44aa2372d01d2f5199a9149debab54dc1ac6105b613cd145933d09f305ffb941

Analysis

max time kernel
91s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2022 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f90bb86007a525c51606f541d23f17d.exe
Size

124KB
MD5

0f90bb86007a525c51606f541d23f17d
SHA1

61b24dc1fe848eab720bc4f5371dd963afb1c22c
SHA256

44aa2372d01d2f5199a9149debab54dc1ac6105b613cd145933d09f305ffb941
SHA512

4c3e641db45fc829f9729ff20ccd3967cbc59f072638932fd712eae80243941ded9e2fc921b711a1a70d066a9997aec214cea3fb2e22216738b32a177343bdf9

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	0f90bb86007a525c51606f541d23f17d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	0f90bb86007a525c51606f541d23f17d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	0f90bb86007a525c51606f541d23f17d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\qx.bat	0f90bb86007a525c51606f541d23f17d.exe
File created	C:\WINDOWS\SysWOW64\ie.bat	0f90bb86007a525c51606f541d23f17d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	0f90bb86007a525c51606f541d23f17d.exe
File opened for modification	C:\WINDOWS\windows.exe	0f90bb86007a525c51606f541d23f17d.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dfb0ccd4fedb0e4198e28dd1a4bf61e900000000020000000000106600000001000020000000bd81388e340acf5b04a4d0a844bd654e38197081c4a9d119b00ff4a26d614d59000000000e800000000200002000000016b3ce39fcc76c41ea78fbef49698a6c3ddffb9765dcff07fde09a322758d2c620000000e8304a79d9b7253c35197caf964d1e08d34678b475dc7f2db8063df191ca2aad400000008a74495ee0e2fd8f0a8747200c274cb4a4b92d1a1999ec8533f2df25d461f705b30f1ea7f8091043c347e1cccd07970e3dc882be37da75933da5830f26dea2f4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30978892"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\Main	0f90bb86007a525c51606f541d23f17d.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{48BBCBEA-1F3F-11ED-8D88-E64E24383C5C} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30978892"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "508049603"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "488204576"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "367624194"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30978892"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dfb0ccd4fedb0e4198e28dd1a4bf61e900000000020000000000106600000001000020000000f5440299c75f67c4b4a3f81a0cb5602a56af51086b32283cefcb017539f4e84f000000000e800000000200002000000087645bece662c65e8ce55886f19c1f7fc2ea03f45c6b42987b75874f7fb971a6200000006f1de49198f3574dc8029992d47662cb703e68d27e1b230c32917f0c49dd22f340000000fbd7c92ff2863161bfc314ff5e0540105340682f4865e270134e2a2ccf872df9c85fd396f64a8e99a6c36c15f5d61d7390152fd43183573064ddaaee8f229ee7	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 106fbe1f4cb3d801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0c6cc1f4cb3d801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "488204576"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	0f90bb86007a525c51606f541d23f17d.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2060	0f90bb86007a525c51606f541d23f17d.exe
2060	0f90bb86007a525c51606f541d23f17d.exe
2060	0f90bb86007a525c51606f541d23f17d.exe
2060	0f90bb86007a525c51606f541d23f17d.exe
2060	0f90bb86007a525c51606f541d23f17d.exe
2060	0f90bb86007a525c51606f541d23f17d.exe
2060	0f90bb86007a525c51606f541d23f17d.exe
2060	0f90bb86007a525c51606f541d23f17d.exe
2060	0f90bb86007a525c51606f541d23f17d.exe
2060	0f90bb86007a525c51606f541d23f17d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1752	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1752	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2060	0f90bb86007a525c51606f541d23f17d.exe
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
5016	IEXPLORE.EXE
5016	IEXPLORE.EXE
5016	IEXPLORE.EXE
5016	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1752	2060	0f90bb86007a525c51606f541d23f17d.exe	81
PID 2060 wrote to memory of 1752	2060	0f90bb86007a525c51606f541d23f17d.exe	81
PID 1752 wrote to memory of 5016	1752	IEXPLORE.EXE	82
PID 1752 wrote to memory of 5016	1752	IEXPLORE.EXE	82
PID 1752 wrote to memory of 5016	1752	IEXPLORE.EXE	82
PID 2060 wrote to memory of 2624	2060	0f90bb86007a525c51606f541d23f17d.exe	83
PID 2060 wrote to memory of 2624	2060	0f90bb86007a525c51606f541d23f17d.exe	83
PID 2060 wrote to memory of 4888	2060	0f90bb86007a525c51606f541d23f17d.exe	84
PID 2060 wrote to memory of 4888	2060	0f90bb86007a525c51606f541d23f17d.exe	84
PID 2060 wrote to memory of 4888	2060	0f90bb86007a525c51606f541d23f17d.exe	84
PID 4888 wrote to memory of 4944	4888	cmd.exe	86
PID 4888 wrote to memory of 4944	4888	cmd.exe	86
PID 4888 wrote to memory of 4944	4888	cmd.exe	86
PID 2060 wrote to memory of 1844	2060	0f90bb86007a525c51606f541d23f17d.exe	87
PID 2060 wrote to memory of 1844	2060	0f90bb86007a525c51606f541d23f17d.exe	87
PID 2060 wrote to memory of 1844	2060	0f90bb86007a525c51606f541d23f17d.exe	87
PID 1844 wrote to memory of 1788	1844	cmd.exe	89
PID 1844 wrote to memory of 1788	1844	cmd.exe	89
PID 1844 wrote to memory of 1788	1844	cmd.exe	89
PID 2060 wrote to memory of 2000	2060	0f90bb86007a525c51606f541d23f17d.exe	90
PID 2060 wrote to memory of 2000	2060	0f90bb86007a525c51606f541d23f17d.exe	90
PID 2060 wrote to memory of 2000	2060	0f90bb86007a525c51606f541d23f17d.exe	90
PID 2000 wrote to memory of 4140	2000	cmd.exe	92
PID 2000 wrote to memory of 4140	2000	cmd.exe	92
PID 2000 wrote to memory of 4140	2000	cmd.exe	92
PID 2060 wrote to memory of 1924	2060	0f90bb86007a525c51606f541d23f17d.exe	93
PID 2060 wrote to memory of 1924	2060	0f90bb86007a525c51606f541d23f17d.exe	93
PID 2060 wrote to memory of 1924	2060	0f90bb86007a525c51606f541d23f17d.exe	93
PID 1924 wrote to memory of 1792	1924	cmd.exe	95
PID 1924 wrote to memory of 1792	1924	cmd.exe	95
PID 1924 wrote to memory of 1792	1924	cmd.exe	95
PID 2060 wrote to memory of 3488	2060	0f90bb86007a525c51606f541d23f17d.exe	96
PID 2060 wrote to memory of 3488	2060	0f90bb86007a525c51606f541d23f17d.exe	96
PID 2060 wrote to memory of 3488	2060	0f90bb86007a525c51606f541d23f17d.exe	96
PID 3488 wrote to memory of 224	3488	cmd.exe	98
PID 3488 wrote to memory of 224	3488	cmd.exe	98
PID 3488 wrote to memory of 224	3488	cmd.exe	98
PID 2060 wrote to memory of 4400	2060	0f90bb86007a525c51606f541d23f17d.exe	99
PID 2060 wrote to memory of 4400	2060	0f90bb86007a525c51606f541d23f17d.exe	99
PID 2060 wrote to memory of 4400	2060	0f90bb86007a525c51606f541d23f17d.exe	99
PID 4400 wrote to memory of 3916	4400	cmd.exe	101
PID 4400 wrote to memory of 3916	4400	cmd.exe	101
PID 4400 wrote to memory of 3916	4400	cmd.exe	101
PID 2060 wrote to memory of 1524	2060	0f90bb86007a525c51606f541d23f17d.exe	102
PID 2060 wrote to memory of 1524	2060	0f90bb86007a525c51606f541d23f17d.exe	102
PID 2060 wrote to memory of 1524	2060	0f90bb86007a525c51606f541d23f17d.exe	102
PID 1524 wrote to memory of 3972	1524	cmd.exe	104
PID 1524 wrote to memory of 3972	1524	cmd.exe	104
PID 1524 wrote to memory of 3972	1524	cmd.exe	104

