26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90

Analysis

max time kernel
201s
max time network
240s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe
Size

124KB
MD5

16388ffed0efd8dc850b4ec329af81f2
SHA1

3bff3d7351d930daaefa411b9814761adfb01987
SHA256

26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90
SHA512

5107c9c3ee1d62afe66a20c47a97db1cee50f526fc32eb2396691c956b95f5411f934af17f1aef4d5c4376f1216cfe9de6d6a2e3d18f96c94a2092ca5eef372b
SSDEEP

1536:NTsz/5YaPYhRO/N69BH3OoGa+FLHjKceRgrkOSoINeGUmE:hGBYawhkFoN3Oo1+FvfSW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

doiat.exejaajion.exershoid.exevfheow.exexuiim.exe26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exezooavuf.exehgwaoc.exesyxar.exewwnik.exezoooman.exexzbaop.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	doiat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jaajion.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rshoid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vfheow.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xuiim.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zooavuf.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hgwaoc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	syxar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wwnik.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zoooman.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xzbaop.exe

Executes dropped EXE 12 IoCs

Processes:

zoooman.exexzbaop.exehgwaoc.exezooavuf.exedoiat.exejaajion.exershoid.exevfheow.exesyxar.exewwnik.exexuiim.exexozul.exe

pid	process
3032	zoooman.exe
2728	xzbaop.exe
2992	hgwaoc.exe
1284	zooavuf.exe
4800	doiat.exe
1216	jaajion.exe
4208	rshoid.exe
2280	vfheow.exe
4824	syxar.exe
2104	wwnik.exe
3208	xuiim.exe
3656	xozul.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zooavuf.exejaajion.exewwnik.exexuiim.exexzbaop.exezoooman.exehgwaoc.exedoiat.exershoid.exevfheow.exesyxar.exe26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	zooavuf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	jaajion.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	wwnik.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	xuiim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	xzbaop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	zoooman.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	hgwaoc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	doiat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	rshoid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	vfheow.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	syxar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hgwaoc.exezooavuf.exewwnik.exe26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exexzbaop.exershoid.exevfheow.exesyxar.exedoiat.exexuiim.exejaajion.exezoooman.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	hgwaoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zooavuf = "C:\\Users\\Admin\\zooavuf.exe /f"	hgwaoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doiat = "C:\\Users\\Admin\\doiat.exe /b"	zooavuf.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	wwnik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoooman = "C:\\Users\\Admin\\zoooman.exe /o"	26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hgwaoc = "C:\\Users\\Admin\\hgwaoc.exe /Y"	xzbaop.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	rshoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfheow = "C:\\Users\\Admin\\vfheow.exe /z"	rshoid.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vfheow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwnik = "C:\\Users\\Admin\\wwnik.exe /c"	syxar.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	doiat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuiim = "C:\\Users\\Admin\\xuiim.exe /M"	wwnik.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	xuiim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xozul = "C:\\Users\\Admin\\xozul.exe /n"	xuiim.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	xzbaop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syxar = "C:\\Users\\Admin\\syxar.exe /A"	vfheow.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	zooavuf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jaajion = "C:\\Users\\Admin\\jaajion.exe /j"	doiat.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	jaajion.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rshoid = "C:\\Users\\Admin\\rshoid.exe /V"	jaajion.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	syxar.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	zoooman.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xzbaop = "C:\\Users\\Admin\\xzbaop.exe /N"	zoooman.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exezoooman.exexzbaop.exehgwaoc.exezooavuf.exedoiat.exejaajion.exershoid.exevfheow.exesyxar.exewwnik.exexuiim.exe

pid	process
1152	26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe
1152	26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe
3032	zoooman.exe
3032	zoooman.exe
2728	xzbaop.exe
2728	xzbaop.exe
2992	hgwaoc.exe
2992	hgwaoc.exe
1284	zooavuf.exe
1284	zooavuf.exe
4800	doiat.exe
4800	doiat.exe
1216	jaajion.exe
1216	jaajion.exe
4208	rshoid.exe
4208	rshoid.exe
2280	vfheow.exe
2280	vfheow.exe
4824	syxar.exe
4824	syxar.exe
2104	wwnik.exe
2104	wwnik.exe
3208	xuiim.exe
3208	xuiim.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exezoooman.exexzbaop.exehgwaoc.exezooavuf.exedoiat.exejaajion.exershoid.exevfheow.exesyxar.exewwnik.exexuiim.exexozul.exe

