dd01e245edc9a4aeaf91a6024ef3ecf852c8b3244e34df4556f876bb522142c5

Analysis

max time kernel
43s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 22:11

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

adamsatmayiz.exe
Size

6.1MB
MD5

178336a536d9b9950626bc2220683bef
SHA1

e97e26912d0d9417b6a86e6eac69125c7f1f1952
SHA256

dd01e245edc9a4aeaf91a6024ef3ecf852c8b3244e34df4556f876bb522142c5
SHA512

f12f6534f43ff2583a692ec5704ff2a6ad87025d4200d08d2403a1830c344680cb80f8ff8c2c66720fe3aa262672ab69d5f0bf3711cc95c927d6f6f6c2618f3d
SSDEEP

196608:JqwvCnOAS9ztkBNvMGZPvGeMzWJfagYHlE8u:dWe9z6Bm2Pv1Mzgag2EX

Score

8^/10

discovery evasion execution persistence privilege_escalation pyinstaller

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2128	netsh.exe
1524	netsh.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	adamsatmayiz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	cscript.exe

Executes dropped EXE 7 IoCs

pid	Process
1892	deneme.exe
4272	deneme.exe
1888	volumeid.exe
1928	volumeid.exe
2612	macc.exe
1984	macc.exe
4812	macc.exe

Loads dropped DLL 2 IoCs

pid	Process
4272	deneme.exe
4272	deneme.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	mountvol.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\macc.exe	cmd.exe
File opened for modification	C:\Windows\System32\reg.vbs	cmd.exe
File created	C:\Windows\System32\c.vbs	cmd.exe
File opened for modification	C:\Windows\System32\adamsatmayiz.bat	cmd.exe
File created	C:\Windows\System32\secsvc.dll	cmd.exe
File opened for modification	C:\Windows\System32\secsvc.dll	cmd.exe
File created	C:\Windows\System32\volumeid.exe	cmd.exe
File created	C:\Windows\System32\reg.vbs	cmd.exe
File opened for modification	C:\Windows\System32\disk.vbs	cmd.exe
File opened for modification	C:\Windows\System32\c.vbs	cmd.exe
File created	C:\Windows\System32\adamsatmayiz.bat	cmd.exe
File created	C:\Windows\System32\svckutils.exe	cmd.exe
File created	C:\Windows\System32\macc.exe	cmd.exe
File opened for modification	C:\Windows\System32\volumeid.exe	cmd.exe
File created	C:\Windows\System32\disk.vbs	cmd.exe
File created	C:\Windows\System32\b.vbs	cmd.exe
File opened for modification	C:\Windows\System32\b.vbs	cmd.exe
File opened for modification	C:\Windows\System32\svckutils.exe	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2748	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000a000000023b83-57.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	volumeid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	volumeid.exe

Gathers network information 2 TTPs 8 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4288	ipconfig.exe
4008	ipconfig.exe
2260	ipconfig.exe
4212	ipconfig.exe
4776	ipconfig.exe
2616	ipconfig.exe
2932	ipconfig.exe
2196	ipconfig.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	adamsatmayiz.exe