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
224	attrib.exe
3916	attrib.exe
3972	attrib.exe
4944	attrib.exe
1788	attrib.exe
4140	attrib.exe
1792	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0f90bb86007a525c51606f541d23f17d.exe
"C:\Users\Admin\AppData\Local\Temp\0f90bb86007a525c51606f541d23f17d.exe"
1⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5016
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:4944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Views/modifies file attributes
    PID:4140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:3916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - Views/modifies file attributes
    PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\windows.exe

Filesize
124KB

MD5
9ad827df975fe745eaf0149afc93d1a3

SHA1
902fd6e4f88802b4e92071d34e2159a8b3f371c0

SHA256
7ba8698a2c8026290d067fe71fc3871342671f39b33214c2b9b82cc1e0a685d4

SHA512
bc25545f65626108ce3b2979feec29703c1870a480553936a44507e9e5e961ea4c8da1b9c54e128f882179382a582dfb7afd55b31b08353f2371aef972fd464b

Download Submit
C:\system.exe

Filesize
124KB

MD5
be7dee46bcfb072b6d0428b811637d71

SHA1
a970807bf04c34015c390544f285e06a0c876253

SHA256
8e840cb03730ef0ab1d1fa5c42c5c8402239d236b4deee5881d7d7328cefd0eb

SHA512
48c5375c8705c8f748cda8d8ec9ab261f4d347590feeff6148011f71ac6bad04fbcab9b838146eabea557ad327625984a5685690bbc8d8ce79c29d20a4426a4b

Download Submit