Analysis
-
max time kernel
111s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07-03-2024 02:59
Static task
static1
Behavioral task
behavioral1
Sample
cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe
Resource
win7-20240221-en
General
-
Target
cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe
-
Size
161KB
-
MD5
6b08812a6837ef81f21ddd7dc04aadcb
-
SHA1
ef9acb2bd522fd21e7ee1bdfd1c6ac6522ee5952
-
SHA256
cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6
-
SHA512
51534f2963b483c91eca6bdd8aa04cd2441d9c24dc6da276c057c3137714510a4ddda9a25845890748887f096cc31889093c3389c8219e0a90911d166c2e3e7d
-
SSDEEP
3072:6iZpyDaHgA6pqu3oHS8rys0iCXlRTmmXR8su4:6qpyMMpWyKpURf
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.wisz
-
offline_id
4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures
-
Detect ZGRat V1 3 IoCs
resource yara_rule behavioral2/files/0x00090000000234ec-133.dat family_zgrat_v1 behavioral2/memory/956-148-0x0000000000C20000-0x0000000001374000-memory.dmp family_zgrat_v1 behavioral2/files/0x00090000000234ec-132.dat family_zgrat_v1 -
Detected Djvu ransomware 9 IoCs
resource yara_rule behavioral2/memory/1180-18-0x0000000003C90000-0x0000000003DAB000-memory.dmp family_djvu behavioral2/memory/3648-19-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3648-21-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3648-22-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3648-23-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3648-33-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3996-39-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3996-40-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3996-42-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 8 IoCs
resource yara_rule behavioral2/memory/400-94-0x00000000043A0000-0x0000000004C8B000-memory.dmp family_glupteba behavioral2/memory/400-95-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba behavioral2/memory/400-101-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba behavioral2/memory/400-162-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba behavioral2/memory/400-167-0x00000000043A0000-0x0000000004C8B000-memory.dmp family_glupteba behavioral2/memory/1912-169-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba behavioral2/memory/1912-171-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba behavioral2/memory/1912-203-0x0000000000400000-0x00000000022EF000-memory.dmp family_glupteba -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Detects Windows executables referencing non-Windows User-Agents 6 IoCs
resource yara_rule behavioral2/memory/400-95-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral2/memory/400-101-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral2/memory/400-162-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral2/memory/1912-169-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral2/memory/1912-171-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral2/memory/1912-203-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA -
Detects executables Discord URL observed in first stage droppers 6 IoCs
resource yara_rule behavioral2/memory/400-95-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL behavioral2/memory/400-101-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL behavioral2/memory/400-162-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL behavioral2/memory/1912-169-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL behavioral2/memory/1912-171-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL behavioral2/memory/1912-203-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL -
Detects executables containing URLs to raw contents of a Github gist 6 IoCs
resource yara_rule behavioral2/memory/400-95-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL behavioral2/memory/400-101-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL behavioral2/memory/400-162-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL behavioral2/memory/1912-169-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL behavioral2/memory/1912-171-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL behavioral2/memory/1912-203-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL -
Detects executables containing artifacts associated with disabling Widnows Defender 6 IoCs
resource yara_rule behavioral2/memory/400-95-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender behavioral2/memory/400-101-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender behavioral2/memory/400-162-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender behavioral2/memory/1912-169-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender behavioral2/memory/1912-171-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender behavioral2/memory/1912-203-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender -
Detects executables referencing many varying, potentially fake Windows User-Agents 6 IoCs