Modifies registry key 1 TTPs 32 IoCs

Modify Registry

T1112

pid	Process
1996	reg.exe
5004	reg.exe
4516	reg.exe
2708	reg.exe
2252	reg.exe
4432	reg.exe
4528	reg.exe
4364	reg.exe
4020	reg.exe
4816	reg.exe
5000	reg.exe
4532	reg.exe
2984	reg.exe
2024	reg.exe
5064	reg.exe
1360	reg.exe
3540	reg.exe
208	reg.exe
228	reg.exe
2756	reg.exe
4116	reg.exe
1888	reg.exe
2380	reg.exe
4372	reg.exe
4316	reg.exe
1484	reg.exe
772	reg.exe
2272	reg.exe
1576	reg.exe
3852	reg.exe
4000	reg.exe
3812	reg.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
400	schtasks.exe
2080	schtasks.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe
Token: SeDebugPrivilege	2192	whoami.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 4192	1664	adamsatmayiz.exe	84
PID 1664 wrote to memory of 4192	1664	adamsatmayiz.exe	84
PID 4192 wrote to memory of 1892	4192	WScript.exe	89
PID 4192 wrote to memory of 1892	4192	WScript.exe	89
PID 1892 wrote to memory of 4272	1892	deneme.exe	91
PID 1892 wrote to memory of 4272	1892	deneme.exe	91
PID 4192 wrote to memory of 4052	4192	WScript.exe	92
PID 4192 wrote to memory of 4052	4192	WScript.exe	92
PID 4052 wrote to memory of 1072	4052	cmd.exe	94
PID 4052 wrote to memory of 1072	4052	cmd.exe	94
PID 1072 wrote to memory of 1356	1072	net.exe	95
PID 1072 wrote to memory of 1356	1072	net.exe	95
PID 4052 wrote to memory of 2192	4052	cmd.exe	96
PID 4052 wrote to memory of 2192	4052	cmd.exe	96
PID 4052 wrote to memory of 4212	4052	cmd.exe	97
PID 4052 wrote to memory of 4212	4052	cmd.exe	97
PID 4052 wrote to memory of 432	4052	cmd.exe	98
PID 4052 wrote to memory of 432	4052	cmd.exe	98
PID 4052 wrote to memory of 3420	4052	cmd.exe	99
PID 4052 wrote to memory of 3420	4052	cmd.exe	99
PID 4052 wrote to memory of 2912	4052	cmd.exe	100
PID 4052 wrote to memory of 2912	4052	cmd.exe	100
PID 2912 wrote to memory of 940	2912	WScript.exe	101
PID 2912 wrote to memory of 940	2912	WScript.exe	101
PID 2912 wrote to memory of 440	2912	WScript.exe	103
PID 2912 wrote to memory of 440	2912	WScript.exe	103
PID 2912 wrote to memory of 4724	2912	WScript.exe	105
PID 2912 wrote to memory of 4724	2912	WScript.exe	105
PID 2912 wrote to memory of 4888	2912	WScript.exe	107
PID 2912 wrote to memory of 4888	2912	WScript.exe	107
PID 2912 wrote to memory of 1440	2912	WScript.exe	109
PID 2912 wrote to memory of 1440	2912	WScript.exe	109
PID 2912 wrote to memory of 4452	2912	WScript.exe	111
PID 2912 wrote to memory of 4452	2912	WScript.exe	111
PID 2912 wrote to memory of 4328	2912	WScript.exe	113
PID 2912 wrote to memory of 4328	2912	WScript.exe	113
PID 2912 wrote to memory of 4220	2912	WScript.exe	115
PID 2912 wrote to memory of 4220	2912	WScript.exe	115
PID 2912 wrote to memory of 4000	2912	WScript.exe	117
PID 2912 wrote to memory of 4000	2912	WScript.exe	117
PID 2912 wrote to memory of 208	2912	WScript.exe	119
PID 2912 wrote to memory of 208	2912	WScript.exe	119
PID 2912 wrote to memory of 228	2912	WScript.exe	121
PID 2912 wrote to memory of 228	2912	WScript.exe	121
PID 2912 wrote to memory of 1996	2912	WScript.exe	123
PID 2912 wrote to memory of 1996	2912	WScript.exe	123
PID 2912 wrote to memory of 2272	2912	WScript.exe	125
PID 2912 wrote to memory of 2272	2912	WScript.exe	125
PID 2912 wrote to memory of 2984	2912	WScript.exe	127
PID 2912 wrote to memory of 2984	2912	WScript.exe	127
PID 2912 wrote to memory of 2708	2912	WScript.exe	129
PID 2912 wrote to memory of 2708	2912	WScript.exe	129
PID 2912 wrote to memory of 2252	2912	WScript.exe	131
PID 2912 wrote to memory of 2252	2912	WScript.exe	131
PID 2912 wrote to memory of 2024	2912	WScript.exe	133
PID 2912 wrote to memory of 2024	2912	WScript.exe	133
PID 2912 wrote to memory of 2380	2912	WScript.exe	135
PID 2912 wrote to memory of 2380	2912	WScript.exe	135
PID 2912 wrote to memory of 4020	2912	WScript.exe	137
PID 2912 wrote to memory of 4020	2912	WScript.exe	137
PID 2912 wrote to memory of 5064	2912	WScript.exe	139
PID 2912 wrote to memory of 5064	2912	WScript.exe	139
PID 2912 wrote to memory of 4816	2912	WScript.exe	141
PID 2912 wrote to memory of 4816	2912	WScript.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\adamsatmayiz.exe
"C:\Users\Admin\AppData\Local\Temp\adamsatmayiz.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\deneme.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\deneme.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\deneme.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\deneme.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoof.bat" "
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:1356
  - - C:\Windows\system32\whoami.exe
      whoami /groups
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2192
  - - C:\Windows\system32\find.exe
      find "Administrators"
      4⤵
      PID:4212
  - - C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" import "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RegistrationDomains.reg"
      4⤵
      PID:432
  - - C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" import "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vimeo.reg"
      4⤵
      PID:3420
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\reg.vbs" add "HKEY_CURRENT_USER\Software\Sysinternals\VolumeID" /v EulaAccepted /t REG_DWORD /d 1 /f
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d 52257-44799-24976-60545-43838 /f >nul 2>&1
        5⤵
        
