Analysis

Max time kernel: 120s
Max time network: 147s
Platform: windows7_x64
Resource: win7-20230831-en
Resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
Submitted: 02-10-2023 15:27

Static task: static1
Behavioral task: behavioral1 (sample 30082023.exe, resource win7-20230831-en)
Behavioral task: behavioral2 (sample 30082023.exe, resource win10v2004-20230915-en)
General

Target: 30082023.exe
Size: 466KB
MD5: 4d5ce0ea9efcb7e3fdb61c32d1626748
SHA1: 5813b82a84f3c3d8f4b5a7af227026fc2c8c7f66
SHA256: dc5e498d5465b93688dd366c5661cb624456b0982928c3778845b5d640ebf625
SHA512: 9739f69426a5c58aca0c4349a65417994376fd436c5cd55f2feaf30f8fe15ea80e6271fcd80f0c70f77b1f171324a11d730248429f55b80f842b8a71f2fe7be1
SSDEEP: 12288:zMYG3l6sMIBJCx6icVkGYJ/Zi/PBs6lD+S:zjGDFkiPB9lD+S
Malware Config

Extracted: snakekeylogger
Protocol: smtp
Host: mail.gkas.com.tr
Port: 587
Username: [email protected]
Password: Gkasteknik@2022
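The config above gives the exfiltration channel (SMTP submission to mail.gkas.com.tr:587 with a hard-coded mailbox login), but the Network tab of this run is empty, so there is nothing on the page to confirm it against. The script below is an added example, not code from the sandbox or from the sample: it takes the extracted host and port, picks out the matching flows from a connection log, and decodes the AUTH LOGIN credentials from a submission session when the session is plaintext. The connection log lines, the SMTP exchanges and the placeholder username/password in them are constructed (our own line layout, not Zeek or Suricata output); the real credentials in the config are deliberately not copied into the code.

```python
"""Confirming the extracted SMTP exfiltration channel in network evidence.

Added example, not part of the report: the connection log and the SMTP
exchanges are constructed to resemble what a .NET SmtpClient talking to the
configured host would produce. The credentials in the constructed session are
placeholders; the real ones are in the Malware Config section above.
"""
import base64
from typing import Dict, List, Optional

# Protocol, host and port as extracted above; the credentials are not copied.
EXTRACTED = {"protocol": "smtp", "host": "mail.gkas.com.tr", "port": 587}

# Constructed connection log, one "timestamp src_ip dst_host dst_port proto" per line.
CONN_LOG = """\
2023-10-02T15:28:01Z 10.0.2.15 go.microsoft.com 80 tcp
2023-10-02T15:28:05Z 10.0.2.15 mail.gkas.com.tr 587 tcp
2023-10-02T15:28:07Z 10.0.2.15 ctldl.windowsupdate.com 80 tcp
2023-10-02T15:29:40Z 10.0.2.15 mail.gkas.com.tr 587 tcp
"""

# Constructed submission session with a plaintext AUTH LOGIN ("C:" client, "S:" server).
SMTP_PLAIN = [
    "S: 220 mail.gkas.com.tr ESMTP",
    "C: EHLO victim-pc",
    "S: 250-mail.gkas.com.tr",
    "S: 250-STARTTLS",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",                                       # "Username:"
    "C: " + base64.b64encode(b"stealer@example.invalid").decode(),
    "S: 334 UGFzc3dvcmQ6",                                       # "Password:"
    "C: " + base64.b64encode(b"placeholder-password").decode(),
    "S: 235 2.7.0 Authentication successful",
    "C: MAIL FROM:<stealer@example.invalid>",
]
# Same client with EnableSsl set: STARTTLS first, so AUTH travels inside TLS.
SMTP_TLS = SMTP_PLAIN[:5] + ["C: STARTTLS", "S: 220 Ready to start TLS",
                             "<encrypted application data>"]


def exfil_flows(conn_log: str, cfg: Dict) -> List[str]:
    """Connection-log lines that reach the configured SMTP host and port."""
    hits = []
    for line in conn_log.splitlines():
        _ts, _src, dst_host, dst_port, _proto = line.split()
        if dst_host.lower() == cfg["host"].lower() and int(dst_port) == cfg["port"]:
            hits.append(line)
    return hits


def auth_login_credentials(exchange: List[str]) -> Optional[Dict[str, str]]:
    """Decode the AUTH LOGIN credentials from a plaintext exchange.

    Returns None when the client issues STARTTLS before authenticating (the
    credentials are then inside TLS and the flow tuple is all you get) or when
    no AUTH LOGIN is present. Handles both the two-step form and the
    initial-response form (AUTH LOGIN <base64 user>) that RFC 4954 allows.
    """
    client = [line[3:].strip() for line in exchange if line.startswith("C: ")]
    for i, cmd in enumerate(client):
        if cmd.upper() == "STARTTLS":
            return None
        if cmd.upper().startswith("AUTH LOGIN"):
            parts = cmd.split(maxsplit=2)
            pending = [parts[2]] if len(parts) == 3 else []
            pending += client[i + 1 : i + 3 - len(pending)]
            if len(pending) < 2:
                return None
            user, password = (base64.b64decode(p).decode("utf-8", "replace")
                              for p in pending[:2])
            return {"username": user, "password": password}
    return None


if __name__ == "__main__":
    for hit in exfil_flows(CONN_LOG, EXTRACTED):
        print("flow to configured exfil server:", hit)
    print("plaintext session:", auth_login_credentials(SMTP_PLAIN))
    print("STARTTLS session:", auth_login_credentials(SMTP_TLS))
```

Port 587 submission normally negotiates STARTTLS before AUTH, so in most captures the credential decode returns None and the configuration extracted by the sandbox is the only place the mailbox login is visible; the destination host and port are still a reliable network indicator either way.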
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload 4 IoCs
resource | yara_rule
behavioral1/memory/2732-24-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
behavioral1/memory/2732-28-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
behavioral1/memory/2732-26-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
behavioral1/memory/2464-32-0x00000000022C0000-0x0000000002300000-memory.dmp | family_snakekeylogger
UAC bypass 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Windows security bypass 2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | 30082023.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | svchost.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | 30082023.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | svchost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 30082023.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 30082023.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Executes dropped EXE 1 IoCs
pid | process
2736 | svchost.exe

Loads dropped DLL 1 IoCs
pid | process
2556 | cmd.exe

Windows security modification 3 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | 30082023.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 30082023.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 30082023.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | process | target process
PID 2736 set thread context of 2732 | 2736 | svchost.exe | regtlibv12.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
pid | process
2112 | timeout.exe

Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer.
description | ioc | process
Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | Main | IEXPLORE.EXE
Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = 3089010745f5d901 | iexplore.exe
Key created | Zoom | iexplore.exe
Key created | Recovery\PendingRecovery | iexplore.exe
Key created | Toolbar | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | SearchScopes | iexplore.exe
Key created | TabbedBrowsing\NewTabPage | iexplore.exe
Key created | BrowserEmulation\LowMic | iexplore.exe
Key created | IETld\LowMic | iexplore.exe
Set value (int) | Recovery\AdminActive\{314FD391-6138-11EE-865B-4E9D0FD57FD1} = "0" | iexplore.exe
Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac2000000000200000000001066000000010000200000003492eb0c6293fb7d22450c51ffe4a124426db1f50446a0549334e77779815ceb000000000e80000000020000200000005756eff51291b69641d2c2a82671fdbc5c4c6538e9cd84b47468b68fff71ed9d2000000052b0a29e6399e6b64cb6b3138b1690ffc0f275b9d02a5851b2a5aa8effb1100640000000b82f1eedbb713370ab635396726395f001c48686e6ce488bf3161430a1a2d720755f0be363955ae504ba97893854396a82c7a21c5ec9a047db32ae5ba5d60689 | iexplore.exe
Key created | IntelliForms | iexplore.exe
Key created | PageSetup | iexplore.exe
Key created | LowRegistry\DOMStorage | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | SearchScopes\DownloadRetries = "3" | iexplore.exe
Key created | Main | iexplore.exe
Key created | GPU | iexplore.exe
Key created | LowRegistry | iexplore.exe
Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Key created | TabbedBrowsing | iexplore.exe
Key created | DomainSuggestion | iexplore.exe
Set value (int) | DomainSuggestion\NextUpdateDate = "402422315" | iexplore.exe
Key created | InternetRegistry | iexplore.exe
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Key created | Main\WindowsSearch | iexplore.exe
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | Toolbar\WebBrowser | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\MFV = (value not preserved) | iexplore.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | process
752 | 30082023.exe
752 | 30082023.exe
2736 | svchost.exe
2736 | svchost.exe
2464 | powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | process
Token: SeDebugPrivilege | 752 | 30082023.exe
Token: SeDebugPrivilege | 2736 | svchost.exe
Token: SeDebugPrivilege | 2464 | powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | process
2864 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid | process
2864 | iexplore.exe
2864 | iexplore.exe
2356 | IEXPLORE.EXE
2356 | IEXPLORE.EXE
2356 | IEXPLORE.EXE
2356 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 45 IoCs
description | pid | process | target process (each pair is recorded several times in the report; repeats collapsed)
PID 752 wrote to memory of 2700 | 752 | 30082023.exe | cmd.exe
PID 752 wrote to memory of 2556 | 752 | 30082023.exe | cmd.exe
PID 2700 wrote to memory of 2580 | 2700 | cmd.exe | schtasks.exe
PID 2556 wrote to memory of 2112 | 2556 | cmd.exe | timeout.exe
PID 2556 wrote to memory of 2736 | 2556 | cmd.exe | svchost.exe
PID 2736 wrote to memory of 2464 | 2736 | svchost.exe | powershell.exe
PID 2736 wrote to memory of 3020 | 2736 | svchost.exe | Microsoft.Workflow.Compiler.exe
PID 2736 wrote to memory of 2732 | 2736 | svchost.exe | regtlibv12.exe
PID 2732 wrote to memory of 2864 | 2732 | regtlibv12.exe | iexplore.exe
PID 2864 wrote to memory of 2356 | 2864 | iexplore.exe | IEXPLORE.EXE

System policy modification 1 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Processes

C:\Users\Admin\AppData\Local\Temp\30082023.exe (PID 752)
  "C:\Users\Admin\AppData\Local\Temp\30082023.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2700)
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 2580)
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe (PID 2556)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5496.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe (PID 2112)
      timeout 3
      - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2736)
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - UAC bypass
      - Windows security bypass
      - Looks for VirtualBox Guest Additions in registry
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2464)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe (PID 3020)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe (PID 2732)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\iexplore.exe (PID 2864)
          "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=regtlibv12.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2356)
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2864 CREDAT:275457 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

Reading the tree: the dropper (PID 752) registers persistence twice (a Run key and an on-logon scheduled task with /rl highest, both pointing at the copy in AppData\Roaming), then a temporary batch file waits three seconds and starts that copy. The copy (PID 2736) turns UAC off (EnableLUA = 0), excludes itself from Defender both through the registry and through Add-MpPreference, and writes the Snake Keylogger payload into regtlibv12.exe (PID 2732) via WriteProcessMemory and SetThreadContext, which is where the family YARA rule matches in memory. The iexplore.exe launch under regtlibv12.exe is the .NET runtime shim's "no matching runtime" redirect (the fwlink carries o1=SHIM_NOVERSION_FOUND and processName=regtlibv12.exe), so the Internet Explorer registry activity listed above is a side effect of the injected host, not browsing by the keylogger.
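The registry writes, command lines and SetThreadContext event in this tree are the kind of evidence that should trip automated rules rather than be read by hand. The script below is an added example, not code from the sandbox or from the sample: it transcribes those events from the report into inline data (our own layout, not a real sandbox or EDR export format; the duplicated Defender-exclusion rows are collapsed to one) and runs the checks an analyst would want over comparable output: UAC disabled via EnableLUA, a Defender exclusion or autorun pointing into a user-writable directory, a highest-privilege scheduled task targeting such a directory, Add-MpPreference on a command line, a batch file run from Temp, several anti-VM registry probes from one process, and a thread-context change on a .NET Framework binary. The list of .NET host binaries beyond regtlibv12.exe and the user-writable directory markers are assumptions made for the example.

```python
"""Detection rules over the behavioural events this report lists.

Added example, not code from the sandbox or from the sample: the event lists
below are transcribed from the Signatures and Processes sections into a layout
of our own, and each rule encodes one check an analyst would want to run
automatically over comparable sandbox or EDR output.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Directories a standard user can write to; the markers are our own choice.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Registry paths the sample reads to fingerprint VMs and sandboxes (from the report).
ANTI_VM_KEYS = (r"\oracle\virtualbox guest additions", r"\vmware, inc.\vmware tools",
                r"\description\system\systembiosversion", r"\description\system\videobiosversion",
                r"\services\disk\enum")
# .NET Framework binaries used as hollowing hosts. regtlibv12.exe is the one in
# this report; the rest are an assumption about what else to watch for.
DOTNET_HOSTS = ("regtlibv12.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe")


class RegEvent(NamedTuple):
    process: str
    op: str        # "Set value (int)", "Key opened", "Key value queried", ...
    key: str
    value: Optional[str]


class ProcEvent(NamedTuple):
    parent: str
    image: str
    cmdline: str


Finding = Tuple[str, str, str]  # (rule name, process, detail)


def user_writable(path: str) -> bool:
    p = path.lower().strip("\"' ")
    return any(marker in p for marker in USER_WRITABLE)


def check_registry(events: List[RegEvent]) -> List[Finding]:
    findings: List[Finding] = []
    probes: Dict[str, Set[str]] = {}
    for ev in events:
        k = ev.key.lower()
        is_set = ev.op.startswith("Set value")
        if is_set and k.endswith(r"\policies\system\enablelua") and ev.value == "0":
            findings.append(("uac_disabled", ev.process, ev.key))
        excl = re.search(r"\\Windows Defender\\Exclusions\\Paths\\(.+)$", ev.key, re.I)
        if is_set and excl and user_writable(excl.group(1)):
            findings.append(("defender_exclusion_user_path", ev.process, excl.group(1)))
        if is_set and "\\currentversion\\run\\" in k and ev.value and user_writable(ev.value):
            findings.append(("run_key_user_path", ev.process, ev.value))
        if any(a in k for a in ANTI_VM_KEYS):
            probes.setdefault(ev.process, set()).add(k)
    # One VM-related key read is common in benign software; several from one
    # process is the fingerprinting pattern the report flags.
    for proc, keys in probes.items():
        if len(keys) >= 2:
            findings.append(("vm_fingerprinting", proc, f"{len(keys)} keys probed"))
    return findings


def check_processes(events: List[ProcEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        c = ev.cmdline
        if re.search(r"schtasks(\.exe)?\s.*?/create", c, re.I):
            tr = re.search(r"/tr\s+['\"]*([^'\"]+)", c, re.I)
            target = tr.group(1) if tr else ""
            if re.search(r"/rl\s+highest", c, re.I) and user_writable(target):
                findings.append(("schtask_highest_from_user_path", ev.image, target))
        if re.search(r"Add-MpPreference\s+-ExclusionPath", c, re.I):
            findings.append(("defender_exclusion_cmdline", ev.image, c))
        if re.search(r"\.bat\b", c, re.I) and user_writable(c):
            findings.append(("batch_from_user_path", ev.image, c))
    return findings


def check_thread_context(events: List[Tuple[str, str]]) -> List[Finding]:
    """events: (source image, target image) pairs from SetThreadContext calls."""
    return [("thread_context_dotnet_host", src, tgt)
            for src, tgt in events if tgt.lower() in DOTNET_HOSTS]


# Events transcribed from the report above.
REG_EVENTS = [
    RegEvent("svchost.exe", "Set value (int)",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    RegEvent("svchost.exe", "Key created",
             r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths", None),
    RegEvent("svchost.exe", "Set value (int)",
             r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe", "0"),
    RegEvent("30082023.exe", "Set value (str)",
             r"\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
             r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    RegEvent("30082023.exe", "Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions", None),
    RegEvent("30082023.exe", "Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools", None),
    RegEvent("30082023.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", None),
]
PROC_EVENTS = [
    ProcEvent("30082023.exe", "cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '
              '/tn "svchost" /tr \'"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"\' & exit'),
    ProcEvent("cmd.exe", "schtasks.exe",
              'schtasks /create /f /sc onlogon /rl highest /tn "svchost" '
              '/tr \'"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"\''),
    ProcEvent("30082023.exe", "cmd.exe", 'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp5496.tmp.bat""'),
    ProcEvent("cmd.exe", "timeout.exe", "timeout 3"),
    ProcEvent("svchost.exe", "powershell.exe",
              '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference '
              '-ExclusionPath "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" -Force'),
]
SETCTX_EVENTS = [("svchost.exe", "regtlibv12.exe")]


def triage() -> List[Finding]:
    return (check_registry(REG_EVENTS) + check_processes(PROC_EVENTS)
            + check_thread_context(SETCTX_EVENTS))


if __name__ == "__main__":
    for rule, proc, detail in triage():
        print(f"{rule:32} {proc:14} {detail}")
```

Each rule is deliberately narrow (a specific key, a specific switch, a specific host binary) so that a hit is actionable on its own; the combination of an autorun in AppData, a Defender exclusion for the same path and a thread-context write into a .NET binary is what distinguishes this run from an installer that merely registers a scheduled task.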
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (3): Disable or Modify Tools (3)
  Modify Registry (6)
  Virtualization/Sandbox Evasion (2)
Downloads

The CryptnetUrlCache\MetaData entries below are CryptoAPI certificate revocation/trust-list cache records rewritten by Windows during the run; they are run artefacts, not files dropped by the sample. The entries without a path are listed as the report gives them.

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a09a41b446cc881847a572add6fb2fa1
  SHA1: d88ce98cc23e95ceed21252a5fe19db410b1e2b1
  SHA256: 65f9a31ab005eb2325121dc828f95a7dc53d44caaabc82f4bc5857beea3524ed
  SHA512: 82508a50807fabc0a2e6e4aa0993ab3b015b6dc7fd43e9e277eca2c612c32d593e848f10e9d54d6e337a268b6f907a34a6cd37aa0a4d609c4ae1ebbb40e37a76
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: b3195a179a00d3034ebcc8b378e091dd
  SHA1: 2d967cdd419b981ef4e9ed8c1d3c5cb0b251a6d6
  SHA256: 5daf18391742afab7fcaff2783dc3411a6288badbdf8dd0fc269ddbfad274422
  SHA512: 37593ca2732ff57a517619dbcbb82c4a887e8d03e9a3d82e89bc392edf44b4c47ede3cc444d1c6e99e450564ead8ebc3e48cdccb8930b79e50206e14dfc05743
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 41042281f159dc3e9e287316b8d81bd8
  SHA1: 1ff9f7b8dca4609756ae94c41d67423b15d135c3
  SHA256: 4c992973ab32f87ebf6bca3a834e32b3770ae589bded817b3d5a55829e18b49e
  SHA512: 567b59d4a5fb80fe3cfffb97fee85f2d4c87d2b924b3374cd08ec973b61658ffaa4e450e02376f78d3ffa0fb90a671e2551ab87e146ca68da771e7be42fd8a26
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: ff2d7de586970f6c2f94d680c58f15ce
  SHA1: c42e884667d4179921fb03363196b1b9ef71657d
  SHA256: e65e4b50742e7f1aa2b94fb8b50d33b952307052bf88f6cab224be44d39d20e8
  SHA512: d69d169cebeb42b68329587df63eb40bc52dc5ab441c453c849eb2197019b23933db1cea2a8a0f4e41ba0e0b32c97313bb857173150c023c602356f318026029
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 4d9256c002bd542d5da3c92801ecb0c7
  SHA1: c3b4a73e775abb8ccabd86be72e50f90fc401c23
  SHA256: ea0d48a627065be347531c44fb4f17498e59266151751c295406a389d9b79701
  SHA512: 5f3a5fc4dbec8c4868c3b65f6188eda65e1d138d0cd6344383b31c5e9f0ce53db92ddb591229014f45d33969f0a42e42b4e5684a61f816fbbdf9e9b9a7319fc5
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 6795076f59430ee8b1685402319d7d71
  SHA1: 258c859af2747366aeda5d95799b21f40fbfedde
  SHA256: 1fc1f4f79121e1c861a253a884472b720872e1d1b53704b4bc6608b94156053b
  SHA512: bd497575f4e83a60a9405e18786cd8f2f759ba85223d5e0ca0f5c5914e3786848672ee54e47f1faf505d77f2665cc870c117249c298a2a004bcc5fdd40aad148
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 4e6df607fc7e8b6c7694f1797c959cb2
  SHA1: 42dd8bd07ee68fc05a6b83087989989c2b52fb16
  SHA256: 5cd8964b555b3f4a404a9dca7af6fef5fcbe6bc93260d3a7ee31268c26aaf46d
  SHA512: 550a4ae7d3f927e8a25699e6b54a94c74893baee93532e3f71badc668a1b85231f055316d3215946455c51c7f2b958b5306e1c8a3e8219f68517bd4ab4561919
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 628d8feefe7b1a5749d012c62227d5da
  SHA1: 05439e1a19b88880acab0230d94cdc52f8adc4e0
  SHA256: 771c97b3d2ac1ae50b3e8a52582c8c3ef857ba107ffa6517fa7b855b246e409d
  SHA512: 87ac8a8f0070440ff93e1e8d88b85731bf635ec7e5e7ea725ddf7303bd92f3425f06b6aa3205ccb54683ce16568c9fa82475350203faae9bb3a384b0cc70ce14
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 8cad6afaead7a29b838de5c6b665b150
  SHA1: 97f498c1a17f48a1536955ccdb0b99935e08be76
  SHA256: 605ab69a11d94326eba90ca8fb620b20f48a26ab02160d7628777a712122720e
  SHA512: 20cbf76d3415babe7a6d7ca4a2c887ca35343c7dcb0c6a9765dc3cae0b4dd7d4eeb7a64263243e09b25e19c823561d7853ddff16086496eaef379e0cb6cbd943
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 454ad2f1abce271d8f37edc2510d0bb6
  SHA1: c86eb550647bfff3786942157c43a9172723afa0
  SHA256: 28260d671fb7b6d3e62b5c28f360595881913e7489d525a60888f53498d14443
  SHA512: 80047fba1be6140699d8fb19fb821af925dcd92c67f82f267dd7f27da06f7f0fc3820a4d259d280f6a089f567a0c7a522504746dc6bcde038b13116843b2b999
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 7b0442645197cb9ac6bc9aa93b8f3580
  SHA1: 6405abc8b46b4c162e43a340ef565170422cc9db
  SHA256: 80ef1f207ed98c76b69c0c610a292495fe5aadc12e50e409ea67b6e542d8652a
  SHA512: f13d2a2f734c0def642ee84a050ab3fd8c79664b9ac698d5913512099c67a3e2c01e10bbb18f9b41166129f0877fe19f0b58b73fc1cd39593eded922b628aa6f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 6731d19814c78e4cdcc7070661509bfd
  SHA1: dac27bc24341df9b9d7bb1cd2170d44c37bb2c15
  SHA256: 36817c036c1d11e0e1e55a2051da5865e2c36fa371d3b87cc1858c237e9c57de
  SHA512: e0bc6a3a9bd7248f4c302e2ebeddaef45e1093e2882ce58723e5b8503ab978812e8838adb123cd3a12e5828d0e0ea2c72a06ac3d41bfb3259ee583504dd74032
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 4c03a133577bda1ceaf5005ea52878fd
  SHA1: 7654b9b2fc5db07af940d8b8caa4052ba995ed16
  SHA256: 22cca86b24aa8ea91b40c3d7703def4b5b18a14a2063d077f804599dd0a32747
  SHA512: 99aff57bb88599d61170fcc024b5bc53b7839f2b99623a38e4ccb93a30bccff9e6a4364147c66cb652b4fb404ed789700f6b60ba3b4e7a42110b7251071fc3f8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: e170338c24eeed61f3f501f48ee7983b
  SHA1: 3789a631f2c726d0342a5b858947d5f3c57f7b32
  SHA256: 7feab5ec47b97b096c3235d1afc7fe8db7cb64516fc3361637a62257ee9f7fd2
  SHA512: 0d59ddfb0f464f92ad89b2183c4396f36dff6e3c2e1d125ff9fdb0c6b1ea5aeb15c823ff797cca2e5b9ac5a3d727109e878aee316ddc232e2e2492f8a61aecf8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 49852e3572ec41a47f06fd0c510cc82c
  SHA1: 85be1451081fe5328470250dee2aa05001272c57
  SHA256: 46e7ac76cd00351eb18476eef26dbbc579e01b2824b391cc03054a3f9bded855
  SHA512: 808391644a5ecaf88c007d971bf1e9f120021b0e3c7114db45f64abc40c1e60b908dbd806abccb09d43138fca7fa6db3bb52f5bf255587b50b7207924fd4aa3d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: e66cd790acf1bc0c645d63988401280c
  SHA1: fb84c5447eba03b292c380f01cde10ad8f7e9dff
  SHA256: 4a921f426b77e13f5dfbf1c57bf08194542ed4aac0ecb37a6900683190975c37
  SHA512: cc374ab0c6dd8cf11dc7467711f7c89c7fc098093bbf3f10295aab99a525b683998ef430748e7bb9ca1d43511b29a52f94956508bb36186d1cac569b8daf7ba6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 15c4c04932eb488b93d5c39e64b18fd3
  SHA1: a72d685825c9716576fb4930cc439206bf219874
  SHA256: 792792cbe31cc4268bab825966ba5546b7b5ffd603e1fca15672f0ac462b43a9
  SHA512: 58310c978fd25cc293ebd9bdd0a0b4b036359098a258bbd226105a6d53615760b3a73ca00f3c267d67c7725ad7714708fa0eb564550a19f46dcb33d3ffb2c47b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: d62c213f17fc1d17f393eeacf8f0353a
  SHA1: ad0ec65ba4eba13a84b9d4a860041221c9601bb6
  SHA256: 798272e2064651f58b22eb9923a7a711bc5352c2327ab8adb5c111780f8138c5
  SHA512: 1addb0af1213355698bd05049db06f77da4fc5a8de85a7c818128fb327b4bd28a9fa22de67da3d3667d50fa0ce8a9d063936f8f71865f9f884c9a0842a95bc63
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 6ce2bb3aeb0e5f14ba3e8d61d4be4247
  SHA1: 0a36abbb70c59e31252927423f9d3b2cb2f70480
  SHA256: aacc6a15a70e260afa50ffa392cbd489fd84537323bba0a743f1c07ff1d3ddf1
  SHA512: 4d93efd1b2a555614fcf1d4af558758c9570efba603f47066557473236e504893b5335cc55679cdd50bcd69f6f8d174c4461c678df777af32b19cd24f0d985ac
- Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
- Filesize: 163KB
  MD5: 9441737383d21192400eca82fda910ec
  SHA1: 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
  SHA256: bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
  SHA512: 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
- Filesize: 151B (recorded twice in the report with identical hashes)
  MD5: f69439ebe24f00542842fb04fd4ed05a
  SHA1: 193601481d1f51e3aed8bc081493ca6604527307
  SHA256: de6d1319489b46bd84066934afd1424a7d9b29fdc70bf7edab1e67141ad5e1e6
  SHA512: e05a8c4f8710b71a3d94263a63fd99924d3bb66e40e9341b862be5b547247e1eb3cdb8823dc362d9b4c6296f4c3adbdaf5f4d9c4a1375029d6b85f3b3772f999
- Filesize: 466KB (recorded three times in the report; the hashes are those of the submitted sample, i.e. the copies written during the run are byte-identical to 30082023.exe)
  MD5: 4d5ce0ea9efcb7e3fdb61c32d1626748
  SHA1: 5813b82a84f3c3d8f4b5a7af227026fc2c8c7f66
  SHA256: dc5e498d5465b93688dd366c5661cb624456b0982928c3778845b5d640ebf625
  SHA512: 9739f69426a5c58aca0c4349a65417994376fd436c5cd55f2feaf30f8fe15ea80e6271fcd80f0c70f77b1f171324a11d730248429f55b80f842b8a71f2fe7be1