resource yara_rule behavioral2/memory/400-95-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA behavioral2/memory/400-101-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA behavioral2/memory/400-162-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA behavioral2/memory/1912-169-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA behavioral2/memory/1912-171-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA behavioral2/memory/1912-203-0x0000000000400000-0x00000000022EF000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 464 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation 20B2.exe -
Deletes itself 1 IoCs
pid Process 3424 Process not Found -
Executes dropped EXE 7 IoCs
pid Process 1180 20B2.exe 3648 20B2.exe 4192 20B2.exe 3996 20B2.exe 4244 F827.exe 400 EDE.exe 1636 2804.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1408 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f096597c-4b64-48a9-83bc-064b7e4e91d5\\20B2.exe\" --AutoStart" 20B2.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 161 api.2ip.ua 162 api.2ip.ua -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1180 set thread context of 3648 1180 20B2.exe 105 PID 4192 set thread context of 3996 4192 20B2.exe 113 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2556 3996 WerFault.exe 113 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1608 cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe 1608 cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found 3424 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1608 cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeShutdownPrivilege 3424 Process not Found Token: SeCreatePagefilePrivilege 3424 Process not Found Token: SeShutdownPrivilege 3424 Process not Found Token: SeCreatePagefilePrivilege 3424 Process not Found Token: SeShutdownPrivilege 3424 Process not Found Token: SeCreatePagefilePrivilege 3424 Process not Found Token: SeShutdownPrivilege 3424 Process not Found Token: SeCreatePagefilePrivilege 3424 Process not Found Token: SeShutdownPrivilege 3424 Process not Found Token: SeCreatePagefilePrivilege 3424 Process not Found Token: SeShutdownPrivilege 3424 Process not Found Token: SeCreatePagefilePrivilege 3424 Process not Found Token: SeDebugPrivilege 2144 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3424 Process not Found 3424 Process not Found -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 3424 wrote to memory of 1180 3424 Process not Found 101 PID 3424 wrote to memory of 1180 3424 Process not Found 101 PID 3424 wrote to memory of 1180 3424 Process not Found 101 PID 1180 wrote to memory of 3648 1180 20B2.exe 105 PID 1180 wrote to memory of 3648 1180 20B2.exe 105 PID 1180 wrote to memory of 3648 1180 20B2.exe 105 PID 1180 wrote to memory of 3648 1180 20B2.exe 105 PID 1180 wrote to memory of 3648 1180 20B2.exe 105 PID 1180 wrote to memory of 3648 1180 20B2.exe 105 PID 1180 wrote to memory of 3648 1180 20B2.exe 105 PID 1180 wrote to memory of 3648 1180 20B2.exe 105 PID 1180 wrote to memory of 3648 1180 20B2.exe 105 PID 1180 wrote to memory of 3648 1180 20B2.exe 105 PID 3648 wrote to memory of 1408 3648 20B2.exe 106 PID 3648 wrote to memory of 1408 3648 20B2.exe 106 PID 3648 wrote to memory of 1408 3648 20B2.exe 106 PID 3648 wrote to memory of 4192 3648 20B2.exe 107 PID 3648 wrote to memory of 4192 3648 20B2.exe 107 PID 3648 wrote to memory of 4192 3648 20B2.exe 107 PID 4192 wrote to memory of 3996 4192 20B2.exe 113 PID 4192 wrote to memory of 3996 4192 20B2.exe 113 PID 4192 wrote to memory of 3996 4192 20B2.exe 113 PID 4192 wrote to memory of 3996 4192 20B2.exe 113 PID 4192 wrote to memory of 3996 4192 20B2.exe 113 PID 4192 wrote to memory of 3996 4192 20B2.exe 113 PID 4192 wrote to memory of 3996 4192 20B2.exe 113 PID 4192 wrote to memory of 3996 4192 20B2.exe 113 PID 4192 wrote to memory of 3996 4192 20B2.exe 113 PID 4192 wrote to memory of 3996 4192 20B2.exe 113 PID 3424 wrote to memory of 4244 3424 Process not Found 118 PID 3424 wrote to memory of 4244 3424 Process not Found 118 PID 3424 wrote to memory of 4244 3424 Process not Found 118 PID 3424 wrote to memory of 1116 3424 Process not Found 119 PID 3424 wrote to memory of 1116 3424 Process not Found 119 PID 1116 wrote to memory of 868 1116 cmd.exe 121 PID 1116 wrote to memory of 868 1116 cmd.exe 121 PID 3424 wrote to memory of 400 3424 Process not Found 122 PID 3424 wrote to memory of 400 3424 Process not Found 122 PID 3424 wrote to memory of 400 3424 Process not Found 122 PID 3424 wrote to memory of 1636 3424 Process not Found 123 PID 3424 wrote to memory of 1636 3424 Process not Found 123 PID 400 wrote to memory of 2144 400 EDE.exe 124 PID 400 wrote to memory of 2144 400 EDE.exe 124 PID 400 wrote to memory of 2144 400 EDE.exe 124 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe"C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1608
-
C:\Users\Admin\AppData\Local\Temp\20B2.exeC:\Users\Admin\AppData\Local\Temp\20B2.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Users\Admin\AppData\Local\Temp\20B2.exeC:\Users\Admin\AppData\Local\Temp\20B2.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\f096597c-4b64-48a9-83bc-064b7e4e91d5" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:1408
-
-
C:\Users\Admin\AppData\Local\Temp\20B2.exe"C:\Users\Admin\AppData\Local\Temp\20B2.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\20B2.exe"C:\Users\Admin\AppData\Local\Temp\20B2.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2205⤵
- Program crash
PID:2556
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3996 -ip 39961⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\F827.exeC:\Users\Admin\AppData\Local\Temp\F827.exe1⤵
- Executes dropped EXE
PID:4244
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FDA7.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:868
-
-
C:\Users\Admin\AppData\Local\Temp\EDE.exeC:\Users\Admin\AppData\Local\Temp\EDE.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Users\Admin\AppData\Local\Temp\EDE.exe"C:\Users\Admin\AppData\Local\Temp\EDE.exe"2⤵PID:1912
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵PID:1232
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵PID:368
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:464
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵PID:1656
-
-
-
C:\Users\Admin\AppData\Local\Temp\2804.exeC:\Users\Admin\AppData\Local\Temp\2804.exe1⤵
- Executes dropped EXE
PID:1636
-
C:\Users\Admin\AppData\Local\Temp\5976.exeC:\Users\Admin\AppData\Local\Temp\5976.exe1⤵PID:956
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵PID:2604
-
-
C:\Users\Admin\AppData\Local\Temp\D926.exeC:\Users\Admin\AppData\Local\Temp\D926.exe1⤵PID:748
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
709KB
MD5b4496d2224777403415440dfe5f13a86
SHA15c175589db78cce01a9730eb85e2898bdafe2a5a
SHA256d3d8cacad2d64836340d846fe35f30eb06a02131ff64c2fb0fa8071065058548
SHA5120bc9d8844df1fc09815b6226186f095dfe2630b0070999a840a07e458b104d03b2fbb969a56e6d62756fc11e7eecc9d25c3cc4a9a2b7d58ba1d9de1cc60d9158
-
Filesize
11.8MB
MD5450039a02217c53bd983eaf1fd34505a
SHA1930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda
SHA256d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0
SHA512cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080
-
Filesize
11.2MB
MD54735a3ac68ec42c1c11a9da4995c2180
SHA1bae8992b04298bdbe4493a3bd4af7bd8ec21df14
SHA256c9cfea7d0004b96ce180d794bfd0e5f2930e4ac8d0a417e785816c2205e45d4f
SHA512787e3d7bf4c8119bbf4b091d704854106251fbb579d912533cdd7b7404a36adeee0d0cc2e912fe162c41f331824ab7e04eb6689db150844b72afd1b0f3af2abb
-
Filesize
1.9MB
MD5ac071ac86725eed386b62923d6ef575c
SHA1671c44aa53cfb7dac93b616c0ba100aadaf8960a
SHA256e0798f8698f42ce4ea28790432187910834816a589bf73e72ab2eb5cf10cabb7
SHA5124f91d406e9a9d0d38b9b601a8259b523a681dfad318e5f6ebd4b136ea42f945f3a940e4dba12e46351b9630717207040c6f064a4d7f43ea6712a7ec5af0c7dce
-
Filesize
1.8MB
MD541fd57cd82f051d417151de9a8a77ab3
SHA1a6e3ad8645ee9985529c72111923a4331007c1d2
SHA256838f373d47ca0d141d9140d3e1a8d3cf9a127d8a3b72eea2bbf81e2e397b5fb9
SHA512002808d1922789c49dfc72bb4f1a689bda8af9f1031ec8debde8cac37a51a5fe5c38eeb42459a84cdf264e592189fec9b7fba389f55c68f50019e0d18dbe1a05
-
Filesize
4.1MB
MD5f0d232748eafdbd8b5785b8103608ccf
SHA14791b04755963ebfa65616a8ad12b9e38ad1ea0e
SHA2561eeda2fcb2595e3d68ea8a5ff31f553630a2c80ca7fb77d3251adf34f244610b
SHA512e1b63727162cb5d4910cc26306a52d5aae8d5f10280c4f9fe0aac57d0e8ed41ccf2462c935e3fa270467d7887fb12535c9db6861d972e024fe838fabbc61675a
-
Filesize
4.1MB
MD51047d7617f162d488920965b0a8b876c
SHA1059afd73ca2f9b7c358979a6f1cc99c5424281a2
SHA25658b5bdc3cd4730734032dcc2dde7452889e6b6a12f3ae61e142df1121551859c
SHA512698483dca1f3dc3a3056b041a7c70e1609d86dcc4dc9751b04a67810be19c999235372d1a07d5806459f51d513deab91524c6fccd83b554afc331914690b74ac
-
Filesize
1.8MB
MD5f4c95e8b32a74bdbcd80c93303500a02
SHA15829be3e40b0acebacfbcff159fb45b276ade18d
SHA2568c7203c100d21d8999b550842fa9781e7880a8f280b2e7e1a3f06d4dda1f445c
SHA51257fc6efe23fa5cf22e591c93937ea56032b6dcef5a76d01008acdfc850bc4d68d301ee549979645da89e0d29b12a7fc5d059b0b2da1af94bce8e06c6f7a9c9ae
-
Filesize
3.8MB
MD564d4166bb79888a6ee896a501721bf07
SHA1732272b92adfa014413ca5399f0ecd8468241f7b
SHA256d5c75cd09e1cb7dd4719bd090d01a54495ead059414327add91beb2b1760c7d6
SHA5129f77a869bc664a8189371d6ef28853a0b4ced424e5cfaca0884a53f7b4ada0c88c181487ccef4da73473ad1cb11ca78da2aa8e131fb772148e1e5a74b4c484d0
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD58a52ee0c318f634098f62182691cac7f
SHA104c9d0e4ceb08ffa6e90bc8f5c8dd8a394ee85eb
SHA256a1a001c1ca40eaa3a00cb5d39e94faf4e7a706cbc7bf535222776c0244b0633d
SHA512e0c1b03c7bd6163f5f068043594d454c8e557b9ba57d0823d8d8175a1f2c4305315b6068b09d09d5fde4fe86601d007a177b4dcaaf0aeb7184ee171ae2e42be4