        PID:940
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d 19051-43084-60985-31184-30587 /f >nul 2>&1
        5⤵
        
        PID:440
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {11413-77744-34849-73535-95281} /f >nul 2>&1
        5⤵
        
        PID:4724
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d {19616-77528-17693-83296-90390} /f >nul 2>&1
        5⤵
        
        PID:4888
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d {81795-61243-56801-46226-77950} /f >nul 2>&1
        5⤵
        
        PID:1440
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d {61562-10976-48832-91363-11573} /f >nul 2>&1
        5⤵
        
        PID:4452
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 29951 /f
        5⤵
        
        PID:4328
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 86725 /f
        5⤵
        
        PID:4220
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 81043-16635-53762-56282-72624 /f
        5⤵
        Modifies registry key
        
        PID:4000
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 25065-16049-66999-94149-36601 /f
        5⤵
        Modifies registry key
        
        PID:208
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 59961-93243 /f
        5⤵
        Modifies registry key
        
        PID:228
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 29984 /f
        5⤵
        Modifies registry key
        
        PID:1996
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 90502-55297-70911 /f
        5⤵
        Modifies registry key
        
        PID:2272
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d FS60656 /f
        5⤵
        Modifies registry key
        
        PID:2984
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d FS46291 /f
        5⤵
        Modifies registry key
        
        PID:2708
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 43726 /f
        5⤵
        Modifies registry key
        
        PID:2252
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 96553 /f
        5⤵
        Modifies registry key
        
        PID:2024
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {73203-85700-48209-70683-69358} /f
        5⤵
        Modifies registry key
        
        PID:2380
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {33397-39762-44569-30149-73409} /f
        5⤵
        Modifies registry key
        
        PID:4020
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {88511} /f
        5⤵
        Modifies registry key
        
        PID:5064
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate /t REG_SZ /d 22237 /f
        5⤵
        Modifies registry key
        
        PID:4816
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 73242 /f
        5⤵
        Modifies registry key
        
        PID:5000
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 30666 /f
        5⤵
        Modifies registry key
        
        PID:2756
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" "WindowsUpdate /v SusClientId /t REG_SZ /d {60114-95683-55075-62998-87031} /f
        5⤵
        Modifies registry key
        
        PID:4372
    - - C:\Windows\System32\certutil.exe
        
        "C:\Windows\System32\certutil.exe" -URLCache * delete
        5⤵
        
        PID:3908
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" int ip reset
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:432
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" int ipv4 reset
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1524
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" int ipv6 reset
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4516
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface IP delete arpcache
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1548
    - - C:\Windows\System32\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" / >nul
        5⤵
        Gathers network information
        
        PID:2932
    - - C:\Windows\System32\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /release >nul
        5⤵
        Gathers network information
        
        PID:2196
    - - C:\Windows\System32\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /renew >nul
        5⤵
        Gathers network information
        
        PID:4288
    - - C:\Windows\System32\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /flushdns >nul
        5⤵
        Gathers network information
        
        PID:4008
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall reset
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2128
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" winsock reset
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4812
  - - C:\Windows\system32\cscript.exe
      cscript "C:\dl\spoof\reg.vbs"
      4⤵
      Checks computer location settings
      PID:5100
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d 72197-64740-44916-80485-63778 /f >nul 2>&1
        5⤵
        
        PID:3484
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d 61953-85986-13887-74086-73489 /f >nul 2>&1
        5⤵
        
        PID:4048
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {59659-35990-83095-31781-53527} /f >nul 2>&1
        5⤵
        
        PID:2376
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d {19267-77180-17345-82948-90041} /f >nul 2>&1
        5⤵
        
        PID:1264
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d {33378-12826-98384-87809-29533} /f >nul 2>&1
        5⤵
        
        PID:3112
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d {13145-52559-90415-42946-53156} /f >nul 2>&1
        5⤵
        
        PID:552
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_SZ /d 35210 /f
        5⤵
        
        PID:2344
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 44181 /f
        5⤵
        
        PID:2324
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 39290-64881-12009-14528-30871 /f
        5⤵
        Modifies registry key
        
        PID:4116
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 36724-27708-78658-15809-48260 /f
        5⤵
        Modifies registry key
        
        PID:3812
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 18471-51753 /f
        5⤵
        Modifies registry key
        
        PID:5004
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 30426 /f
        5⤵
        Modifies registry key
        
        PID:4316
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 90944-55739-71354 /f
        5⤵
        Modifies registry key
        
        PID:1576
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d FS24511 /f
        5⤵
        Modifies registry key
        
        PID:4432
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d FS10410 /f
        5⤵
        Modifies registry key
        
        PID:4516
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 44168 /f
        5⤵
        Modifies registry key
        
        PID:4528
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 96995 /f
        5⤵
        Modifies registry key
        
        PID:4364
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {37058-49555-12064-34538-33213} /f
        5⤵
        Modifies registry key
        
        PID:1888
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {49874-56239-61046-46626-89885} /f
        5⤵
        Modifies registry key
        
        PID:4532
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {14988} /f
        5⤵
        Modifies registry key
        
        PID:3540
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate /t REG_SZ /d 80646 /f
        5⤵
        Modifies registry key
        
        PID:3852
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 41915 /f
        5⤵
        Modifies registry key
        
        PID:1484
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 89338 /f
        5⤵
        Modifies registry key
        
        PID:1360
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" "WindowsUpdate /v SusClientId /t REG_SZ /d {82200-27769-77160-85084-19117} /f
        5⤵
        Modifies registry key
        
        PID:772
    - - C:\Windows\System32\certutil.exe
        
        "C:\Windows\System32\certutil.exe" -URLCache * delete
        5⤵
        
        PID:4912
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" int ip reset
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3684
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" int ipv4 reset
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1216
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" int ipv6 reset
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1804
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface IP delete arpcache
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1324
    - - C:\Windows\System32\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" / >nul
        5⤵
        Gathers network information
        
        PID:2260
    - - C:\Windows\System32\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /release >nul
        5⤵
        Gathers network information
        
        PID:4212
    - - C:\Windows\System32\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /renew >nul
        5⤵
        Gathers network information
        
        PID:4776
    - - C:\Windows\System32\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /flushdns >nul
        5⤵
        Gathers network information
        
        PID:2616
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall reset
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1524
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" winsock reset
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1556
  - - C:\Windows\system32\cscript.exe
      cscript "C:\dl\spoof\disk.vbs"
      4⤵
      Checks computer location settings
      PID:2200
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c volumeid.exe C: F839-2DBA
        5⤵
        
        PID:224
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\volumeid.exe
        
        volumeid.exe C: F839-2DBA
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c volumeid.exe F: 54D7-F8AB
        5⤵
        
        PID:2180
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\volumeid.exe
        
        volumeid.exe F: 54D7-F8AB
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
  - - C:\Windows\system32\mountvol.exe
      mountvol X: /S
      4⤵
      PID:1528
  - - C:\Windows\system32\mountvol.exe
      mountvol X: /D
      4⤵
      Enumerates connected drives
      PID:4496
  - - C:\Windows\system32\sc.exe
      sc create sechost binPath= "C:\u.exe" DisplayName= "sechost" start= auto obj= LocalSystem
      4⤵
      Launches sc.exe
      PID:2748
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "svckutils" /tr "C:\Windows\system32\svckutils.exe" /sc ONLOGON /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:400
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "cvbs" /tr "C:\Windows\system32\c.vbs" /sc ONLOGON /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2080
  - - C:\Windows\System32\macc.exe
      "C:\Windows\System32\macc.exe"
      4⤵
      Executes dropped EXE
      PID:2612
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
        5⤵
        
        PID:2000
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
        6⤵
        
        PID:2164
  - - C:\Windows\System32\macc.exe
      "C:\Windows\System32\macc.exe"
      4⤵
      Executes dropped EXE
      PID:1984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
        5⤵
        
        PID:4820
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
        6⤵
        
        PID:4924
  - - C:\Windows\System32\macc.exe
      "C:\Windows\System32\macc.exe"
      4⤵
      Executes dropped EXE
      PID:4812
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
        5⤵
        
        PID:3216
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
        6⤵
        
        PID:5064
  - - C:\Windows\system32\cscript.exe
      cscript "C:\Windows\System32\b.vbs"
      4⤵
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RegistrationDomains.reg

Filesize
252B

MD5
cf8bb35ca1f63713dfda205b283d29c9

SHA1
97a4c64d8896303edcdf1d8a5cd6a8e3899ccfa3

SHA256
48e6d9ebcaba5731f47e7f8ad08aee5caacd319ecdc0c2392cf79ae755d2f546

SHA512
06db6588e7f6af459b58890bd87d16d7bf2cb2099e01e3980c1175f1180b912deed85dda19d29b23202705deff8fe36e7b499a76601bd42d5a46bbe134894077

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vimeo.reg

Filesize
250B

MD5
80436e210b15e8e473d6cac6c5bc8442

SHA1
aadfcf3d71273b22580d7b1163af776b426d3678

SHA256
d3e02c48f2dc1b96f95ef2360890d6f309af5dc88622417cea1fdc8ca984f0c2

SHA512
52ca64e4ffb7b8952b9cc978d81a84ad43979043b224d48860bc2e90008201d13e3f2410578a17d4be93a86c6b74682a6935263eed4b7aef473dc45d42c35b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\a.vbs

Filesize
2KB

MD5
72a0fe178ab5f6b393c7e647e2926d1b

SHA1
72c225d31fa13a80aee56c7496b41f4bf9a65700

SHA256
2e482096964d0ed6827a5de6321fb7c49245681676f37353bcb9e335d134ef5a

SHA512
4eea090ee3d50ed8ebb9155a39efe364d0dae9784889e0bfd79ce71365f44f2db4eeb423976bbe988ad261cb85d14b1d9f4ce5ecf0bfd7cdb39df54b7df34d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\adamsatmayiz.bat

Filesize
781B

MD5
9b922bad9e454504a74fa02d3a1e9485

SHA1
2843aa584483ed4371f41f083a901cca2b7a122b

SHA256
1db5c47d93579e4f60df77cd551eec0147f1ac6a95ba61ceea2b5837764e381e

SHA512
7bcd6c788f9790aadfa24c376888cce10fca4766c310a7148ccd0ce7a976b6cc8fe2245199843250fcbd0e49066faa705b37125a725ae6a026d1ad5b3bf4d4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\b.vbs

Filesize
362B

MD5
c7a848002d82419b2c71c1ea7e4c595d

SHA1
754a2f437747b221fe2cf914b4a9d82d002f539b

SHA256
8639f5c398f122203b3af24229b19dfe541e56d5bc34e3c099b283becd35c494

SHA512
1350cefdc74f5dbc2c87d4aec6ba79af34a97b087e937b42f240ec6974055060e817a2d75910d91010b261ed9ced6a75f1c1793a898b0e757f585cfa4a719083

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bootx64.efi

Filesize
917KB

MD5
b1f99a44c80e0593ea009e5c5b4948f4

SHA1
8efa245d6c8d3888f1b9289d6f6f7582f9bf3261

SHA256
24dcc034bf6a5158f43b23b71a16acbfdcf1597de55aa309f7f6ac5af90666e6

SHA512
c010b61f866da1e97510cbadc9cd16b9ea28cef936647f6726e21655a0d3b8667ed5e5dd8b56510d2c7a41ab69ceda45c469b3cdcf0e3cc0bde87f47ca0b2221

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.vbs

Filesize
99B

MD5
2fd68c7d33c3c9c22a01ddd1decf4b91

SHA1
5b29943e218dad3c7b6c26694af0ae8136200408

SHA256
6de12c4f2d532b3bdce2cd97439cd33c62e53931a884f86f16fbbd299ea9051a

SHA512
eb915985a9565e7c67f14beef6e5452d9f0008f111adc230e5056dc6c6f5bfc8d97511c8e17cd01809c84bf24a1e8660d90e11b8c5064e3efa62bf45a3946195

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\deneme.exe

Filesize
4.8MB

MD5
6e4421d0c8e459b2b378ea968510182e

SHA1
8bb44092d97898424c2afb30e5db11a2cbb70acd

SHA256
63534bf58d0657aee6def9711bd75310fc58724bda6200f34a11df0de9f49f96

SHA512
8f4ae909f1992e10cb88dda6b023a15b3e23543f6345853588a678b7354890d4979c1f4ddc69c1ae66ac486bab284d1fbbe369b19b8097c61bc38fcd24a08dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\disk.vbs

Filesize
819B

MD5
e2e55ce217658a13775610d5982347dc

SHA1
9cb50e09480ca42550ec5eeaebfd7692ffb2c5f6

SHA256
045ac02f8832a8adfb14a0da0f75cd9445cbc362743ca8f65258977fe5393138

SHA512
629fb48d4e6b2f97d3b8b18f319d67d59196d7e2c4c617d2e0c7e7ae2cbd46db9290894804d547fb2eb301507233188601d2d5ce79846908f98fe6a687d6d853

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\macc.exe

Filesize
33KB

MD5
aed42ff110a595753bb2f83171727285

SHA1
492ab23acf2cf384183f0a4c0716c0871b597bf5

SHA256
a124932386dbcc5e6b5901f2460f68e7cfb1dff1406cd899620e8880461c60fb

SHA512
6ba035f8d3c719adcd99f28f8b6e8e10fab15ea11f7e6753a3c1119221bffb070ccbf9ed68e1053fc55a9cd68d17ec240fb83a35fb2dd0029f256a6626eb3d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mp.efi

Filesize
147KB

MD5
28d826f9973ec6c0a3c4b6cfc4ae4fa4

SHA1
3ccb67ce64563799cc6508fa12b04f1c0232f93e

SHA256
a08b82ef1e7883ddda401641fc5fd18163b02b4b3e2cfb77f6d6813005b38419

SHA512
0142635e3b4702f80596625491cf4aada9b0cc92f0bed6437c6eaef10137b82a34024997be77ae3d881d62ce6aa7fb6090c14f594cfc19fd97d10d46adf6257d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\reg.vbs

Filesize
5KB

MD5
bd8226c764c510380d232e23dc78190b

SHA1
3355e1cc9e7c494b0ac4d824297f36e4930866b0

SHA256
169629b694874481cde5d8a4da9478d8658ca208f68fc9cd0e2280521c3576f5

SHA512
2977723ec645635cbf40a999949f4fb4a99c93d3d2ff0f8f928f9c677a9d98a142e7cc0aefd15cb94786ca7ae736697c21b3d5b7aa853ce081b9c6f909e88d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\secsvc.dll

Filesize
233KB

MD5
9a2ec0140d6be501f97c477c2733c54d

SHA1
77065eeeb055e68de75f1f888f0801abd6bd57b3

SHA256
fbeaca58da6244e72a9a37d221e006ab93b174158cab12eaf496a831a7b2ce0c

SHA512
0b750715990a976bb29416ea8fb7ef83e97f2ce6259e7c2d3d9d4b3df6f0fbbc347c05c72010cc6da19416da7bc02c0ffedbe66e12f17c92e4a13be90314e5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoof.bat

Filesize
3KB

MD5
ee74b8b25557c4debd6243a25312a7e3

SHA1
be72609e8b71a01f129a27d6ba8e3ceb86389113

SHA256
21ed458d70083c61d916d23cf8ef20c50de39f9f2a99de5abb943fdaed049b21

SHA512
9b50271e7d76635f8787879f473462e8f398e124f9f4f04102acab11f96c0a6f1ed739cd483775f09206a2b0763d456ce49e2dcfa7f1781386848308c6270151

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\startup.nsh

Filesize
834B

MD5
0f159cd7ca4a75a1e819f1834570dd41

SHA1
d73a0ffe926db91ed391d7a004184f10b4b663a9

SHA256
277609f4d023f0f9d465c1258639ba8f8110814b76eca368074fcbe259a68377

SHA512
2a2a2813d464f39b48afa910f51057aa394a1e187d3d8347cdd6ea1874a2e375fdb5564cef2b0b44683f6bb7f43641667edac643a51c0ba199fb60882332b631

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svckutils.exe

Filesize
612KB

MD5
8f347518f441bf6fea66d4718e6af89f

SHA1
2477e2bb0fc8f51e1bd5e3519f5632db73d65958

SHA256
1df1e45f77ccec87b5ae91905b629dae18127a3c72558b5b29eeeff00134bab8

SHA512
bbdf2bf4f7a56c84e317655811b77a8a58e26ae3c2abd3c1baea541c579963539939e6fe3664bb4bcf020e084223515f22d218972a21e261c5179b5a6f47382e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\volumeid.exe

Filesize
228KB

MD5
4d867033b27c8a603de4885b449c4923

SHA1
f1ace1a241bab6efb3c7059a68b6e9bbe258da83

SHA256
22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3

SHA512
b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18922\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18922\_bz2.pyd

Filesize
85KB

MD5
a49c5f406456b79254eb65d015b81088

SHA1
cfc2a2a89c63df52947af3610e4d9b8999399c91

SHA256
ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced

SHA512
bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18922\_hashlib.pyd

Filesize
46KB

MD5
5e5af52f42eaf007e3ac73fd2211f048

SHA1
1a981e66ab5b03f4a74a6bac6227cd45df78010b

SHA256
a30cf1a40e0b09610e34be187f1396ac5a44dcfb27bc7ff9b450d1318b694c1b

SHA512
bc37625005c3dad1129b158a2f1e91628d5c973961e0efd61513bb6c7b97d77922809afca8039d08c11903734450bc098c6e7b63655ff1e9881323e5cfd739fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18922\_lzma.pyd

Filesize
159KB

MD5
cf9fd17b1706f3044a8f74f6d398d5f1

SHA1
c5cd0debbde042445b9722a676ff36a0ac3959ad

SHA256
9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4

SHA512
5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18922\_socket.pyd

Filesize
78KB

MD5
4827652de133c83fa1cae839b361856c

SHA1
182f9a04bdc42766cfd5fb352f2cb22e5c26665e

SHA256
87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba

SHA512
8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18922\base_library.zip

Filesize
824KB

MD5
09f7062e078379845347034c2a63943e

SHA1
9683dd8ef7d72101674850f3db0e05c14039d5fd

SHA256
7c1c73de4909d11efb20028f4745a9c8494fb4ee8dcf2f049907115def3d2629

SHA512
a169825e9b0bb995a115134cf1f7b76a96b651acd472dc4ce8473900d8852fc93b9f87a26d2c64f7bb3dd76d5feb01eeb4af4945e0c0b95d5c9c97938fa85b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18922\libcrypto-1_1.dll

Filesize
3.2MB

MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18922\python38.dll

Filesize
4.0MB

MD5
26ba25d468a778d37f1a24f4514d9814

SHA1
b64fe169690557656ede3ae50d3c5a197fea6013

SHA256
2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128

SHA512
80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18922\select.pyd

Filesize
27KB

MD5
e21cff76db11c1066fd96af86332b640

SHA1
e78ef7075c479b1d218132d89bf4bec13d54c06a

SHA256
fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28

SHA512
e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18922\unicodedata.pyd

Filesize
1.0MB

MD5
601aee84e12b87ca66826dfc7ca57231

SHA1
3a7812433ca7d443d4494446a9ced24b6774ceca

SHA256
d8091e62c74e1b2b648086f778c3c41ce01f09661a75ea207d3fea2cf26a8762

SHA512
7c2d64623c6cfd66d6729f59909c90aa944e810ff6514c58b2b3142ee90e8660b7ddf7fa187389dd333e47efe8b19e935dd4e9119c15375b69b4880d043877d7

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads