Analysis
  max time kernel: 150s
  max time network: 151s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 12-04-2024 01:39

Behavioral task: behavioral1
  Sample: c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe
  Resource: win7-20240221-en
General
  Target: c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe
  Size: 3.0MB
  MD5: fb9c101e7ee4206d46e76123f639194c
  SHA1: 5e83980f211ed8882cdbda90b374689d582e6cda
  SHA256: c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d
  SHA512: 60c3f32a31ed8d83aa1d915ed0ee0accffe8a6e3e88accc5037334f499e0ce02313a20dba9236261ab1fbe56c6c5836cdab51545c0d7668b941af27f6031ca74
  SSDEEP: 49152:yldN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmGWncFf0I74gu3AM:y90wGGzBjryX82uypSb9ndo9JCm
Malware Config

Extracted
  orcus
  loocarpoint.duckdns.org:4782
  cc0d0b196e424f1bb95d117665f988e0
  autostart_method: Disable
  enable_keylogger: false
  install_path: %programfiles%\Orcus\Orcus.exe
  reconnect_delay: 10000
  registry_keyname: Orcus
  taskscheduler_taskname: Orcus
  watchdog_path: AppData\kate_is_famous_holy_fuck
Signatures

Orcurs Rat Executable (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2876-0-0x0000000000380000-0x000000000067A000-memory.dmp | orcus
  C:\Program Files\Orcus\Orcus.exe | orcus
  behavioral1/memory/2920-14-0x0000000000E80000-0x000000000117A000-memory.dmp | orcus

Executes dropped EXE (1 IoCs)
  pid | process
  2920 | Orcus.exe

Drops file in Program Files directory (3 IoCs)
  description | ioc | process
  File created | C:\Program Files\Orcus\Orcus.exe | c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe
  File opened for modification | C:\Program Files\Orcus\Orcus.exe | c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe
  File created | C:\Program Files\Orcus\Orcus.exe.config | c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (23 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings | rundll32.exe
  (this identical entry is recorded 23 times)

Suspicious behavior: EnumeratesProcesses (44 IoCs)
  pid | process
  2920 | Orcus.exe
  (this identical entry is recorded 44 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | process
  2472 | AcroRd32.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2920 | Orcus.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  2472 | AcroRd32.exe
  2472 | AcroRd32.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | process | target process | times recorded
  PID 2876 wrote to memory of 2920 | c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe | Orcus.exe | 3
  PID 2920 wrote to memory of 2380 | Orcus.exe | rundll32.exe | 3
  PID 2380 wrote to memory of 2472 | rundll32.exe | AcroRd32.exe | 4
  PID 2920 wrote to memory of 2556 | Orcus.exe | rundll32.exe | 3
  PID 2556 wrote to memory of 1624 | rundll32.exe | AcroRd32.exe | 4
  PID 2920 wrote to memory of 2640 | Orcus.exe | rundll32.exe | 3
  PID 2640 wrote to memory of 3008 | rundll32.exe | AcroRd32.exe | 4
  PID 2920 wrote to memory of 1748 | Orcus.exe | rundll32.exe | 3
  PID 1748 wrote to memory of 2144 | rundll32.exe | AcroRd32.exe | 4
  PID 2920 wrote to memory of 924 | Orcus.exe | rundll32.exe | 3
  PID 924 wrote to memory of 844 | rundll32.exe | AcroRd32.exe | 4
  PID 2920 wrote to memory of 2236 | Orcus.exe | rundll32.exe | 3
  PID 2236 wrote to memory of 2060 | rundll32.exe | AcroRd32.exe | 4
  PID 2920 wrote to memory of 768 | Orcus.exe | rundll32.exe | 3
  PID 768 wrote to memory of 1436 | rundll32.exe | AcroRd32.exe | 4
  PID 2920 wrote to memory of 1752 | Orcus.exe | rundll32.exe | 3
  PID 1752 wrote to memory of 1140 | rundll32.exe | AcroRd32.exe | 4
  PID 2920 wrote to memory of 2092 | Orcus.exe | rundll32.exe | 3
  PID 2092 wrote to memory of 1612 | rundll32.exe | AcroRd32.exe | 2
  (identical consecutive entries are collapsed; the last column gives how many times each was recorded)
Processes

- C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe (PID 2876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe"
  Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory

  - C:\Program Files\Orcus\Orcus.exe (PID 2920)
    Command line: "C:\Program Files\Orcus\Orcus.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    Orcus.exe launched 23 rundll32.exe child processes, each with the command line
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\kate_is_famous_holy_fuck
    and each rundll32.exe instance in turn launched one AcroRd32.exe child process with the command line
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\kate_is_famous_holy_fuck"

    rundll32.exe PID | AcroRd32.exe PID | rundll32.exe signatures | AcroRd32.exe signatures
    2380 | 2472 | Modifies registry class; Suspicious use of WriteProcessMemory | Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
    2556 | 1624 | Modifies registry class; Suspicious use of WriteProcessMemory | (none)
    2640 | 3008 | Modifies registry class; Suspicious use of WriteProcessMemory | (none)
    1748 | 2144 | Modifies registry class; Suspicious use of WriteProcessMemory | (none)
    924 | 844 | Modifies registry class; Suspicious use of WriteProcessMemory | (none)
    2236 | 2060 | Modifies registry class; Suspicious use of WriteProcessMemory | (none)
    768 | 1436 | Modifies registry class; Suspicious use of WriteProcessMemory | (none)
    1752 | 1140 | Modifies registry class; Suspicious use of WriteProcessMemory | (none)
    2092 | 1612 | Modifies registry class; Suspicious use of WriteProcessMemory | (none)
    1712 | 904 | Modifies registry class | (none)
    948 | 2708 | Modifies registry class | (none)
    1816 | 2064 | Modifies registry class | (none)
    1504 | 2036 | Modifies registry class | (none)
    2848 | 2904 | Modifies registry class | (none)
    2572 | 3048 | Modifies registry class | (none)
    2340 | 2616 | Modifies registry class | (none)
    2800 | 1476 | Modifies registry class | (none)
    940 | 2440 | Modifies registry class | (none)
    2688 | 1636 | Modifies registry class | (none)
    2292 | 2144 | Modifies registry class | (none)
    2804 | 1064 | Modifies registry class | (none)
    608 | 2016 | Modifies registry class | (none)
    660 | 2960 | Modifies registry class | (none)
Downloads