hxxps://krnl[.]vip/executor/

Analysis

max time kernel
114s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2022, 18:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://krnl.vip/executor/

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
4080	krnl_beta.exe
1160	7za.exe
1256	7za.exe
992	KrnlUI.exe
1988	krnl_beta.exe
528	7za.exe
1576	KrnlUI.exe
1188	krnl_beta.exe
4840	7za.exe
2292	KrnlUI.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	krnl_beta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	krnl_beta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	krnl_beta.exe

Loads dropped DLL 6 IoCs

pid	Process
4080	krnl_beta.exe
4080	krnl_beta.exe
1988	krnl_beta.exe
1988	krnl_beta.exe
1188	krnl_beta.exe
1188	krnl_beta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3584	992	WerFault.exe	107
4308	1576	WerFault.exe	122
3944	2292	WerFault.exe	131

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 89be75672cbed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30983091"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "55"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\krnl.vip\ = "55"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3540468031"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3540468031"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90e840d6b3c3d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FE780A19-2FA6-11ED-A0EE-E2272FE8D9C1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\krnl.vip\ = "87"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000f92585899821365972df8a5a517ec327fdcae21ddb0f1395dabb266d0366811b000000000e800000000200002000000061580bac75e836f0e4a6b144b0c88af597f890c415bddb779bf9f6a8631b97c7200000008a9774991d10c480a22344da1151f828911df41e7a74766836fc667f49ab24f0400000002105927392afe213b4fe85a9fb847f759d9b82563b193772e1308ae639d860d8fb42cac31f8e44246d6c28a95c8eebf2d204fa8f15d53785c4c9ed35233036ef	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30983091"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\krnl.vip\Total = "55"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\krnl.vip\Total = "87"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "139"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\krnl.vip\Total = "29"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d79060000000002000000000010660000000100002000000051c7eb04279f15dc2b0cb81b91cc475b3037c955b7767cf6923932178c598038000000000e800000000200002000000073d024803a04610de71dc677a680eb2c48e75a3fb62057fc1632bdac8927b50f20000000837f6c0523420291a35c4c2572ce3ce0458f2b6b48ae1b8b20d0bd9a2d5e608540000000c19eccf6de1d3415713a2a2f502401b8489cb831cb593c5ba835904913ab8e0ea8661a8ee61877ab3f9e267c4e02e1cbf86b5ce97921d51f4cf9f06d4d97d273	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30983091"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c04630d6b3c3d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\krnl.vip	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "87"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "29"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\krnl.vip\Total = "139"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "369427964"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\krnl.vip	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\krnl.vip\ = "29"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\krnl.vip\ = "139"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{4FE2EA82-8418-4059-B43C-0F601EFB613F}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3564061182"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\krnl.vip\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	krnl_beta.exe
Token: SeRestorePrivilege	1160	7za.exe
Token: 35	1160	7za.exe
Token: SeSecurityPrivilege	1160	7za.exe
Token: SeSecurityPrivilege	1160	7za.exe
Token: SeRestorePrivilege	1256	7za.exe
Token: 35	1256	7za.exe
Token: SeSecurityPrivilege	1256	7za.exe
Token: SeSecurityPrivilege	1256	7za.exe
Token: SeDebugPrivilege	1988	krnl_beta.exe
Token: SeRestorePrivilege	528	7za.exe
Token: 35	528	7za.exe
Token: SeSecurityPrivilege	528	7za.exe
Token: SeSecurityPrivilege	528	7za.exe
Token: SeDebugPrivilege	1188	krnl_beta.exe
Token: SeRestorePrivilege	4840	7za.exe
Token: 35	4840	7za.exe
Token: SeSecurityPrivilege	4840	7za.exe
Token: SeSecurityPrivilege	4840	7za.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4196	iexplore.exe
4196	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4196	iexplore.exe
4196	iexplore.exe
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 2748	4196	iexplore.exe	85
PID 4196 wrote to memory of 2748	4196	iexplore.exe	85
PID 4196 wrote to memory of 2748	4196	iexplore.exe	85
PID 4196 wrote to memory of 4080	4196	iexplore.exe	100
PID 4196 wrote to memory of 4080	4196	iexplore.exe	100
PID 4196 wrote to memory of 4080	4196	iexplore.exe	100
PID 4080 wrote to memory of 1160	4080	krnl_beta.exe	103
PID 4080 wrote to memory of 1160	4080	krnl_beta.exe	103
PID 4080 wrote to memory of 1160	4080	krnl_beta.exe	103
PID 4080 wrote to memory of 1256	4080	krnl_beta.exe	105
PID 4080 wrote to memory of 1256	4080	krnl_beta.exe	105
PID 4080 wrote to memory of 1256	4080	krnl_beta.exe	105
PID 4080 wrote to memory of 992	4080	krnl_beta.exe	107
PID 4080 wrote to memory of 992	4080	krnl_beta.exe	107
PID 4080 wrote to memory of 992	4080	krnl_beta.exe	107
PID 1988 wrote to memory of 528	1988	krnl_beta.exe	120
PID 1988 wrote to memory of 528	1988	krnl_beta.exe	120
PID 1988 wrote to memory of 528	1988	krnl_beta.exe	120
PID 1988 wrote to memory of 1576	1988	krnl_beta.exe	122
PID 1988 wrote to memory of 1576	1988	krnl_beta.exe	122
PID 1988 wrote to memory of 1576	1988	krnl_beta.exe	122
PID 1188 wrote to memory of 4840	1188	krnl_beta.exe	129
PID 1188 wrote to memory of 4840	1188	krnl_beta.exe	129
PID 1188 wrote to memory of 4840	1188	krnl_beta.exe	129
PID 1188 wrote to memory of 2292	1188	krnl_beta.exe	131
PID 1188 wrote to memory of 2292	1188	krnl_beta.exe	131
PID 1188 wrote to memory of 2292	1188	krnl_beta.exe	131

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://krnl.vip/executor/
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4196 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2748
- C:\Users\Admin\Downloads\krnl_beta.exe
  "C:\Users\Admin\Downloads\krnl_beta.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe
    "C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe" x "C:\Users\Admin\AppData\Roaming\Krnl\krnl.7z" -o"C:\Users\Admin\AppData\Roaming\Krnl" -aoa -bsp1
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe
    "C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe" x "C:\Users\Admin\AppData\Roaming\Krnl\Data\Community.7z" -o"C:\Users\Admin\AppData\Roaming\Krnl\Community" -aoa -bsp1
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe
    "C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe"
    3⤵
    - Executes dropped EXE
    PID:992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1092
      4⤵
      Program crash
      PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 992 -ip 992
1⤵
PID:4856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2384

C:\Users\Admin\Downloads\krnl_beta.exe
"C:\Users\Admin\Downloads\krnl_beta.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe
  "C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe" x "C:\Users\Admin\AppData\Roaming\Krnl\Data\Community.7z" -o"C:\Users\Admin\AppData\Roaming\Krnl\Community" -aoa -bsp1
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe
  "C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe"
  2⤵
  - Executes dropped EXE
  PID:1576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1056
    3⤵
    - Program crash
    PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1576 -ip 1576
1⤵
PID:1008

C:\Users\Admin\Downloads\krnl_beta.exe
"C:\Users\Admin\Downloads\krnl_beta.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe
  "C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe" x "C:\Users\Admin\AppData\Roaming\Krnl\Data\Community.7z" -o"C:\Users\Admin\AppData\Roaming\Krnl\Community" -aoa -bsp1
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe
  "C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe"
  2⤵
  - Executes dropped EXE
  PID:2292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1056
    3⤵
    - Program crash
    PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2292 -ip 2292
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
c8a2d143b6aea04cb5e328c8bd46956c

SHA1
8cac006cdc9d239da7d894e4fd5f30f4af3f9c06

SHA256
d30217f12a5046445df75b40c50cf9946c639edc09947351b76d30db6df84830

SHA512
2976258b4273cd9b7347cd8f927dc3046f8b26135c02f69d530b170947bd6dd72ddc59a20e3c9b69dea81c0edcd18bc3e0893020e1fd99d3b9150ff5345d6862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
4fffa581ea086de09d74040bdc7c0653

SHA1
7e8d5fd8f6c6f60fbbabcdb6a2b1801a5dc7d5b5

SHA256
7036ce6b0a74c060452b80d8db9775ec9b4a911fc7eb029652699de7601addc0

SHA512
e579a34de03d6dd95e491d3afd544f697e048ef412880439b0b6789f06464e68667e2473d31009a98db8ed1149f5a68cfb424687c672c05ed9a20fc8ce6614c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\krnl_beta.exe.log

Filesize
2KB

MD5
e3152798ee190e4fc7411c64955c7eed

SHA1
5e6ceb9361df35a5a0fac32b604d3fdd9f65c650

SHA256
bd13a78aa4b2084742da4adf1f239308081ec9f6e47c8ffb070c4a2c0d39a569

SHA512
bdee879b69e620c7927caee863cb7f93fdfad14236b667aef59e1f1c01550fe6d09940ef36961014e8426b8accd91b8ab0c1ff72e492cc745525a652a8833758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ckj4gk4\imagestore.dat

Filesize
1KB

MD5
fce477e4507739796a6585a8aa951df1

SHA1
5b1e01c453678c4fef23b5b64da9ec4b4eb4b206

SHA256
0a8137c681aeb0ed5a7d3dc97007aab54b4b9678af867da41bd052a0234c32b8

SHA512
ee195b9cdfcdc3c1e37d8e53584bb43b83d2339dbf761a78c01796377bc703b55b8f53820d9091423f7981b79fe9d64150c17f9ab0f7cdcb766680263b11a20f

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Cmdx\card.config

Filesize
12B

MD5
773229091774b2b77583da0f15a718ac

SHA1
fcdbebdefc85658d65e23dcc52cd1a3ae9a12ee3

SHA256
f70e955a67aad2ee28ac0c8b1c0882c9bd9991da51b87b224a4e22eefb8956f9

SHA512
7762bbbc14bdc679c51b5d9b75b1c19b0977d70c98a1edcbceaa950e7ba42c991ae4e81768a9bd80bb1bb2bd1eed4e6a18e98e16a2ec974464850d9c14a9fc2b

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Cmdx\card.config

Filesize
12B

MD5
773229091774b2b77583da0f15a718ac

SHA1
fcdbebdefc85658d65e23dcc52cd1a3ae9a12ee3

SHA256
f70e955a67aad2ee28ac0c8b1c0882c9bd9991da51b87b224a4e22eefb8956f9

SHA512
7762bbbc14bdc679c51b5d9b75b1c19b0977d70c98a1edcbceaa950e7ba42c991ae4e81768a9bd80bb1bb2bd1eed4e6a18e98e16a2ec974464850d9c14a9fc2b

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Cmdx\preview.png

Filesize
155KB

MD5
971fcb67b3ed9746cfd5c12032c8f54a

SHA1
378d56a2909c9b4dacc1a679664de7a3b9b48109

SHA256
94d47c3270fd8af9431722aac704778dd0e157fcffe7e24435a25368272e6bfc

SHA512
3d5e2f7112462049cd84fabce244cd51cbc341e8adc4fa27e5516855dd6f1d9727d6dde463812f6c552a732ebb2dad87ea6eed38a9bf7a1ea55800068fecfa63

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Cmdx\preview.png

Filesize
155KB

MD5
971fcb67b3ed9746cfd5c12032c8f54a

SHA1
378d56a2909c9b4dacc1a679664de7a3b9b48109

SHA256
94d47c3270fd8af9431722aac704778dd0e157fcffe7e24435a25368272e6bfc

SHA512
3d5e2f7112462049cd84fabce244cd51cbc341e8adc4fa27e5516855dd6f1d9727d6dde463812f6c552a732ebb2dad87ea6eed38a9bf7a1ea55800068fecfa63

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Cmdx\profile.png

Filesize
7KB

MD5
fe0cf96f57839cdd21191af66c241b96

SHA1
fba1b795f839c0fbaa4e47dfd9ad79ac6c2a4562

SHA256
bafaba91b68e495a6946cfae26a1f194dd8e556c1fb28dcf1e220721eb0ecbfc

SHA512
5adf6c8fc4b24f5af253c0f03c5b57ac7243008765b3854ed4b83d758a1901997ff4e6d9e0e1918383bce19832b72fc68cc7005c8a53a329df41b2ad91162ce9

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Cmdx\script.lua

Filesize
1KB

MD5
4417aa7a7b95b7e9d91ffa8e5983577c

SHA1
367b923829db8fecf2c638fb500f161d22631715

SHA256
eafd7bc4f8aeacd998f6ffa38c8fc2ec2fb043ca97c956a0949aebb9bbbdbbe6

SHA512
04a5f440a6e00ea0aa8491ae4c6dd6aa68f704db54a43a5d6bf4c99446ae2c7792be8dcaee6542a93280eb35dc93acb60e8e4065f13c885e4186d80824feb04e

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\DomainX\card.config

Filesize
11B

MD5
a3d8125d741db04d38a0c2c56eb9521f

SHA1
69729d39c0b4ff201d2aa7c6a77ecb4652b22aa3

SHA256
e2e623686b91cc0075b0f86b4c4577e45d4ee2ac6fce0aeae7326550675d1a96

SHA512
014cb710f3ad4264bc6cb524c33569e297ff6eee5dd417d10e4a1519951fcc739663a794f373a86eae4a0280002b4ce2d90715e4d9328bfe18f669e98878a994

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\DomainX\preview.png

Filesize
534KB

MD5
1ea0fccbceecbcfbe9c57bf230241889

SHA1
4b538297c419731bed21e7f0f8c1f921c6c3f389

SHA256
79eb0dcb2cff8cb7a620fa87284fdf79a1bfd97690d193c8caa15ffa3068c9cd

SHA512
6229d6084be3f3368a98ffa4b0aaa5899fdd85d5dd2f538987a8abce2bf1d3c378731c1b1b37e2d555e47d8812f8b5e8fef0d68241dfbf2c8952ffb1737a6909

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\DomainX\profile.png

Filesize
19KB

MD5
be676e5468366d6f34839bab1a2be5dd

SHA1
14424fc881b910a406f364d1dffb22ee0dc28e04

SHA256
196c3db248754cab84491e35496aa7d2dbd93bd1f1dce0b20462c2310b13265e

SHA512
3e87468cd2fd4669a59f2a18a4a968a32414ea788eaee0f341b93387b852fcab3c0d4c5fa6a29f884520b6fa10916b39eb7791e82bc951355378356955bf2ca7

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\DomainX\script.lua

Filesize
98B

MD5
1f74e0539c4f0816badd444b487dbda9

SHA1
07fc32012374195023f00353c12d800a5ed8d07b

SHA256
f01656ce161b59d49730ced251f20cea8a4aac04efbd85152e3c89e0f182a41d

SHA512
d068fb33ff098e7db909784985bd7a47b62ba607119d976c7084db8260d05b1aacb984543b556cb002f53fbb14c9107477e9d1b51a78648e6bd040840a87c55b

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Hydroxide\card.config

Filesize
6B

MD5
af55765f33160409360ffefd60211d32

SHA1
f16b23456ff82b6875e996c252c92eac375c5c54

SHA256
adfe3a9eb182052dabd7530e315fc5c0784bf5d115002b9a1a6f76dddf35773d

SHA512
1488a18106ed2dbb1502f218f8a543eb45fb5d12fc5867dfbd7d0bb500915c9705a5a8e2a21e964f5aeadc460d69d0f39bc729fee8d66e75e08907bcd0adbc4b

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Hydroxide\preview.png

Filesize
10KB

MD5
6c5d6e01657cf543c2211452ff43f52f

SHA1
7f4735960b3128f279aa42c4351ee50b32580788

SHA256
014920b3352e755b1608681e3dc613ce68e7875527ac8372a8edf5f875d32f5f

SHA512
f01c45f42f9e55982e9191979c3f0854a064b7455f65141e9feeebb72432ebe3d784263ac81d67c4cdf48e4eb49b39787eca2fe3a4964a799b130ac79a6b4b04

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Hydroxide\profile.png

Filesize
12KB

MD5
516a58f5a912ea4cbef1098f8fd5ebc3

SHA1
217162ba93d4c94d7b9389694734e365a91905df

SHA256
c9d71e41f4103780f381c11ce608f797ffbbe3f92f20922cc8576203543aa461

SHA512
ec211867be06425d54e6c70aa60b99dd209b949cf70ed6922689645bc86e9508ce234c14e3a1c37f2950a95387eef7424a518abd82cd2ac4e6680fcc329ab5d7

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Hydroxide\script.lua

Filesize
281B

MD5
c0baed80a080fcfbcbde7dc86d38b14e

SHA1
1d81bb414f6853c313b6eea6169a7b68001dca68

SHA256
0109c27defe896cf9cccf23e0dc8765d705e8660360c3eca2a2f30599b46d77b

SHA512
3397e3b5bf3591e8ae5ac4b41be05973c484279151d1239d1976ba1267441809e2addc04f74fb61f7ec6f82fa1c3b6f92acab90eb620095e11f55c9f3f2edb2c

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Hydroxide\tags.config

Filesize
33B

MD5
b042ffedee19500bf6d971c456ec3655

SHA1
077c12ca4595d02a810a592f8cc85bc961676f4d

SHA256
83167cc46576dd7ff84b1f107e9024238395d2a6016f88b9cb911292d52ec2a9

SHA512
0010593f27183cc66acaeba66c0cc4bf82c8faa821c1f5ee75bc78552792068eaec6b120f17112a3df267784dbf8975d6fce2f394e5b616c7f719148e68e0d86

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Infinite Yield\card.config

Filesize
11B

MD5
5e42cc2c2e0f1e430aa404314afa53e4

SHA1
794be48d0f018d9ef67a9dddb4dd4b6ba66d020e

SHA256
4f94d5d922df31f5611e97f785b3f7bae178268b0f0727e733590ddd6de13bc2

SHA512
e38a0e93a5f7b9d0f3f09d8408fd29450a88672382e828a5926239ce926782fab49692178ba4614e0683bf4ae50d4ebb6491e6bb6e85372972ef4b1b5435639d

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Infinite Yield\preview.png

Filesize
49KB

MD5
7b0d11f82c6d558ddccda8a4563f6238

SHA1
615e90c3d799e58850efb189bc220a621dc56e96

SHA256
24f687838f65b20e4f826cc6ab709124a8a91c43789a0b71cb6fc8a58ce8273e

SHA512
5a8dce1fc5c9e2d47634b888bc51ca0ed73eef0f305993979f380e2597a3f5fa45facf0639a2a7d3410c40b29f2ce2b40fbb222660babf009382475cde1e676f

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Infinite Yield\profile.png

Filesize
237KB

MD5
6cef901a51f67313821f9f7ccca5d38f

SHA1
6a612a1918e94c08b54af9e7e63356d41eff2d82

SHA256
1461d4e5cc1d955721e68d745c900c56c3c28490d86e00cab39f0bcaedc702d8

SHA512
818314e8bbb20fc0fc7ca7884a930063c8c906e8af39abe6c507b96ddeaf5515a9de0c0408bc2483eea067dcd1102bc63095cfd27a6a1af2f628a1bd26929522

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Infinite Yield\script.lua

Filesize
451KB

MD5
1cf55875084e2163bbdfbf66452b29e6

SHA1
f28c38a655dd68075ade6b915f683968e77bee97

SHA256
177d8cf42fee5c6012f6571b20e7e17e55df8564af59b9be5dddcdbd879b5c5d

SHA512
3e72263077a032688770f08e181d8786c1248bec31a5f69fdbbff2c127b49466909ecd68a5dd7e1061542bf1900a6f7a6ab498310a460c8fbfaeae81aa5f5db3

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Orca\card.config

Filesize
4B

MD5
656626d3691e02c2c2e83276a94add4f

SHA1
258635defa94ec462fbe0c1af91c7b59bef1d1e4

SHA256
0fcf591eb63af5717e253be0931f2e09747df34a27b3ba8d092faf0e55318920

SHA512
2878ceeff7c9d8225006bea6f280587d84d0be316aae41c9c859b632ae71043af52dd2ff1cf50a0804a0a5120da4a500a468170b710e6bb53cc18a391fdf514f

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Orca\preview.png

Filesize
465KB

MD5
4178311492a7c89b085dd0f9e16059d1

SHA1
a8c09191f29ba3538bec9ae2ba14aa4eeb59b5ef

SHA256
7a6e75f8f2a3ed7ba1b3ddb2b34b56ff751053896f37c02d527ba496504563be

SHA512
770cc5a277455c4a6f6da2dcc0ab4951580cde25ba1524194967dc1dff8d5d0cc81c9131313f131fd83f7569b2e56bbd55673fad8ff5f1a847e1ddd7f750a4e3

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Orca\profile.png

Filesize
8KB

MD5
5f7201b94d86517399ee2a8de627cbeb

SHA1
0028f36c47b6dd36e7e5a1b24ee41f965be3671c

SHA256
6acc361fca4ef73d7a0bdd39482f3d2938eab6d2d942db995666e0978c0f59a4

SHA512
8037df886217f45330630205090724fd2a1c5e66b6084c9ac746cb52e5d653f3d1816e1feb236df760bf72090b8a880ac6391daae5253ac99e9489551ffd1526

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Orca\script.lua

Filesize
115B

MD5
ef0dfaca318853907f49290a828e73f9

SHA1
e4c200f30ed72a6b384c712ba1304fa2dbe72a73

SHA256
80c4123264cd0e6ae4d5308b8c451ef89cd35ab3bbe214f034a34d243abeb8c5

SHA512
b5fec7a5b7c446f6ed8802740b8afbe948ed24c5d677a8748819988e4501e94deead3e7c933e33e19dbce0e10260dc43ac7710435c3864576b38fd27bc35503b

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Secure Dex\card.config

Filesize
10B

MD5
cdf58d0e1b6b0dd3f523e7817a0ea0b5

SHA1
a87a1bfa5593ccb6ce553543526b06c7b39c3330

SHA256
a9292bc3beaf23e06a4cb67c4bd213737754f9b5c1538876da059b0ca71e03fe

SHA512
ae1b344d078af79886c7d2d0bc4c103d5873621b3d549362ee416fb6c43f5bfe5d9c43b5073b034bb1ee5b4413689a93dde12f9a8408e4051a39f0f089500784

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Secure Dex\preview.png

Filesize
171KB

MD5
220cf576403c96a12e4831c4e1aff13a

SHA1
b6ff4cb1a6aec90ea01f3807a66ff1b0864d10bf

SHA256
1bc331bf9cfe7a2ec83fea1d9d67cfd2754239edc4dda5a17f99b420b75d6fd9

SHA512
103aab3a35694076ab14874c1f826a51bf8db59349f66765528d70484a4f5a4c6d751e2af3b5c4b832df68233ea33c5b08662d009fc9f2897c4414d61e0f4e41

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Secure Dex\profile.png

Filesize
19KB

MD5
20f7c123960c173546b91a9147be8a98

SHA1
d83534a97c5ff8e917bcd92f2e31d558e863796a

SHA256
d132445e583c7e8662fa48a83c35074d91557c34ea713d1812040c33ce8b89dc

SHA512
1f3b3897f21599f99f89846fb92783fad0c2018a4d20da12c9ae1789bc8b284987433c183582dfc5914f3d3b176ecf9f70de036f032b24e78054869ada87826b

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Secure Dex\script.lua

Filesize
130B

MD5
6473198fb2bc362815ad8321c437fe28

SHA1
baa832e136a2d644a466d49fa02af5d20aa77314

SHA256
0b6b0bbe86d18aec7e1127bd6e8ea14b66aaf9283348e7ede6d0c8a09c7ea6e5

SHA512
306188fd1e9c48392340d2773d582ba126453c5cb053396f84d12f78db63537ff8b3ffc1600177025edea977edb2fb72e68ee194097f28c1ea1fdadee5d71f00

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Solaris Hub\card.config

Filesize
16B

MD5
760f1d0fecd0061b6b248da3a589147d

SHA1
a0a57fb9d709a039bc8c3faebb038bb6bfa65f5e

SHA256
617211e3318c228cc79a2df1490725b2ab5bb7aaee9c5bc8e6c42221ab5cc55b

SHA512
5f51a115711f533d4534df2867a1b3f0a4c6c9cb1f97604fd4cf62fa6877df4ec993eaee9464ff1ca59d69e3cbc1d8f70c379396d84f78e816272a8f94bfbacb

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Solaris Hub\preview.png

Filesize
529KB

MD5
d6a8ba7d779cb566b9fa4fd03c5ffdf7

SHA1
e60be15ebda2e8752f65c2ea812afe36524ca85b

SHA256
99305b07892745f62552fb8da563cb94d2642ed2a826819b7c08bd818b7d8f2c

SHA512
79281ba7cca5d4a4a3898b63e26fa32196c0cab1185cb5fdf99ea1f19dd0e33e038fe4afb6f0920eed9459591e985b07d02992b569de7962c7525ad39c3c5c51

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Solaris Hub\profile.png

Filesize
19KB

MD5
d7c8038ab513a9d16b83f890a8697caa

SHA1
099a5ddcd95e26e7a6a7483d5782f08fa8996d79

SHA256
8e475ab0d93e584bf1627f77c98370da18caacab0262a691902e12fdc17f49ce

SHA512
cb4ed398c609d042ff2575598b8cee713af5d091800b99b74384f23ae3d7eedddd492d5d809262d78b1e0046bff8288940359098fc661dcec6c587dc376e4f9f

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Solaris Hub\script.lua

Filesize
68B

MD5
cf3344e8b0066d56c3fdad6fc260e8d1

SHA1
9402d010a0e369dbc81684aea26397d894efb891

SHA256
9311bcfa73c2c7be870a3e37d74dd97aca3ea88148b249f0199693c1b2cf9d13

SHA512
a8b4572a16a229a113f76960d2501c6b3f0ae6d49b237bd01bbb7b67e36298d9ad01018c97189b23c123a816017834f5c432fd2ad8d734ab38580f620228f3c2

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Solaris Hub\tags.config

Filesize
103B

MD5
9966ac634c5a7fa32513e1fe3899e54b

SHA1
d40055833db5310803f2693bd0060a7a45a7523e

SHA256
c67400cdc62283862b642f94bc5197a2e05ee6559750dba16910b0601ea34a64

SHA512
61d15ea82412531d915e9857f67829624dea4549415c661cbcf86a20710915c579ff93a6c7b57b03d1e66a0445669784ef08298451733916cd195033c94d9da9

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7z.NET.dll

Filesize
15KB

MD5
982475050787051658abd42e890a2469

SHA1
d955e35355e33a9837d00e78c824f6e5792b47f3

SHA256
4e193ccda4ef7ec7fc1bc12d7abba225a9af5b4612aa0b67a02324b9da8b268c

SHA512
c97b40c82499759e8a11b581004252be618f967153b5a9ce425f9a385746f3a1bdc467686023f36ed11212ea23e1c6b03b4df32cc5dd2a8c4b1d4ab23541c1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7z.NET.dll

Filesize
15KB

MD5
982475050787051658abd42e890a2469

SHA1
d955e35355e33a9837d00e78c824f6e5792b47f3

SHA256
4e193ccda4ef7ec7fc1bc12d7abba225a9af5b4612aa0b67a02324b9da8b268c

SHA512
c97b40c82499759e8a11b581004252be618f967153b5a9ce425f9a385746f3a1bdc467686023f36ed11212ea23e1c6b03b4df32cc5dd2a8c4b1d4ab23541c1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7z.NET.dll

Filesize
15KB

MD5
982475050787051658abd42e890a2469

SHA1
d955e35355e33a9837d00e78c824f6e5792b47f3

SHA256
4e193ccda4ef7ec7fc1bc12d7abba225a9af5b4612aa0b67a02324b9da8b268c

SHA512
c97b40c82499759e8a11b581004252be618f967153b5a9ce425f9a385746f3a1bdc467686023f36ed11212ea23e1c6b03b4df32cc5dd2a8c4b1d4ab23541c1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7z.NET.dll

Filesize
15KB

MD5
982475050787051658abd42e890a2469

SHA1
d955e35355e33a9837d00e78c824f6e5792b47f3

SHA256
4e193ccda4ef7ec7fc1bc12d7abba225a9af5b4612aa0b67a02324b9da8b268c

SHA512
c97b40c82499759e8a11b581004252be618f967153b5a9ce425f9a385746f3a1bdc467686023f36ed11212ea23e1c6b03b4df32cc5dd2a8c4b1d4ab23541c1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7z.NET.dll

Filesize
15KB

MD5
982475050787051658abd42e890a2469

SHA1
d955e35355e33a9837d00e78c824f6e5792b47f3

SHA256
4e193ccda4ef7ec7fc1bc12d7abba225a9af5b4612aa0b67a02324b9da8b268c

SHA512
c97b40c82499759e8a11b581004252be618f967153b5a9ce425f9a385746f3a1bdc467686023f36ed11212ea23e1c6b03b4df32cc5dd2a8c4b1d4ab23541c1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7z.NET.dll

Filesize
15KB

MD5
982475050787051658abd42e890a2469

SHA1
d955e35355e33a9837d00e78c824f6e5792b47f3

SHA256
4e193ccda4ef7ec7fc1bc12d7abba225a9af5b4612aa0b67a02324b9da8b268c

SHA512
c97b40c82499759e8a11b581004252be618f967153b5a9ce425f9a385746f3a1bdc467686023f36ed11212ea23e1c6b03b4df32cc5dd2a8c4b1d4ab23541c1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7z.NET.dll

Filesize
15KB

MD5
982475050787051658abd42e890a2469

SHA1
d955e35355e33a9837d00e78c824f6e5792b47f3

SHA256
4e193ccda4ef7ec7fc1bc12d7abba225a9af5b4612aa0b67a02324b9da8b268c

SHA512
c97b40c82499759e8a11b581004252be618f967153b5a9ce425f9a385746f3a1bdc467686023f36ed11212ea23e1c6b03b4df32cc5dd2a8c4b1d4ab23541c1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7z.NET.dll

Filesize
15KB

MD5
982475050787051658abd42e890a2469

SHA1
d955e35355e33a9837d00e78c824f6e5792b47f3

SHA256
4e193ccda4ef7ec7fc1bc12d7abba225a9af5b4612aa0b67a02324b9da8b268c

SHA512
c97b40c82499759e8a11b581004252be618f967153b5a9ce425f9a385746f3a1bdc467686023f36ed11212ea23e1c6b03b4df32cc5dd2a8c4b1d4ab23541c1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\Community.7z

Filesize
2.2MB

MD5
e7e69e3bb82e50d10e17fceb8851f1e3

SHA1
ac38d2c834b5ef30feb0b23272ee289779caf14c

SHA256
1f70e675fd69fa7d0efe44a2a6cbade8350ebb1cb3a9a18ff824cfd680b35ddd

SHA512
ba44f453d75ac413f404b89c5dfd1acbdf95aae10beb65599e7e52ecec7eb3ea82b95a6947fcda38e2cb878eb197714be3f3e3d93d5fc09e83ebb952117ded44

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\Community.7z

Filesize
2.2MB

MD5
e7e69e3bb82e50d10e17fceb8851f1e3

SHA1
ac38d2c834b5ef30feb0b23272ee289779caf14c

SHA256
1f70e675fd69fa7d0efe44a2a6cbade8350ebb1cb3a9a18ff824cfd680b35ddd

SHA512
ba44f453d75ac413f404b89c5dfd1acbdf95aae10beb65599e7e52ecec7eb3ea82b95a6947fcda38e2cb878eb197714be3f3e3d93d5fc09e83ebb952117ded44

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\Community.7z

Filesize
2.2MB

MD5
e7e69e3bb82e50d10e17fceb8851f1e3

SHA1
ac38d2c834b5ef30feb0b23272ee289779caf14c

SHA256
1f70e675fd69fa7d0efe44a2a6cbade8350ebb1cb3a9a18ff824cfd680b35ddd

SHA512
ba44f453d75ac413f404b89c5dfd1acbdf95aae10beb65599e7e52ecec7eb3ea82b95a6947fcda38e2cb878eb197714be3f3e3d93d5fc09e83ebb952117ded44

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\krnl.config

Filesize
48B

MD5
37c9974a299fb57f9fce50263122ce79

SHA1
6d4cf6146faa35e8b988d1f5a8a4cda8d3561207

SHA256
254e69fa042031a57c44518636b15ea66ec90d7773253735640db8740610a280

SHA512
942fe85dba4b43c88bfac1a60beffdc8a6319a74897bde11c0464fa9316ed86dd5d1c2ed7750aa755d1fbdfd0eab977bc49ad9b5ddf7cdb534cd9cb385928024

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe

Filesize
1.1MB

MD5
50aeeb9eddf325aa320b1a4d7fb8d8aa

SHA1
3920b90a420543cebb8b41c1bfae36aac2049040

SHA256
52fe0ab835173095183c93ce79ac268c9b314ce786c94c117ce7d4d4fe7df752

SHA512
e4c6ab57b6089373df67eb4b680b81ec0cc02e69690194dc6723b9e0dda697d5ff7a40b7789a763008833fcca63d7b0061062c81de63d58d2ebf1bea980a40d3

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe

Filesize
1.1MB

MD5
50aeeb9eddf325aa320b1a4d7fb8d8aa

SHA1
3920b90a420543cebb8b41c1bfae36aac2049040

SHA256
52fe0ab835173095183c93ce79ac268c9b314ce786c94c117ce7d4d4fe7df752

SHA512
e4c6ab57b6089373df67eb4b680b81ec0cc02e69690194dc6723b9e0dda697d5ff7a40b7789a763008833fcca63d7b0061062c81de63d58d2ebf1bea980a40d3

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe

Filesize
1.1MB

MD5
50aeeb9eddf325aa320b1a4d7fb8d8aa

SHA1
3920b90a420543cebb8b41c1bfae36aac2049040

SHA256
52fe0ab835173095183c93ce79ac268c9b314ce786c94c117ce7d4d4fe7df752

SHA512
e4c6ab57b6089373df67eb4b680b81ec0cc02e69690194dc6723b9e0dda697d5ff7a40b7789a763008833fcca63d7b0061062c81de63d58d2ebf1bea980a40d3

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe.config

Filesize
310B

MD5
28a4d95efb8345d745b1595570b2ad36

SHA1
0969995472e742654709481a47e9a97b1580fe5e

SHA256
9a21d8cbba70cb22678b551bff55f7988cb2b8074cac3a574ce7b91623337ff7

SHA512
de988d642890c80ff579913be53e0e6e83bb96968c47c5d732e29d1717b3ab9654dd30e1a3dd046675d487e9a290dc44a401dd9a42d6e3c4d806da5fbb7b9250

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.pdb

Filesize
205KB

MD5
d7a3411ec8f07bf94193c54e92b65fec

SHA1
e1d77b5f26d69b7a7e1d16bb2ba29e98b616e836

SHA256
67cbc9327466cad79bddc26cad705d54df8fc69644bcfd5a95c6dfdf1e88eabd

SHA512
ed7b6a646033cddd5decc84212b6d9290499cc83edeec9302cc8d691da49d39d6e30ba243d7e52be2e89e520b9572f15d522533008ffa17d3e978e1575126123

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\krnl.7z

Filesize
71.1MB

MD5
c9227844eadc01a5de3856b9ce9437c0

SHA1
e20a363d947eb702bd7d231e457e0113e2bb00cc

SHA256
f69ea8d7148c0ea755acc98dce8a4adb73fc56080dc3cb19fd92c5b8cc24e0fb

SHA512
e26e57593d9a4e923deb02f3c28693730f07ee3ded5e85f6142d1c3db82f2307bb71576cf8b6fe554034f988ea130f79097d2d18d16e87c16ad38188bd83a37c

Download Submit
C:\Users\Admin\Downloads\krnl_beta.exe

Filesize
1.8MB

MD5
3701dc535fb395d6a1fb557a3aeec5e9

SHA1
ef517659229ddc6ecfc02481c3953ac9322dae35

SHA256
ec6df713446a8dd5efb376fbb7b444ed7e09f5cdd98c0494999b64af2e2d5537

SHA512
20dc14387138f913034bd2c265156dca1f36c128c040a99d6904fe6f1830d2f98afb3dcf0553817adb66e480be7d0fb0d7df58f0feb9b007a5a6bab648b081a2

Download Submit
C:\Users\Admin\Downloads\krnl_beta.exe

Filesize
1.8MB

MD5
3701dc535fb395d6a1fb557a3aeec5e9

SHA1
ef517659229ddc6ecfc02481c3953ac9322dae35

SHA256
ec6df713446a8dd5efb376fbb7b444ed7e09f5cdd98c0494999b64af2e2d5537

SHA512
20dc14387138f913034bd2c265156dca1f36c128c040a99d6904fe6f1830d2f98afb3dcf0553817adb66e480be7d0fb0d7df58f0feb9b007a5a6bab648b081a2

Download Submit
C:\Users\Admin\Downloads\krnl_beta.exe

Filesize
1.8MB

MD5
3701dc535fb395d6a1fb557a3aeec5e9

SHA1
ef517659229ddc6ecfc02481c3953ac9322dae35

SHA256
ec6df713446a8dd5efb376fbb7b444ed7e09f5cdd98c0494999b64af2e2d5537

SHA512
20dc14387138f913034bd2c265156dca1f36c128c040a99d6904fe6f1830d2f98afb3dcf0553817adb66e480be7d0fb0d7df58f0feb9b007a5a6bab648b081a2

Download Submit
C:\Users\Admin\Downloads\krnl_beta.exe.hckmi1n.partial

Filesize
1.8MB

MD5
3701dc535fb395d6a1fb557a3aeec5e9

SHA1
ef517659229ddc6ecfc02481c3953ac9322dae35

SHA256
ec6df713446a8dd5efb376fbb7b444ed7e09f5cdd98c0494999b64af2e2d5537

SHA512
20dc14387138f913034bd2c265156dca1f36c128c040a99d6904fe6f1830d2f98afb3dcf0553817adb66e480be7d0fb0d7df58f0feb9b007a5a6bab648b081a2

Download Submit
memory/992-156-0x0000000000E00000-0x0000000000F1E000-memory.dmp

Filesize
1.1MB

Download
memory/4080-136-0x0000000000D00000-0x0000000000EDA000-memory.dmp

Filesize
1.9MB

Download
memory/4080-137-0x0000000008660000-0x0000000008668000-memory.dmp

Filesize
32KB

Download
memory/4080-138-0x0000000009500000-0x0000000009538000-memory.dmp

Filesize
224KB

Download
memory/4080-141-0x00000000094E0000-0x00000000094EE000-memory.dmp

Filesize
56KB

Download
memory/4080-144-0x0000000009690000-0x000000000969A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads