Analysis
- max time kernel: 120s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 02-10-2023 16:39
Static task: static1
Behavioral task: behavioral1
- Sample: hesaphareketi-01.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: hesaphareketi-01.exe
- Resource: win10v2004-20230915-en
General
- Target: hesaphareketi-01.exe
- Size: 731KB
- MD5: 3024f8b8500d2629b5d934d0ef334efb
- SHA1: d2013e0488e50fe9039986129e46725c2353e0a7
- SHA256: 12a63c9b7bd7c707d4a0e440182abf8c5afc62c171a06f188e32c18048c7ea31
- SHA512: b8ca6e76ebfd879d3f5643caa614d57fb7d57e5a95d79aecea2bdbd71bbed366b72a59a12b96b6f84e988c45e15e1c3369fd01418972e0aed7dba65ee2a4a998
- SSDEEP: 12288:JqH3dU+ta6byR6WYlvZja6+hpKo8sRexHyoRwMt7zANdi:etU+YxYtARN6wUK0
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.gkas.com.tr
- Port: 587
- Username: [email protected]
- Password: Gkasteknik@2022
Signatures
Snake Keylogger
Keylogger and infostealer first seen in November 2020.
Snake Keylogger payload (4 IoCs)
Processes:
- behavioral1/memory/2776-26-0x0000000000400000-0x0000000000424000-memory.dmp: family_snakekeylogger
- behavioral1/memory/2776-29-0x0000000000400000-0x0000000000424000-memory.dmp: family_snakekeylogger
- behavioral1/memory/2776-31-0x0000000000400000-0x0000000000424000-memory.dmp: family_snakekeylogger
- behavioral1/memory/1540-34-0x0000000002700000-0x0000000002740000-memory.dmp: family_snakekeylogger
UAC bypass (1 IoCs)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (svchost.exe)
Windows security bypass (2 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (svchost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" (svchost.exe)
Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions (hesaphareketi-01.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions (svchost.exe)
Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools (hesaphareketi-01.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools (svchost.exe)
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (hesaphareketi-01.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (hesaphareketi-01.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (svchost.exe)
Executes dropped EXE (1 IoCs)
Processes:
- PID 2224: svchost.exe
Loads dropped DLL (1 IoCs)
Processes:
- PID 2624: cmd.exe
Windows security modification (3 IoCs)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" (svchost.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths (svchost.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions (svchost.exe)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" (hesaphareketi-01.exe)
Checks whether UAC is enabled (2 IoCs)
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (svchost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (svchost.exe)
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (hesaphareketi-01.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (hesaphareketi-01.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (svchost.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 2224 (svchost.exe) set thread context of PID 2776 (mscorsvw.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe (1 IoCs)
Processes:
- PID 2544: timeout.exe
Modifies Internet Explorer settings (34 IoCs)
Processes:
All keys below are under \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer.
- Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (str): Main\FullScreen = "no" (iexplore.exe)
- Key created: Recovery\PendingRecovery (iexplore.exe)
- Set value (int): DomainSuggestion\NextUpdateDate = "402426652" (iexplore.exe)
- Key created: Toolbar (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (int): Recovery\AdminActive\{4A4B9FF1-6142-11EE-94FE-FAA3B8E0C052} = "0" (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created: DomainSuggestion (iexplore.exe)
- Key created: Toolbar\WebBrowser (iexplore.exe)
- Key created: Main\WindowsSearch (iexplore.exe)
- Key created: SearchScopes (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (int): TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf81200000000020000000000106600000001000020000000a3b27437eb04e3417c270048a561a022b0bc887a90e8a26515e2876cece391fd000000000e80000000020000200000001099eabbb4a8b686d8114883f54da4e6c1fb5018f7c03a79805af746dc0739e8200000006eff4198e8d6ff202c22abacde35ae4cde227869703712743930ec186e199cf240000000b381d6141eda907535f596fa0088ed51cebdfdf2dd974c443a902496f1a804c60cf1077fadc73d3ca38f55e1c59c1fc6842517aa1b1af96f3da1026fef2d9acd (iexplore.exe)
- Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Key created: Zoom (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Key created: TabbedBrowsing (iexplore.exe)
- Key created: BrowserEmulation\LowMic (iexplore.exe)
- Key created: IETld\LowMic (iexplore.exe)
- Key created: IntelliForms (iexplore.exe)
- Key created: InternetRegistry (iexplore.exe)
- Key created: LowRegistry (iexplore.exe)
- Key created: PageSetup (iexplore.exe)
- Key created: Main (iexplore.exe)
- Key created: GPU (iexplore.exe)
- Key created: LowRegistry\DOMStorage (iexplore.exe)
- Key created: Recovery\AdminActive (iexplore.exe)
- Key created: Main (IEXPLORE.EXE)
- Set value (int): SearchScopes\DownloadRetries = "3" (iexplore.exe)
- Key created: TabbedBrowsing\NewTabPage (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\LastProcessed = 10f9f5214ff5d901 (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\MFV = (value elided) (iexplore.exe)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- PID 2972: hesaphareketi-01.exe
- PID 2972: hesaphareketi-01.exe
- PID 2224: svchost.exe
- PID 2224: svchost.exe
- PID 1540: powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 2972 (hesaphareketi-01.exe)
- Token: SeDebugPrivilege, PID 2224 (svchost.exe)
- Token: SeDebugPrivilege, PID 1540 (powershell.exe)
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
- PID 820: iexplore.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
- PID 820: iexplore.exe
- PID 820: iexplore.exe
- PID 852: IEXPLORE.EXE
- PID 852: IEXPLORE.EXE
- PID 852: IEXPLORE.EXE
- PID 852: IEXPLORE.EXE
Suspicious use of WriteProcessMemory (45 IoCs)
Processes:
- PID 2972 (hesaphareketi-01.exe) wrote to memory of PID 2620 (cmd.exe), 4 entries
- PID 2972 (hesaphareketi-01.exe) wrote to memory of PID 2624 (cmd.exe), 4 entries
- PID 2620 (cmd.exe) wrote to memory of PID 2504 (schtasks.exe), 4 entries
- PID 2624 (cmd.exe) wrote to memory of PID 2544 (timeout.exe), 4 entries
- PID 2624 (cmd.exe) wrote to memory of PID 2224 (svchost.exe), 4 entries
- PID 2224 (svchost.exe) wrote to memory of PID 1540 (powershell.exe), 4 entries
- PID 2224 (svchost.exe) wrote to memory of PID 2696 (SMSvcHost.exe), 4 entries
- PID 2224 (svchost.exe) wrote to memory of PID 2776 (mscorsvw.exe), 9 entries
- PID 2776 (mscorsvw.exe) wrote to memory of PID 820 (iexplore.exe), 4 entries
- PID 820 (iexplore.exe) wrote to memory of PID 852 (IEXPLORE.EXE), 4 entries
System policy modification (1 TTPs, 1 IoCs)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (svchost.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe (PID 2972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.exe"
  Signatures:
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe (PID 2620)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\schtasks.exe (PID 2504)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      Signatures:
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 2624)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD124.tmp.bat""
    Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\timeout.exe (PID 2544)
      Command line: timeout 3
      Signatures:
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2224)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures:
      - UAC bypass
      - Windows security bypass
      - Looks for VirtualBox Guest Additions in registry
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      Child processes:
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1540)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        Signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (PID 2696)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2776)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
        Signatures:
        - Suspicious use of WriteProcessMemory
        Child processes:
        - C:\Program Files\Internet Explorer\iexplore.exe (PID 820)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mscorsvw.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
          Signatures:
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          Child processes:
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 852)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:820 CREDAT:275457 /prefetch:2
            Signatures:
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (6)
- Virtualization/Sandbox Evasion (2)
Downloads