pid	process
1152	26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe
3032	zoooman.exe
2728	xzbaop.exe
2992	hgwaoc.exe
1284	zooavuf.exe
4800	doiat.exe
1216	jaajion.exe
4208	rshoid.exe
2280	vfheow.exe
4824	syxar.exe
2104	wwnik.exe
3208	xuiim.exe
3656	xozul.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exezoooman.exexzbaop.exehgwaoc.exezooavuf.exedoiat.exejaajion.exershoid.exevfheow.exesyxar.exewwnik.exexuiim.exe

description	pid	process	target process
PID 1152 wrote to memory of 3032	1152	26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe	zoooman.exe
PID 1152 wrote to memory of 3032	1152	26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe	zoooman.exe
PID 1152 wrote to memory of 3032	1152	26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe	zoooman.exe
PID 3032 wrote to memory of 2728	3032	zoooman.exe	xzbaop.exe
PID 3032 wrote to memory of 2728	3032	zoooman.exe	xzbaop.exe
PID 3032 wrote to memory of 2728	3032	zoooman.exe	xzbaop.exe
PID 2728 wrote to memory of 2992	2728	xzbaop.exe	hgwaoc.exe
PID 2728 wrote to memory of 2992	2728	xzbaop.exe	hgwaoc.exe
PID 2728 wrote to memory of 2992	2728	xzbaop.exe	hgwaoc.exe
PID 2992 wrote to memory of 1284	2992	hgwaoc.exe	zooavuf.exe
PID 2992 wrote to memory of 1284	2992	hgwaoc.exe	zooavuf.exe
PID 2992 wrote to memory of 1284	2992	hgwaoc.exe	zooavuf.exe
PID 1284 wrote to memory of 4800	1284	zooavuf.exe	doiat.exe
PID 1284 wrote to memory of 4800	1284	zooavuf.exe	doiat.exe
PID 1284 wrote to memory of 4800	1284	zooavuf.exe	doiat.exe
PID 4800 wrote to memory of 1216	4800	doiat.exe	jaajion.exe
PID 4800 wrote to memory of 1216	4800	doiat.exe	jaajion.exe
PID 4800 wrote to memory of 1216	4800	doiat.exe	jaajion.exe
PID 1216 wrote to memory of 4208	1216	jaajion.exe	rshoid.exe
PID 1216 wrote to memory of 4208	1216	jaajion.exe	rshoid.exe
PID 1216 wrote to memory of 4208	1216	jaajion.exe	rshoid.exe
PID 4208 wrote to memory of 2280	4208	rshoid.exe	vfheow.exe
PID 4208 wrote to memory of 2280	4208	rshoid.exe	vfheow.exe
PID 4208 wrote to memory of 2280	4208	rshoid.exe	vfheow.exe
PID 2280 wrote to memory of 4824	2280	vfheow.exe	syxar.exe
PID 2280 wrote to memory of 4824	2280	vfheow.exe	syxar.exe
PID 2280 wrote to memory of 4824	2280	vfheow.exe	syxar.exe
PID 4824 wrote to memory of 2104	4824	syxar.exe	wwnik.exe
PID 4824 wrote to memory of 2104	4824	syxar.exe	wwnik.exe
PID 4824 wrote to memory of 2104	4824	syxar.exe	wwnik.exe
PID 2104 wrote to memory of 3208	2104	wwnik.exe	xuiim.exe
PID 2104 wrote to memory of 3208	2104	wwnik.exe	xuiim.exe
PID 2104 wrote to memory of 3208	2104	wwnik.exe	xuiim.exe
PID 3208 wrote to memory of 3656	3208	xuiim.exe	xozul.exe
PID 3208 wrote to memory of 3656	3208	xuiim.exe	xozul.exe
PID 3208 wrote to memory of 3656	3208	xuiim.exe	xozul.exe
PID 3208 wrote to memory of 3656	3208	xuiim.exe	xozul.exe
PID 3208 wrote to memory of 3656	3208	xuiim.exe	xozul.exe

C:\Users\Admin\AppData\Local\Temp\26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe
"C:\Users\Admin\AppData\Local\Temp\26266882cad968f23764cdb3f877671022729453725705d3e5688c51a4c13d90.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\zoooman.exe
"C:\Users\Admin\zoooman.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\xzbaop.exe
"C:\Users\Admin\xzbaop.exe"
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\hgwaoc.exe
"C:\Users\Admin\hgwaoc.exe"
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\zooavuf.exe
"C:\Users\Admin\zooavuf.exe"
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\doiat.exe
"C:\Users\Admin\doiat.exe"
6⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\jaajion.exe
"C:\Users\Admin\jaajion.exe"
7⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\rshoid.exe
"C:\Users\Admin\rshoid.exe"
8⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4208

C:\Users\Admin\vfheow.exe
"C:\Users\Admin\vfheow.exe"
9⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\syxar.exe
"C:\Users\Admin\syxar.exe"
10⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\wwnik.exe
"C:\Users\Admin\wwnik.exe"
11⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\xuiim.exe
"C:\Users\Admin\xuiim.exe"
12⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208

C:\Users\Admin\xozul.exe
"C:\Users\Admin\xozul.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\doiat.exe

Filesize
124KB

MD5
ac8d906e58acef86030dc76fe8077243

SHA1
765828dff0e3602340fdd3576dc863406cbf9612

SHA256
337e74d775676a3a05eb1e9515083a89c1411b13b07ea06a812dd0a0e62d504a

SHA512
ca34867f717d6b694cdb02a7c7c755becf3ebd14b4c57f5d8d2d7c2bce719e0713e93122e262c0801558ca171c0a8283252e73f56fbe9dd8eca2805d0ed3aa78

Download Submit
C:\Users\Admin\doiat.exe

Filesize
124KB

MD5
ac8d906e58acef86030dc76fe8077243

SHA1
765828dff0e3602340fdd3576dc863406cbf9612

SHA256
337e74d775676a3a05eb1e9515083a89c1411b13b07ea06a812dd0a0e62d504a

SHA512
ca34867f717d6b694cdb02a7c7c755becf3ebd14b4c57f5d8d2d7c2bce719e0713e93122e262c0801558ca171c0a8283252e73f56fbe9dd8eca2805d0ed3aa78

Download Submit
C:\Users\Admin\hgwaoc.exe

Filesize
124KB

MD5
ed276d30bad0be5812e8c12d3bd5fd2c

SHA1
11dafee9bd373b9b7140432af2468a4bd15b7689

SHA256
eda61d126ebbe84d10154d2c039dc467a37e3e53d035bc5782bd1ea393bbe4bd

SHA512
362431560d79127c1c1f8b8fef1dbc3170b4e3086440c269cd2a931ee0557d65b3e082520e990a2ccbfefa771c560a123c390248634b5d771b9a10173b818705

Download Submit
C:\Users\Admin\hgwaoc.exe

Filesize
124KB

MD5
ed276d30bad0be5812e8c12d3bd5fd2c

SHA1
11dafee9bd373b9b7140432af2468a4bd15b7689

SHA256
eda61d126ebbe84d10154d2c039dc467a37e3e53d035bc5782bd1ea393bbe4bd

SHA512
362431560d79127c1c1f8b8fef1dbc3170b4e3086440c269cd2a931ee0557d65b3e082520e990a2ccbfefa771c560a123c390248634b5d771b9a10173b818705

Download Submit
C:\Users\Admin\jaajion.exe

Filesize
124KB

MD5
60aa49ae3c05001de6c9dd9a0344bfdc

SHA1
09578e650c6f911e566b87990a73532424702859

SHA256
7fdd6f8165b8e616c0c695a48c576d0658d44754a0c0155e3ab953e8dbe2a7a1

SHA512
c348080365f1c1d57a2c625076068383532de097e82f4475a08aea46fbee3176add5a73cef819b293d24cf5aab14722b7e5cbfc658d5e8af34ff5da24276ab48

Download Submit
C:\Users\Admin\jaajion.exe

Filesize
124KB

MD5
60aa49ae3c05001de6c9dd9a0344bfdc

SHA1
09578e650c6f911e566b87990a73532424702859

SHA256
7fdd6f8165b8e616c0c695a48c576d0658d44754a0c0155e3ab953e8dbe2a7a1

SHA512
c348080365f1c1d57a2c625076068383532de097e82f4475a08aea46fbee3176add5a73cef819b293d24cf5aab14722b7e5cbfc658d5e8af34ff5da24276ab48

Download Submit
C:\Users\Admin\rshoid.exe

Filesize
124KB

MD5
27a97b33625ac86e13282e32aa8d2981

SHA1
2bebaeef67c2aaf7933e7044beaa0cca07a7a8ac

SHA256
8092ab20428040f567be2941f304f20e22303040767c49540e71090ee7714262

SHA512
a702a8ee456a2b16d7ae3d62851416c8cb124f56ec371ca1acbe94dbb2a7c4ddfdea48a84751ed933ad65274514aec382fc8ef2d4b6cd795207433f3e1b77463

Download Submit
C:\Users\Admin\rshoid.exe

Filesize
124KB

MD5
27a97b33625ac86e13282e32aa8d2981

SHA1
2bebaeef67c2aaf7933e7044beaa0cca07a7a8ac

SHA256
8092ab20428040f567be2941f304f20e22303040767c49540e71090ee7714262

SHA512
a702a8ee456a2b16d7ae3d62851416c8cb124f56ec371ca1acbe94dbb2a7c4ddfdea48a84751ed933ad65274514aec382fc8ef2d4b6cd795207433f3e1b77463

Download Submit
C:\Users\Admin\syxar.exe

Filesize
124KB

MD5
1f1a56edb323c0d6fb5197683ab22376

SHA1
a8f2a12c9523151ac28c57b731d8d5ecfa4cbcda

SHA256
c51fb014a0504866d1f83d98c9ee401defbf70b00d338884204bfa6ec71d1eb3

SHA512
9e1a277c081532fabfba85611afa73be19855467b2643aaf51b885a75a9e7e251c79bc3b67384284a173d395d2956b65ce9b06c7158c810332bf1a9029c3905b

Download Submit
C:\Users\Admin\syxar.exe

Filesize
124KB

MD5
1f1a56edb323c0d6fb5197683ab22376

SHA1
a8f2a12c9523151ac28c57b731d8d5ecfa4cbcda

SHA256
c51fb014a0504866d1f83d98c9ee401defbf70b00d338884204bfa6ec71d1eb3

SHA512
9e1a277c081532fabfba85611afa73be19855467b2643aaf51b885a75a9e7e251c79bc3b67384284a173d395d2956b65ce9b06c7158c810332bf1a9029c3905b

Download Submit
C:\Users\Admin\vfheow.exe

Filesize
124KB

MD5
941096d6ea4caad81ec0a454e9c63e76

SHA1
179a78995e6d631d0f216fefb3efd2f199ba7126

SHA256
4f8e0904f78a532b5a30bc5838046b99eeadea76c2c8194bb26eea99398c65a4

SHA512
2092ad8474c37e58e1c14d35ce4f9a8e1a9b4616b7a5c4dd24e34500f26a374d985bdeb8798b82a50c7400d8355472ec5cfc384606dfc9a55c8893695d60491e

Download Submit
C:\Users\Admin\vfheow.exe

Filesize
124KB

MD5
941096d6ea4caad81ec0a454e9c63e76

SHA1
179a78995e6d631d0f216fefb3efd2f199ba7126

SHA256
4f8e0904f78a532b5a30bc5838046b99eeadea76c2c8194bb26eea99398c65a4

SHA512
2092ad8474c37e58e1c14d35ce4f9a8e1a9b4616b7a5c4dd24e34500f26a374d985bdeb8798b82a50c7400d8355472ec5cfc384606dfc9a55c8893695d60491e

Download Submit
C:\Users\Admin\wwnik.exe

Filesize
124KB

MD5
d18db304afc28d72a94e8f63c627b460

SHA1
29d26660d1fb33aa4d949da52c4368a5690aec17

SHA256
4f2ed6f4b7ce7b9bfdb8e793a485cf8e0586e86caef64da939320ede56e59535

SHA512
a29fe922d4216a31e9b45ac4ac649c5a2165dccb13b816fbbcf59c2850b17f314b26ef0b38c8d2eda93974c331ce9508c8ebb7aa999ecfc30a5b3d37d14a6151

Download Submit
C:\Users\Admin\wwnik.exe

Filesize
124KB

MD5
d18db304afc28d72a94e8f63c627b460

SHA1
29d26660d1fb33aa4d949da52c4368a5690aec17

SHA256
4f2ed6f4b7ce7b9bfdb8e793a485cf8e0586e86caef64da939320ede56e59535

SHA512
a29fe922d4216a31e9b45ac4ac649c5a2165dccb13b816fbbcf59c2850b17f314b26ef0b38c8d2eda93974c331ce9508c8ebb7aa999ecfc30a5b3d37d14a6151

Download Submit
C:\Users\Admin\xozul.exe

Filesize
124KB

MD5
f48e097db5ca34686b0c06854f3386b6

SHA1
5d3d938c556dae9f951dd7eb7de68cb95c9c29a4

SHA256
bd20b492f89fc50bb7177dcf456b2d460cb1f608172b0f4a05d652b7f73f2017

SHA512
4632560e5e534ccbacef768e071f2814aa8bfdd99c18c698e580fc2945750b13b2414506f9b7c7aef1bc1a713ad73f1830410e6dbc9cec33abc956b831541af8

Download Submit
C:\Users\Admin\xozul.exe

Filesize
124KB

MD5
f48e097db5ca34686b0c06854f3386b6

SHA1
5d3d938c556dae9f951dd7eb7de68cb95c9c29a4

SHA256
bd20b492f89fc50bb7177dcf456b2d460cb1f608172b0f4a05d652b7f73f2017

SHA512
4632560e5e534ccbacef768e071f2814aa8bfdd99c18c698e580fc2945750b13b2414506f9b7c7aef1bc1a713ad73f1830410e6dbc9cec33abc956b831541af8

Download Submit
C:\Users\Admin\xuiim.exe

Filesize
124KB

MD5
7d5b9647c2e07dbbad33de7865e511db

SHA1
d6901c4b20aca21aebe1f027e9d125a83faa8706

SHA256
e1d0d2111b99b56529ad5930a44f087e6458617b9ae35047567df42170433ace

SHA512
b43f5b5c8297af478b9c64423499eef26a0ec2fa270b97691336786dcb1a9291cf1b730e18a2d0f2e91115ed7307c377629ecffff4b456495915053a19346eb6

Download Submit
C:\Users\Admin\xuiim.exe

Filesize
124KB

MD5
7d5b9647c2e07dbbad33de7865e511db

SHA1
d6901c4b20aca21aebe1f027e9d125a83faa8706

SHA256
e1d0d2111b99b56529ad5930a44f087e6458617b9ae35047567df42170433ace

SHA512
b43f5b5c8297af478b9c64423499eef26a0ec2fa270b97691336786dcb1a9291cf1b730e18a2d0f2e91115ed7307c377629ecffff4b456495915053a19346eb6

Download Submit
C:\Users\Admin\xzbaop.exe

Filesize
124KB

MD5
2709b677c265f8d5ffec97529b3645a5

SHA1
38484037866e111dbfc81d8094435034b35bb08c

SHA256
7cd3277e3a3b9640d30641b5aba9e39c0fc3e470784d4f528db2c1c8c8e0d98d

SHA512
9c304bbdd04cf2ea2832fb03e14258e72b64c4bb03d51fda49d9021f51d99222659c18f164662d36935ed34e9e7dabd3cfe61184de4ca7cf5fef1c8850a8d1b0

Download Submit
C:\Users\Admin\xzbaop.exe

Filesize
124KB

MD5
2709b677c265f8d5ffec97529b3645a5

SHA1
38484037866e111dbfc81d8094435034b35bb08c

SHA256
7cd3277e3a3b9640d30641b5aba9e39c0fc3e470784d4f528db2c1c8c8e0d98d

SHA512
9c304bbdd04cf2ea2832fb03e14258e72b64c4bb03d51fda49d9021f51d99222659c18f164662d36935ed34e9e7dabd3cfe61184de4ca7cf5fef1c8850a8d1b0

Download Submit
C:\Users\Admin\zooavuf.exe

Filesize
124KB

MD5
54d7429f93b0f0f939cfc4c514d74722

SHA1
09501b82fb6032b964ee80800fa2d07858955d55

SHA256
079cb4a1f59f260aaa655d7c7da99fe20832aaae1b23ca2f6c3d4edce2d42400

SHA512
6f0cde60027e8399e25c49da49af510ba7bbe6f58b25d24162484b5b7e6715400afc2542a0e3ece643b20e8cd37bc74b973a42b3f67b6e74c55e960243b30c03

Download Submit
C:\Users\Admin\zooavuf.exe

Filesize
124KB

MD5
54d7429f93b0f0f939cfc4c514d74722

SHA1
09501b82fb6032b964ee80800fa2d07858955d55

SHA256
079cb4a1f59f260aaa655d7c7da99fe20832aaae1b23ca2f6c3d4edce2d42400

SHA512
6f0cde60027e8399e25c49da49af510ba7bbe6f58b25d24162484b5b7e6715400afc2542a0e3ece643b20e8cd37bc74b973a42b3f67b6e74c55e960243b30c03

Download Submit
C:\Users\Admin\zoooman.exe

Filesize
124KB

MD5
5819d32bc3d1384aad6325c13393c314

SHA1
758dec5a8f59a1cb32a1ac2633f1696a5dbf2c8b

SHA256
c3c840ff381de37ee31d1d2dc7d32f463ca75615161c75cf5456894eaebfc5b8

SHA512
4b72b5ba1c88a65948222fe6e45f4a92da0d2ef6b6bfa5f3f559807aaf06e2d46d6710c3a4c6fccc48f4edb63b8c9451c2c953105d39bf138f1c136a6333e1ed

Download Submit
C:\Users\Admin\zoooman.exe

Filesize
124KB

MD5
5819d32bc3d1384aad6325c13393c314

SHA1
758dec5a8f59a1cb32a1ac2633f1696a5dbf2c8b

SHA256
c3c840ff381de37ee31d1d2dc7d32f463ca75615161c75cf5456894eaebfc5b8

SHA512
4b72b5ba1c88a65948222fe6e45f4a92da0d2ef6b6bfa5f3f559807aaf06e2d46d6710c3a4c6fccc48f4edb63b8c9451c2c953105d39bf138f1c136a6333e1ed

Download Submit
memory/1216-159-0x0000000000000000-mapping.dmp

Download
memory/1284-149-0x0000000000000000-mapping.dmp

Download
memory/2104-179-0x0000000000000000-mapping.dmp

Download
memory/2280-169-0x0000000000000000-mapping.dmp

Download
memory/2728-139-0x0000000000000000-mapping.dmp

Download
memory/2992-144-0x0000000000000000-mapping.dmp

Download
memory/3032-134-0x0000000000000000-mapping.dmp

Download
memory/3208-184-0x0000000000000000-mapping.dmp

Download
memory/3656-189-0x0000000000000000-mapping.dmp

Download
memory/4208-164-0x0000000000000000-mapping.dmp

Download
memory/4800-154-0x0000000000000000-mapping.dmp

Download
memory/4824-174-0x0000000000000000-mapping.dmp

Download