Analysis
-
max time kernel
121s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 09:26
General
-
Target
Guna.UI2.dll
-
Size
1.9MB
-
MD5
bcc0fe2b28edd2da651388f84599059b
-
SHA1
44d7756708aafa08730ca9dbdc01091790940a4f
-
SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
-
SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
SSDEEP
24576:FIVZLRYIVQd9INo3FDbWX7SsOobBTEAjg+m+ZFNwaxwGoHQ/jzK+:+oWodbi9XFEAjg+m+ZFKaxw
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9910946f8,0x7ff991094708,0x7ff9910947182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2296 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5404 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5500 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1956 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6280 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3456 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5696 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6852 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2726184250269893103,3139112865778393617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Monoxide\" -spe -an -ai#7zMap27584:76:7zEvent288131⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\Monoxide\Monoxidex64.exe"C:\Users\Admin\Downloads\Monoxide\Monoxidex64.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\潘豛讽说漥侣馆蔌愱燯運剗岹蓜板衪.exe"C:\Users\Admin\AppData\Local\Temp\潘豛讽说漥侣馆蔌愱燯運剗岹蓜板衪.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" F:\$RECYCLE.BIN\S-1-5-21-1162180587-977231257-2194346871-1000\desktop.ini3⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\History.txt3⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\cy.txt3⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\fr.txt3⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\ga.txt3⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\gl.txt3⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\ky.txt3⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\mk.txt3⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\pa-in.txt3⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\ps.txt3⤵
-
-
C:\Program Files\Java\jdk-1.8\bin\jar.exe"C:\Program Files\Java\jdk-1.8\bin\jar.exe"3⤵
-
-
C:\Program Files\Java\jdk-1.8\bin\orbd.exe"C:\Program Files\Java\jdk-1.8\bin\orbd.exe"3⤵
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f0 0x3941⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5537815e7cc5c694912ac0308147852e4
SHA12ccdd9d9dc637db5462fe8119c0df261146c363c
SHA256b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
SHA51263969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
-
Filesize
152B
MD58b167567021ccb1a9fdf073fa9112ef0
SHA13baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA25626764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
69KB
MD5aac57f6f587f163486628b8860aa3637
SHA1b1b51e14672caae2361f0e2c54b72d1107cfce54
SHA2560cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486
SHA5120622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
41KB
MD572798d6bf4a836bb0b2896a25cf7d0db
SHA1030f4413870fe04b1f12b1131c113c46777e113e
SHA2566aee5edd54cf1ed741bb119de022dc6e8d0513a5adce4cd59339924a02db4f4a
SHA512340413f3a65d8b7e25ef489f6d9f64c24a6fc55e75a4ec848186fb994fef9bbd4c848768ed976162b6e3269a90f6c9b805516a565dde22704aad593752151051
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.2MB
MD5991cdad1cf921ac5ce995a0ec9b6e312
SHA1a3fef88dbfd32034daab4811e8446791d2481c6c
SHA256a2590c2b03e01f0ef1181caa7c78800ede4255186ae37c1a28194698f8f19324
SHA512807937d9f9bbf1fad83784ee802d40195edf45dcff47d11ceebdc83bd3151f773f1e36a8e8ffcaceaea707dbdf948ec0f4577f325739ad9d4f63fc6596a341ee
-
Filesize
