID:3920
  • C:\Users\Admin\Desktop\infected dot net installer.exe
    "C:\Users\Admin\Desktop\infected dot net installer.exe"
    PID:3948

Network

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Downloads

  • C:\ProgramData\ucp\usc.exe
  • C:\Users\Admin\AppData\Local\Temp\HOW_TO_DECYPHER_FILES.txt
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk
  • C:\Users\Admin\AppData\Roaming\power.exe
  • C:\Users\Admin\AppData\Roaming\sant.exe
  • C:\Users\Admin\AppData\Roaming\ufx.exe
  • C:\Users\Admin\AppData\Roaming\ufx.exe
  • C:\Users\Admin\AppData\Roaming\va.exe
  • C:\Users\Admin\AppData\Roaming\yaya.exe
  • C:\Users\Admin\AppData\Roaming\yaya.exe
  • C:\Users\Admin\Desktop\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe
  • C:\Users\Admin\Desktop\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
  • C:\Users\Admin\Desktop\0di3x.exe
  • C:\Users\Admin\Desktop\201106-9sxjh7tvxj_pw_infected.zip
  • C:\Users\Admin\Desktop\201106-9sxjh7tvxj_pw_infected.zip.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\2019-09-02_22-41-10.exe
  • C:\Users\Admin\Desktop\2c01b007729230c415420ad641ad92eb.exe
  • C:\Users\Admin\Desktop\31.exe
  • C:\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe
  • C:\Users\Admin\Desktop\42f972925508a82236e8533567487761.exe
  • C:\Users\Admin\Desktop\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  • C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  • C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  • C:\Users\Admin\Desktop\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  • C:\Users\Admin\Desktop\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
  • C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
  • C:\Users\Admin\Desktop\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
  • C:\Users\Admin\Desktop\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe
  • C:\Users\Admin\Desktop\Archive.zip__ccacaxs2tbz2t6ob3e.exe
  • C:\Users\Admin\Desktop\BlockShow.au.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\CVE-2018-15982_PoC.swf
  • C:\Users\Admin\Desktop\CVE-2018-15982_PoC.swf.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\ConvertRegister.ini.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\DisableRepair.vsw.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\DiskInternals_Uneraser_v5_keygen.exe
  • C:\Users\Admin\Desktop\DismountMove.xps.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\E2-20201118_141759.zip
  • C:\Users\Admin\Desktop\E2-20201118_141759.zip.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\FindUnblock.ppsx.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\ForceOp 2.8.7 - By RaiSence.exe
  • C:\Users\Admin\Desktop\GrantAssert.emz.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\HYDRA.exe
  • C:\Users\Admin\Desktop\HYDRA.exe
  • C:\Users\Admin\Desktop\HideSync.mp3.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\KLwC6vii.exe
  • C:\Users\Admin\Desktop\Keygen.exe
  • C:\Users\Admin\Desktop\Keygen.exe
  • C:\Users\Admin\Desktop\LockExit.au3.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\Lonelyscreen.1.2.9.keygen.by.Paradox.exe
  • C:\Users\Admin\Desktop\LtHv0O2KZDK4M637.exe
  • C:\Users\Admin\Desktop\Magic_File_v3_keygen_by_KeygenNinja.exe
  • C:\Users\Admin\Desktop\OnlineInstaller.exe
  • C:\Users\Admin\Desktop\PublishUpdate.docx.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\PublishWait.wmv.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\REVENGE-RAT.js.zip
  • C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
  • C:\Users\Admin\Desktop\RequestEdit.vbe.energy[potentialenergy@mail.ru]
  • C:\Users\Admin\Desktop\SecuriteInfo.com.Gen.NN.ZexaF.34108.xy1@amqiedE.17985
  • C:\Users\Admin\Desktop\SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869
                      MD5

                      cde56cf0169830ee0059ee385c0c5eaf

                      SHA1

                      08aacb48ffcdc6b49af18d01155982984de230f7

                      SHA256

                      cb762227729d0faadc4c33a4a55b513673a9c76284773535b0e07d7e47d8413e

                      SHA512

                      234ddd4191c1abdfe04d9cc1afe2fed2901ef4d38404d0568a356218bc62096d200dd8ec28c8980da4a5852b0a481bf698b244f51d13560b303285b99105b3dd

                    • C:\Users\Admin\Desktop\SecurityTaskManager_Setup.exe
                    • C:\Users\Admin\Desktop\ShowAssert.aif
                    • C:\Users\Admin\Desktop\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
                    • C:\Users\Admin\Desktop\VyprVPN.exe
                      MD5

                      f1d5f022e71b8bc9e3241fbb72e87be2

                      SHA1

                      1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c

                      SHA256

                      08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d

                      SHA512

                      f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f

                    • C:\Users\Admin\Desktop\WSHSetup[1].exe
                    • C:\Users\Admin\Desktop\Yard.dll
                    • C:\Users\Admin\Desktop\api.exe
                    • C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (2).exe
                    • C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (3).xls
                    • C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (3).xls.energy[potentialenergy@mail.ru]
                    • C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb (4).exe
                      MD5

                      6d2864f9d3349fc4292884e7baab4bcc

                      SHA1

                      b4e7df23ccd50f4d136f66e62d56815eab09e720

                      SHA256

                      2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba

                      SHA512

                      dcfc50105df4ea00add6dc3d121baa3ff93180a0be71e444e89e3a8249d1fd2103eb34aa61aa57ada45c5a86ed5783a67e10f21eeb9dda802a49f627aaa0cec0

                    • C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.exe
                    • C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.zip
                    • C:\Users\Admin\Desktop\b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.zip.energy[potentialenergy@mail.ru]
                    • C:\Users\Admin\Desktop\cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7.exe
                    • C:\Users\Admin\Desktop\cobaltstrike_shellcode.exe
                      MD5

                      8e4d8b8796d2188324a0cfd6fdc8de92

                      SHA1

                      9e7a053d34eb00e732e470bc28cc1fa4aa030b8f

                      SHA256

                      1ae532cc0fa2e16cac4f23e289741e256cf517afbbb536aeeb0d7cd601bc05a1

                      SHA512

                      db4ced8b71b63a7bd48a5bf96270e99c7380865ec31e875b9e0862535298828f4bbae3a4feeb52ef507a8ba461b744c1ce338e3ed191e90cb7079f209ecdbcf3

                    • C:\Users\Admin\Desktop\default.exe
                    • C:\Users\Admin\Desktop\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
                    • C:\Users\Admin\Desktop\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js.energy[potentialenergy@mail.ru]
                    • C:\Users\Admin\Desktop\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504._exe
                    • C:\Users\Admin\Desktop\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe
                    • C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
                    • C:\Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
                    • C:\Users\Admin\Desktop\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
                      MD5

                      6029c37a32d7e4951449e197d4850213

                      SHA1

                      6ed7bb726b1e04d6858c084bc9bf475a13b77c95

                      SHA256

                      fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c

                      SHA512

                      bf3639710e259aa38d0cd028071408bdd41c01ee1bd0ea70a16ada78b848c63886854ed40407242e3a68fd9b5444fce2e6ddc050e0c8a2f578b00f43b6c52b6f


                    • C:\Users\Admin\Desktop\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe
                    • C:\Users\Admin\Desktop\file(1).exe
                      MD5

                      9ca9044bbac6aa39072da89d05cb3dcf

                      SHA1

                      7cb6ec980704bf7eb109918a1cb037deed4341fe

                      SHA256

                      3ac39ece6e1953f03e88fdfb942bf9f0dcb8d1da643cbd9677032f2ac7861d03

                      SHA512

                      5f6cfae5220c219455a180ee6a6fe094fe73475be6acdef24f33476a995097c355af0cf147fd6b986ca3bd84eee0b4928a6d08cabfab63f101259e05d037d9bd

                    • C:\Users\Admin\Desktop\file.exe
                      MD5

                      88dbffbc0062b913cbddfde8249ef2f3

                      SHA1

                      e2534efda3080e7e5f3419c24ea663fe9d35b4cc

                      SHA256

                      275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06

                      SHA512

                      036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4

                    • C:\Users\Admin\Desktop\gjMEi6eG.exe
                    • C:\Users\Admin\Desktop\good.exe
                      MD5

                      b034e2a7cd76b757b7c62ce514b378b4

                      SHA1

                      27d15f36cb5e3338a19a7f6441ece58439f830f2

                      SHA256

                      90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac

                      SHA512

                      1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385

                    • C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010(1).exe
                    • C:\Users\Admin\Desktop\hyundai steel-pipe- job 8010.exe
                    • C:\Users\Admin\Desktop\infected dot net installer.exe
                    • C:\Users\Admin\Desktop\inps_979.xls
                    • C:\Users\Admin\Desktop\inps_979.xls.energy[potentialenergy@mail.ru]
                    • C:\Users\Admin\Desktop\jar.jar
                    • C:\Users\Admin\Desktop\jar.jar.energy[potentialenergy@mail.ru]
                    • C:\Users\Admin\Desktop\june9.dll
                    • C:\Users\Admin\Desktop\mouse_2.exe
                    • C:\Users\Admin\Desktop\oof.exe
                    • C:\Users\Admin\Desktop\openme.exe
                    • C:\Users\Admin\Desktop\ou55sg33s_1.exe
                    • C:\Users\Admin\Desktop\senate.m4a
                      MD5

                      8bdb30d9f3c697d3f12aea9dd3d83a60

                      SHA1

                      f89fc63457ce4914b5e41ed0b17af0a9e1ac6119

                      SHA256

                      3bc843b534c96a38ab8f4b785f902f70dc8ebd48164aa0870562da285c49a9ec

                      SHA512

                      bc7f688736b607baea107ea20d1e6686aed9619b7f10b81b95a74ac652c09696a83160f603c5b106498643c10c8eb60572ffbdcd23db6c12e68c15d9dec5f905

                    • C:\Users\Admin\Desktop\str.dll
                    • C:\Users\Admin\Desktop\svchost.exe
                    • C:\Users\Admin\Desktop\update.exe
                    • C:\Users\Admin\Desktop\vir1.xls
                    • C:\Users\Admin\Desktop\wwf[1].exe
                    • C:\Users\Admin\Desktop\xNet.dll
                    • C:\Users\Admin\Desktop\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe
                    • C:\Users\Admin\Desktop\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
                    • C:\Users\Public\Desktop\Adobe Reader 9.lnk
                    • C:\Users\Public\Desktop\Firefox.lnk
                    • C:\Users\Public\Desktop\Google Chrome.lnk
                    • C:\Users\Public\Music\Sample Music\Sleep Away.mp3
                    • C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.energy[potentialenergy@mail.ru]
                    • C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.energy[potentialenergy@mail.ru]
                    • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
                    • C:\\vcredist2010_x64.log-MSI_vc_red.msi.txt.energy[potentialenergy@mail.ru]
                    • C:\\vcredist2010_x64.log.html.energy[potentialenergy@mail.ru]
                    • C:\\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.energy[potentialenergy@mail.ru]
                    • C:\\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.energy[potentialenergy@mail.ru]
                    • C:\\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.energy[potentialenergy@mail.ru]
                    • C:\\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.energy[potentialenergy@mail.ru]
                    • C:\\vcredist2019_x64_001_vcRuntimeMinimum_x64.log.energy[potentialenergy@mail.ru]
                    • C:\\vcredist2019_x64_002_vcRuntimeAdditional_x64.log.energy[potentialenergy@mail.ru]
                    • \ProgramData\ucp\usc.exe
                    • \Users\Admin\AppData\Roaming\power.exe
                    • \Users\Admin\AppData\Roaming\sant.exe
                    • \Users\Admin\AppData\Roaming\ufx.exe
                    • \Users\Admin\AppData\Roaming\va.exe
                    • \Users\Admin\AppData\Roaming\yaya.exe
                    • \Users\Admin\Desktop\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
                    • \Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe