ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76

Analysis

max time kernel
91s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
Size

669KB
MD5

6b3ced3247b49068977a4be805854324
SHA1

1579d63100e3b44a6b9981dd4c97242b20ceba35
SHA256

ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76
SHA512

7b58806c580b7edb88308076cb182fd9cbc4028b322e9b5688b36d0478b512971970c300c324069239e1b9bce2eb650cbff93d4fa161d89f78839e48d45125c5
SSDEEP

12288:QQjNB/yfdkYTZ5soj01t6FKCpoWKmxi89PUos:QQ5NcxT7J84poWKmxB9Q

Score

10^/10

bootkit persistence upx

Malware Config

Signatures

Suspicious use of NtCreateProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4812 created 532	4812	regsougoupy.exe	26
PID 4576 created 532	4576	regsougoupy.exe	26

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/memory/2260-158-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/3212-161-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft

Executes dropped EXE 10 IoCs

pid	Process
4812	regsougoupy.exe
4576	regsougoupy.exe
2260	RtkSYUdp.exe
3212	RtkSYUdp.exe
5044	RtkSYUdp.exe
4584	RtkSYUdp.exe
980	RtkSYUdp.exe
4460	RtkSYUdp.exe
3412	RtkSYUdp.exe
1788	RtkSYUdp.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3908-132-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/3908-133-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/3908-148-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/files/0x00030000000006ff-154.dat	upx
behavioral2/files/0x00030000000006ff-155.dat	upx
behavioral2/memory/2260-157-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2260-158-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/files/0x00030000000006ff-160.dat	upx
behavioral2/memory/3212-161-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/files/0x00030000000006ff-163.dat	upx
behavioral2/files/0x00030000000006ff-165.dat	upx
behavioral2/files/0x00030000000006ff-167.dat	upx
behavioral2/files/0x00030000000006ff-169.dat	upx
behavioral2/files/0x00030000000006ff-171.dat	upx
behavioral2/files/0x00030000000006ff-173.dat	upx

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	RtkSYUdp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.tmp	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\regsougoupy.exe	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
File created	C:\Windows\RtkSYUdp.exe	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1252	4780	WerFault.exe	91
4288	3364	WerFault.exe	85

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\internet explorer\version Vector	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe

Runs regedit.exe 3 IoCs

pid	Process
3916	regedit.exe
3364	regedit.exe
4780	regedit.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
4812	regsougoupy.exe
4812	regsougoupy.exe
3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
4576	regsougoupy.exe
4576	regsougoupy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 3916	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	78
PID 3908 wrote to memory of 3916	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	78
PID 3908 wrote to memory of 3916	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	78
PID 3908 wrote to memory of 3816	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	79
PID 3908 wrote to memory of 3816	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	79
PID 3908 wrote to memory of 3816	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	79
PID 3908 wrote to memory of 4812	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	81
PID 3908 wrote to memory of 4812	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	81
PID 3908 wrote to memory of 4812	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	81
PID 3908 wrote to memory of 1152	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	82
PID 3908 wrote to memory of 1152	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	82
PID 3908 wrote to memory of 1152	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	82
PID 4812 wrote to memory of 3364	4812	regsougoupy.exe	85
PID 4812 wrote to memory of 3364	4812	regsougoupy.exe	85
PID 4812 wrote to memory of 3364	4812	regsougoupy.exe	85
PID 3908 wrote to memory of 744	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	87
PID 3908 wrote to memory of 744	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	87
PID 3908 wrote to memory of 744	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	87
PID 3908 wrote to memory of 4576	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	88
PID 3908 wrote to memory of 4576	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	88
PID 3908 wrote to memory of 4576	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	88
PID 4576 wrote to memory of 4780	4576	regsougoupy.exe	91
PID 4576 wrote to memory of 4780	4576	regsougoupy.exe	91
PID 4576 wrote to memory of 4780	4576	regsougoupy.exe	91
PID 3908 wrote to memory of 1280	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	92
PID 3908 wrote to memory of 1280	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	92
PID 3908 wrote to memory of 1280	3908	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	92
PID 1280 wrote to memory of 952	1280	cmd.exe	99
PID 1280 wrote to memory of 952	1280	cmd.exe	99
PID 1280 wrote to memory of 952	1280	cmd.exe	99
PID 744 wrote to memory of 2260	744	cmd.exe	100
PID 744 wrote to memory of 2260	744	cmd.exe	100
PID 744 wrote to memory of 2260	744	cmd.exe	100
PID 744 wrote to memory of 3212	744	cmd.exe	101
PID 744 wrote to memory of 3212	744	cmd.exe	101
PID 744 wrote to memory of 3212	744	cmd.exe	101
PID 744 wrote to memory of 5044	744	cmd.exe	102
PID 744 wrote to memory of 5044	744	cmd.exe	102
PID 744 wrote to memory of 5044	744	cmd.exe	102
PID 744 wrote to memory of 4584	744	cmd.exe	103
PID 744 wrote to memory of 4584	744	cmd.exe	103
PID 744 wrote to memory of 4584	744	cmd.exe	103
PID 744 wrote to memory of 980	744	cmd.exe	104
PID 744 wrote to memory of 980	744	cmd.exe	104
PID 744 wrote to memory of 980	744	cmd.exe	104
PID 744 wrote to memory of 4460	744	cmd.exe	105
PID 744 wrote to memory of 4460	744	cmd.exe	105
PID 744 wrote to memory of 4460	744	cmd.exe	105
PID 744 wrote to memory of 3412	744	cmd.exe	106
PID 744 wrote to memory of 3412	744	cmd.exe	106
PID 744 wrote to memory of 3412	744	cmd.exe	106
PID 744 wrote to memory of 1788	744	cmd.exe	107
PID 744 wrote to memory of 1788	744	cmd.exe	107
PID 744 wrote to memory of 1788	744	cmd.exe	107

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:532
- C:\Users\Admin\AppData\Local\Temp\ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
  "C:\Users\Admin\AppData\Local\Temp\ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
    3⤵
    - Modifies registry class
    - Runs regedit.exe
    PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
    3⤵
    PID:3816
- - C:\Windows\regsougoupy.exe
    C:\Windows\regsougoupy.exe \??\C:\Windows\regedit.exe 532 C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp
    3⤵
    - Suspicious use of NtCreateProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."
      4⤵
      Executes dropped EXE
      PID:2260
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\.."
      4⤵
      Executes dropped EXE
      PID:3212
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      PID:5044
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\GOOGLE~1.LNK"
      4⤵
      Executes dropped EXE
      PID:4584
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\MICROS~1.LNK"
      4⤵
      Executes dropped EXE
      PID:980
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\SHOWSD~1.LNK"
      4⤵
      Executes dropped EXE
      PID:4460
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1"
      4⤵
      Executes dropped EXE
      PID:3412
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\WINDOW~1.LNK"
      4⤵
      Executes dropped EXE
      PID:1788
- - C:\Windows\regsougoupy.exe
    C:\Windows\regsougoupy.exe \??\C:\Windows\regedit.exe 532 C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp
    3⤵
    - Suspicious use of NtCreateProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
      4⤵
      PID:952
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:3364
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3364 -s 8
    3⤵
    - Program crash
    PID:4288
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:4780
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4780 -s 8
    3⤵
    - Program crash
    PID:1252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 4780 -ip 4780
1⤵
PID:2732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 3364 -ip 3364
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat

Filesize
253B

MD5
cb350b29233b3440633123bb77692140

SHA1
52793f1ba4c7925d41c6e79a109080c3d12b69e6

SHA256
7031fcb0fa967101e4d4894e9ebbac7e0ed00cc3ba57777afa02f521356530d3

SHA512
0e5d3b34262260b807179d6a51e2c62524d3b0a132c05c4425830d376d1002d150aa0fd8e747a67d96b8ae8145ab903892ce3eaa8245084832eefd02b31c09b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
639B

MD5
b1600f55340d6b58315a32e81a4dde47

SHA1
465921b1b1613cd17addbe6c4ffd67ec51360b7c

SHA256
72d7ae26f58a3b282c372822139034f6237ad2b65571d06f930bce22da3b3898

SHA512
8a8ac3bbe6500e2dacd104b7f8d863ec7d0411801ecd8dfaf1370b6dbcbe8496683e5019d4f6292f231f6393bbed46198d38ac4b7e520f31e3b6df1b1f08f3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

Filesize
59B

MD5
0cf180f20e716094bef34db0f1a39a04

SHA1
f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b

SHA256
2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26

SHA512
a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat

Filesize
1KB

MD5
95457d5629ea8e2e826c36393a3479a6

SHA1
0190011fc3613e735179a9501e72d732cb92ac3c

SHA256
ec3b4324057e9bd22e0542473afbdcd45f1077f91c862d208e8b3a4e1ced6c45

SHA512
9c4c7340307412863dfece7847532b6976cb7096c47fd3e8a557c8d3413a642a26a1645f460db4bcbda009bd322b082df80c0786bbf14a968038b19324d6d4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp

Filesize
1KB

MD5
185038ec1cc9a69a109726c8989e4cf5

SHA1
bfb62037297e8533e5f3940a32fb9505acf4fe26

SHA256
48ccff6cd96445619998a70fad77f5e655a9d146b93d0d160656619728c4e727

SHA512
bb0065a36a9bc48199943b21f3c3f10916fd15aa54201513f344464d962b5e6339e1df1b932043a914a662631f842a2f3b7a2c6e8c4e414567c5ea8ac9950391

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEXPLORE.tmp

Filesize
1KB

MD5
93abb412c5afaa779fe1720103a36e3c

SHA1
a2f709b149e750c5089dbfbfc508f67bdf27d65a

SHA256
032d765d9743c124a2cc21a1607a2d6fd78772773fef3a5c6f60a1ae5596b1b8

SHA512
1d3de7dc68333ee8bf71558aee9739dce7b32af9f0233aa77f7667af230f86c0246e08a9b278af0f2efdd3d42fd90e369eb2d5f29e98dab590ef84ca29dd6b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp

Filesize
4KB

MD5
62c0937f8894411495238c5bc542a3e9

SHA1
92fd3e6010465478086ab3da0935783af9038ebf

SHA256
8ec231d59bc419b015536e29bbabf2dd19b5e86703c0ef9658606d6737589631

SHA512
1ff86febe4b2cb8e0bc7af60cf60bd6854ef482a459d583a8e2e1f83527fddfc7e30218755d214c51bc456687db4ef58ed5b73d323860368ce3121c584fa17ab

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\regsougoupy.exe

Filesize
92KB

MD5
6f028d5d5303b7d2f44ff676f6be4a21

SHA1
d7522f55db54d136e9be7ae90887591cdc03b64b

SHA256
855efd09b5e0b44499f8b4571786e352a16e8afc2456f09df76e53b6d5e700ed

SHA512
d6d7a990b0472cb0e4cf4cec0d9cddd51894a2391ebc79f0fcac7e9c4789cddccc587021dd24bde1b06bf6ac9726e5fb8d7014138bf4f9af83c3664627ac1412

Download Submit
C:\Windows\regsougoupy.exe

Filesize
92KB

MD5
6f028d5d5303b7d2f44ff676f6be4a21

SHA1
d7522f55db54d136e9be7ae90887591cdc03b64b

SHA256
855efd09b5e0b44499f8b4571786e352a16e8afc2456f09df76e53b6d5e700ed

SHA512
d6d7a990b0472cb0e4cf4cec0d9cddd51894a2391ebc79f0fcac7e9c4789cddccc587021dd24bde1b06bf6ac9726e5fb8d7014138bf4f9af83c3664627ac1412

Download Submit
C:\Windows\regsougoupy.exe

Filesize
92KB

MD5
6f028d5d5303b7d2f44ff676f6be4a21

SHA1
d7522f55db54d136e9be7ae90887591cdc03b64b

SHA256
855efd09b5e0b44499f8b4571786e352a16e8afc2456f09df76e53b6d5e700ed

SHA512
d6d7a990b0472cb0e4cf4cec0d9cddd51894a2391ebc79f0fcac7e9c4789cddccc587021dd24bde1b06bf6ac9726e5fb8d7014138bf4f9af83c3664627ac1412

Download Submit
memory/2260-158-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2260-157-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3212-161-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3908-133-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3908-132-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3908-148-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download