33KB
MD53cd0f2f60ab620c7be0c2c3dbf2cda97
SHA147fad82bfa9a32d578c0c84aed2840c55bd27bfb
SHA25629a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b
SHA512ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb
-
Filesize
75KB
MD5cf989be758e8dab43e0a5bc0798c71e0
SHA197537516ffd3621ffdd0219ede2a0771a9d1e01d
SHA256beeca69af7bea038faf8f688bf2f10fda22dee6d9d9429306d379a7a4be0c615
SHA512f8a88edb6bcd029ad02cba25cae57fdf9bbc7fa17c26e7d03f09040eb0559bc27bd4db11025706190ae548363a1d3b3f95519b9740e562bb9531c4d51e3ca2b7
-
Filesize
3KB
MD52383e36bc0be1bae24e4ca8f140082cc
SHA1e4ab23e5663b4fa00d3a309baba8a8ecfaa6e540
SHA256bd2e3bdc7cd6c329da93dcee19a881eb4852cd60a4e083db215af94e4248e3bb
SHA5120d8c511a1f25cdb549c024ba8f0f1abe264e5f73e2af51a938a7c288718ed50a81d8832aa292480ae6dc5fc736e5afb10eee27b3da8a3fc1b1cfd68c0f8a077e
-
Filesize
1KB
MD56d230cc44eaeffcd2f3e53c6fbabd396
SHA110c26817bedb80181d3143568d1a01414d52fdc9
SHA256f986609c3db274ddf42d695926b1054c92d25db49cdea0fbb6239c0d25e58150
SHA512577ccd6ad371ff04006533a6156e407b573540b2be7927c78d3fcf571ad39cb8a07eaae91ea3701ac8d846cabd218394d4b700f87ad3f64df9ab394e5f16d4a7
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
1KB
MD5070853404f4675f870a05c3a40dddd2c
SHA1ad3f8de1d04e43aa74b6bd2dc13ac1bf79211a7a
SHA2567b2961060384d77571f4d2fc4b2c3a685ba47cf2ce2f3dd9645bcb1b486b9700
SHA512e97f319b09281d4ac602b4e59c892971f754541b51082c8a33fe3b179717d449efa2881c54697e9d8f95b95f7de2fcf628767e6ac7b7fc903d6671db25dbcbae
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
7KB
MD589d67fd8721bef789b3b28bdd3d1a858
SHA1124acff7219674e0f71994bcd5c74275ad6f42d2
SHA25611323d21392a57456909b3c6e9492d73994d42f51f781d1bd6f3581788e1cd42
SHA512a939ae3db16b2e424a0f1831d7ddff190ec194c0d57bb22de8518e388295e907bdb16089e2d34f81740d4e5b973e8b4665cdae3259e5a8fd7362110ed62ea3da
-
Filesize
5KB
MD53bc11393610d159bc402b299661cbe8e
SHA1a633e5569813cce7fef4d734e61ffbda2674edf4
SHA2567530d87178feaab2d03926e2c9fb12ed6d65ec7d88c91735320ba55f342aef5e
SHA5125f604b45b24dd7d6beb33853dad6105f07c7909eca27182fb3ccdfd661eff6526f6ce08c427b4a9cf7e3f9a810ed8a04d8673c714ec44822ae821946e248b97f
-
Filesize
6KB
MD5afb11ee4908dd9b9825dbe015558d772
SHA173e6f8465e8b976cb95662f16e5ec1484d5b9adb
SHA256efa0aa2143828715bd89ce3591ad39e9e76c707afe4934b321c684a2c5f25856
SHA512ff7ac586e05cc114b5578ddb729e7605ad7415fb11c32101b42f413ee21f1661b2857b02ed6ba49ec18c89dbe19c34cefc9344ba18d24e347208218985960cd3
-
Filesize
6KB
MD57bdbb8fd5c87a23f4f072caa752a61e6
SHA11aad168474e701f83712741cad39ca040b9a76d3
SHA256e73e7016de517db3c80e3bcdf47f9007d9f240d51d5fdb4775dcc184a7e06f76
SHA5121dcb49824c62a2bece1920d168cb2ccc2e52f74089aeb6bc92802e7311e7dbf3aeacb2503735113427d002381cf4e9333073691bf3138498256c7a5072193990
-
Filesize
6KB
MD52bdac1bb1492239187d59ebbcae2d290
SHA19cb0d38aa861680fc87795ed30194c5b2c95c683
SHA2563d7919f5e027c8626892f8ed04c9a475104c2ccd9a1e5894d042253326ccec2d
SHA5124de815f0e99556a47b57cce9ead6f2169f25c2c391845c5402ff1f3a31c539bd8404508fe2719a72795b73934bc10809ad02068c315c79730cc6566525b2fa8e
-
Filesize
6KB
MD5aff797efbcf2e09cc1d143bdfc11f714
SHA1c73706885198ac60d36cae4df68535d2a79e1e24
SHA25673dc325098123333420e55fe3fa4612fb5806cdb182d41d068df574481c1df51
SHA512c7f268833d965771a250d207ef01ef2bc71abb49dd11d62b94df202df6bf41bdd79537d257ca72fe3c05929cf8370d39d329a536318eaaf4c4ed096dc007fcf4
-
Filesize
7KB
MD58b6f948423129fc40c9e509e05108e10
SHA159130533ac1ed7c0b9a5de3ece055f2a5f1557e8
SHA25608f472aff5ed57fe94372ef72c479060b6054a2b39e387b358af2e2a9b9b0875
SHA512422943d4bf2f35afed0a9fc6eb2d09137b1f78306148f0946a5a45ee4dfb0411e553ec22f63fc4021975af8f1d1cbd33f7bfe5b397e6cbacef16c33c570e1acf
-
Filesize
7KB
MD58093fabd40161c66d42af1cf4fae0176
SHA1084c45b8ae364322da6947bba2938c8bc283edeb
SHA256fab96697607a14c8935d0061900e7f27686820ef4b68bc298fd44534b393e193
SHA512ea59536b72d2e264f9a841c269e07da6b117fe597a7fa936609636900874a3db4cbabb8ae921b916fc617efe3f8e987c4764ccf605668579040bc82cfc57088a
-
Filesize
536B
MD5e3d7e49d697485886e4c0d7bb6a61f65
SHA1e0d551b1b53167cfc20ab5c56007c1ae5faad74a
SHA256e4a389875b1bdbc21631001e0933ced0de1e46a203af82528fed016281565348
SHA512cddecf4863b62a6052f0916d229ce62d11198779dc33ffee0e5356ac2b94f06c9ee291482fcda35d64c91386949d646bca0d2ff48f0b1366973afcdffea81270
-
Filesize
1KB
MD5d465c31a1a55a1c9a1a9bcfe323e9034
SHA1d312136b4559fd2bbd40493fdb119d9e7832e82f
SHA2569c1a0bb299ed227d3097a74368ce2740901d0f7d7216071e6141a3efcf61a31f
SHA51208abe330364ee3ad133a6f52e107c6950e38f569a5e28c22c8302886c8d2e543ba14bf9ed2887cbc21516ca6c581955555804f5f7d3b8e0c86e09a68acbe58a8
-
Filesize
1KB
MD52e0b1b67702814255ac2de9661d074e2
SHA1cf5b4a365b4dbcf5bb3d9943fe12736261cb2842
SHA25601589fd355d4dab91e8d7f04f02ec66661374d0d47aa64acd14cbaf9f55f3f6c
SHA5123d7b0ddac300a72a4c53e5f7ee434e838548c4000bf14f5d91593283e2b99a8b900fd77cf9b986cea82e6ae8fe8a26b9f31c083d70faf78a4fd870fb208c2ba9
-
Filesize
536B
MD56c1ea3fdc25c2efd41ecf5969ab93aae
SHA13320198bafbb1f8a88a45d7e444f11e0f6c14e1d
SHA256e4fe97de673284285338874c373e03407d91ff8f7ff1cb5c240d8d1353f3bc5a
SHA512155b5ca5ee86272f916334327c6b7db7a9ac0721f5e2d6555ef8e35285a7e96896c704d4543222a066d611ca31710226104367d52dad21323d0fa08270cc1e8e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD5281ba14f9b682582c1ffe20cee0f6d30
SHA190f4fa2cbeec38285d9a349c4962d0a75f63af40
SHA256e87ef931e71d7d842c20e013d8737b8f5b3f1489433973d6b25d11ba740ddcbd
SHA51257b6c8756d26ad6515a3d662d2c6490cb0cd37dd0ea8f1f3cde9ee834eb72c4eddd390d5600ea7b6e28e4f8e04f92448bd8366154b96655a4bb68669f4b9f9c5
-
Filesize
11KB
MD5909a0cccc4e49ccfc86610f4ff301119
SHA10fdd25904d7e5af3d6c75814e8560d520f7bd2b9
SHA256f14dcf35589a6663b331a3a37b187d752b087ebdfde04cec0a23d52c629edc06
SHA512c43200ec386c506afe968f52257751acf98286b89b374026d57825001316db594646e07b6702b30a8ac29c637d2dfc98b92389b03931fef34a28ea3297bedd6d
-
Filesize
12KB
MD5228c6940e4429bb2082244f45340ba6f
SHA1b4b407b25e89f53872d0000ce7ad39960478fd67
SHA25685637d519463689b51ee4435230a01cc492d1b8116486876c3d981440e09411a
SHA5123ef95f7c94ef7dbbea6d0014dad2a8d7b18ff4f6763930e1299839916f611331059d5b365fb051caa6f58d3ce48a6da2623d4d8bb26ba76bb8b8d6100c805926
-
Filesize
260B
MD5c2d97a70ee977a8ad523b7c82ab41a09
SHA17be802dcd4b71172a6bd189b0f3b94af8d8e4635
SHA2568d8c718af0b79f6fd08eaab278e52f01af1fcdd0d29fc4d8f3043743da1a8728
SHA512aeb6451614d692e9f81d2bcdf377adda57ddebc736ea2e5e7c1866d053c452dedb2b97521bf0fff54b26e1070124396e6cd43268dc5d0ba0a7ed47b4b65d608f
-
Filesize
155KB
MD536458bc23cefdf9115405b5c157e508a
SHA149abdfc7db22cd49a724804c6d49ebc07a915c2d
SHA256e4f5fab55df2b7c6acbf86618a6d43fa23ccb5b45f0f827ad8a130c1e8d227a1
SHA5124f930df63d7ccd384619dfe5356512927287b7e60613cad3082b6ba93c912aecd593d6420ef00f73dfd28239a5d8ead8ae7145118f6a683740da9dd9e92ecbc1
-
Filesize
330KB
MD5692361071bbbb3e9243d09dc190fedea
SHA104894c41500859ea3617b0780f1cc2ba82a40daf
SHA256ae9405b9556c24389ee359993f45926a895481c8d60d98b91a3065f5c026cffe
SHA512cfdd627d228c89a4cc2eac27dcdc45507f1e4265eff108958de0e26e0d1abe7598a5347be77d1a52256de70c77129f1cd0e9b31c023e1263f4cf04dbc689c87e
-
Filesize
289KB
MD55c378b11848ac59704c2000b4e711c30
SHA16a46c53fd89b1f66d3fdab7653181e8a3e56d418
SHA256bd764fe2f9734d5ac56933ce68df0a175bfa98dc0266ae3cd3a5c963267ea77e
SHA512c6fe33ff3825e9018abea99ea49dc5221f2abd96bd1099def898425b82c05f9b9ca1aacaba0b7ffb7d09a7d097eae9937abdc13bbf3e7643e24e37edc7841c48
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e