Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 12:47
Static task
static1
Behavioral task
behavioral1
Sample
3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
Resource
win10v2004-20241007-en
General
Target: 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
Size: 313KB
MD5: bd372e095c037675ea4171add0520462
SHA1: 697a203cb99b4242d067d78860fac36d73644892
SHA256: 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b
SHA512: b2111d5ae527ae91a62aea3f307ed94a81b8af09dacfed1bdb1386b65ab459b8642fb3b93560bd54f87b99a9339c3904c1985368418a14615a40978e54ca5a4a
SSDEEP: 6144:ueHwXUU5EYCTvaBjDjWrLJKuKnGML5NjcxV:uyMUusvalag5NjaV
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\LRX3Y6M\\UNT6G3M.exe\"" | system.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system.exe
Disables use of System Restore points 1 TTPs
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\LRX3Y6M\\regedit.cmd" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | system.exe
Executes dropped EXE 5 IoCs
pid | Process
2516 | service.exe
2668 | smss.exe
2692 | winlogon.exe
2808 | system.exe
1972 | lsass.exe
Loads dropped DLL 8 IoCs
pid | Process
1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | system.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\sRX6L0Q0 = "C:\\Windows\\system32\\WRQ3X8STYJ1F1E.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0G3MYJ = "C:\\Windows\\OQD6L0Q.exe" | system.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | service.exe
File opened (read-only) | \??\R: | service.exe
File opened (read-only) | \??\W: | service.exe
File opened (read-only) | \??\O: | service.exe
File opened (read-only) | \??\Q: | service.exe
File opened (read-only) | \??\U: | service.exe
File opened (read-only) | \??\E: | service.exe
File opened (read-only) | \??\I: | service.exe
File opened (read-only) | \??\M: | service.exe
File opened (read-only) | \??\N: | service.exe
File opened (read-only) | \??\T: | service.exe
File opened (read-only) | \??\Y: | service.exe
File opened (read-only) | \??\J: | service.exe
File opened (read-only) | \??\K: | service.exe
File opened (read-only) | \??\P: | service.exe
File opened (read-only) | \??\S: | service.exe
File opened (read-only) | \??\Z: | service.exe
File opened (read-only) | \??\H: | service.exe
File opened (read-only) | \??\L: | service.exe
File opened (read-only) | \??\V: | service.exe
File opened (read-only) | \??\X: | service.exe
Drops file in System32 directory 42 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system.exe
File opened for modification | C:\Windows\SysWOW64\GFI7N5Y.exe | system.exe
File opened for modification | C:\Windows\SysWOW64\systear.dll | system.exe
File opened for modification | C:\Windows\SysWOW64\systear.dll | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\SysWOW64\systear.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | lsass.exe
File opened for modification | C:\Windows\SysWOW64\systear.dll | lsass.exe
File opened for modification | C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd | service.exe
File opened for modification | C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd | smss.exe
File opened for modification | C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe | service.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\regedit.exe | system.exe
File opened for modification | C:\Windows\SysWOW64\PHI7L8V | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\systear.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\GFI7N5Y.exe | service.exe
File opened for modification | C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\PHI7L8V | service.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | service.exe
File opened for modification | C:\Windows\SysWOW64\GFI7N5Y.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\PHI7L8V | lsass.exe
File opened for modification | C:\Windows\SysWOW64\PHI7L8V | smss.exe
File opened for modification | C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd | system.exe
File opened for modification | C:\Windows\SysWOW64\systear.dll | service.exe
File opened for modification | C:\Windows\SysWOW64\regedit.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\PHI7L8V | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\regedit.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\GFI7N5Y.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\PHI7L8V | system.exe
File opened for modification | C:\Windows\SysWOW64\GFI7N5Y.exe | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\SysWOW64\regedit.exe | service.exe
File opened for modification | C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd | lsass.exe
File opened for modification | C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\GFI7N5Y.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe | system.exe
File opened for modification | C:\Windows\SysWOW64\regedit.exe | lsass.exe
resource | yara_rule
behavioral1/files/0x00070000000186d9-152.dat | upx
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\lsass.exe | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\LRX3Y6M\KOK7O5H.com | lsass.exe
File opened for modification | C:\Windows\LRX3Y6M\regedit.cmd | system.exe
File opened for modification | C:\Windows\cypreg.dll | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\LRX3Y6M\KOK7O5H.com | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\LRX3Y6M\smss.exe | service.exe
File opened for modification | C:\Windows\LRX3Y6M\UNT6G3M.exe | smss.exe
File opened for modification | C:\Windows\LRX3Y6M\service.exe | winlogon.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\moonlight.dll | system.exe
File opened for modification | C:\Windows\OQD6L0Q.exe | system.exe
File opened for modification | C:\Windows\onceinabluemoon.mid | lsass.exe
File opened for modification | C:\Windows\LRX3Y6M\UNT6G3M.exe | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\LRX3Y6M\system.exe | lsass.exe
File opened for modification | C:\Windows\LRX3Y6M | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\LRX3Y6M\UNT6G3M.exe | service.exe
File opened for modification | C:\Windows\LRX3Y6M\regedit.cmd | smss.exe
File opened for modification | C:\Windows\LRX3Y6M\KOK7O5H.com | smss.exe
File opened for modification | C:\Windows\TYJ1F1E.exe | winlogon.exe
File opened for modification | C:\Windows\LRX3Y6M\regedit.cmd | lsass.exe
File opened for modification | C:\Windows\64enc.en | system.exe
File opened for modification | C:\Windows\LRX3Y6M\regedit.cmd | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\lsass.exe | lsass.exe
File opened for modification | C:\Windows\OQD6L0Q.exe | winlogon.exe
File opened for modification | C:\Windows\LRX3Y6M\service.exe | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\lsass.exe | service.exe
File opened for modification | C:\Windows\lsass.exe | smss.exe
File opened for modification | C:\Windows\moonlight.dll | winlogon.exe
File opened for modification | C:\Windows\onceinabluemoon.mid | winlogon.exe
File opened for modification | C:\Windows\cypreg.dll | winlogon.exe
File opened for modification | C:\Windows\lsass.exe | winlogon.exe
File opened for modification | C:\Windows\LRX3Y6M\system.exe | system.exe
File opened for modification | C:\Windows\cypreg.dll | system.exe
File opened for modification | C:\Windows\moonlight.dll | lsass.exe
File opened for modification | C:\Windows\LRX3Y6M\service.exe | lsass.exe
File opened for modification | C:\Windows\moonlight.dll | smss.exe
File created | C:\Windows\MooNlight.txt | smss.exe
File opened for modification | C:\Windows\cypreg.dll | lsass.exe
File opened for modification | C:\Windows\onceinabluemoon.mid | smss.exe
File opened for modification | C:\Windows\LRX3Y6M | smss.exe
File opened for modification | C:\Windows\LRX3Y6M\smss.exe | system.exe
File opened for modification | C:\Windows\LRX3Y6M\regedit.cmd | service.exe
File opened for modification | C:\Windows\TYJ1F1E.exe | service.exe
File opened for modification | C:\Windows\cypreg.dll | smss.exe
File opened for modification | C:\Windows\OQD6L0Q.exe | smss.exe
File opened for modification | C:\Windows\TYJ1F1E.exe | system.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | lsass.exe
File opened for modification | C:\Windows\LRX3Y6M\winlogon.exe | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | service.exe
File opened for modification | C:\Windows\LRX3Y6M\winlogon.exe | service.exe
File opened for modification | C:\Windows\LRX3Y6M\smss.exe | winlogon.exe
File opened for modification | C:\Windows\LRX3Y6M\UNT6G3M.exe | lsass.exe
File opened for modification | C:\Windows\LRX3Y6M | lsass.exe
File opened for modification | C:\Windows\OQD6L0Q.exe | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\moonlight.dll | service.exe
File opened for modification | C:\Windows\LRX3Y6M\service.exe | service.exe
File opened for modification | C:\Windows\LRX3Y6M\system.exe | winlogon.exe
File opened for modification | C:\Windows\LRX3Y6M\regedit.cmd | winlogon.exe
File opened for modification | C:\Windows\LRX3Y6M\KOK7O5H.com | winlogon.exe
File opened for modification | C:\Windows\LRX3Y6M | system.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | system.exe
File opened for modification | C:\Windows\moonlight.dll | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
File opened for modification | C:\Windows\LRX3Y6M\system.exe | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | system.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
2516 | service.exe
2668 | smss.exe
2692 | winlogon.exe
2808 | system.exe
1972 | lsass.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 1200 wrote to memory of 2516 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 29
PID 1200 wrote to memory of 2516 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 29
PID 1200 wrote to memory of 2516 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 29
PID 1200 wrote to memory of 2516 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 29
PID 1200 wrote to memory of 2668 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 30
PID 1200 wrote to memory of 2668 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 30
PID 1200 wrote to memory of 2668 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 30
PID 1200 wrote to memory of 2668 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 30
PID 1200 wrote to memory of 2808 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 31
PID 1200 wrote to memory of 2808 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 31
PID 1200 wrote to memory of 2808 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 31
PID 1200 wrote to memory of 2808 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 31
PID 1200 wrote to memory of 2692 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 32
PID 1200 wrote to memory of 2692 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 32
PID 1200 wrote to memory of 2692 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 32
PID 1200 wrote to memory of 2692 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 32
PID 1200 wrote to memory of 1972 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 33
PID 1200 wrote to memory of 1972 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 33
PID 1200 wrote to memory of 1972 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 33
PID 1200 wrote to memory of 1972 | 1200 | 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe | 33
Processes
1  C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1200

   2  C:\Windows\LRX3Y6M\service.exe
      command line: "C:\Windows\LRX3Y6M\service.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2516

   2  C:\Windows\LRX3Y6M\smss.exe
      command line: "C:\Windows\LRX3Y6M\smss.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2668

   2  C:\Windows\LRX3Y6M\system.exe
      command line: "C:\Windows\LRX3Y6M\system.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      PID: 2808

   2  C:\Windows\LRX3Y6M\winlogon.exe
      command line: "C:\Windows\LRX3Y6M\winlogon.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2692

   2  C:\Windows\lsass.exe
      command line: "C:\Windows\lsass.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 1972
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (2)
    Change Default File Association (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (2)
    Change Default File Association (1)
    Image File Execution Options Injection (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (5)
Downloads

Filesize: 313KB
MD5: 4487d18c55215cb3283c1e7a42922553
SHA1: c0751e09a543d04380a20968a67b1aae1d719395
SHA256: 4de8c23e832a45f00a5f09599346bd9d55b2c783ee7d4bceb1c38bf008113862
SHA512: c4fc8fdbfb3f6d54accec62d5e6563b3494dd18e81c55177617824fba4437fd93af92cf42e0764a58ae5e1609de6ad910531f6c4a50d5a9bd73dadeba6e865f7

Filesize: 313KB
MD5: 5fb78dc1b8ca953c092ec59cbc0c09c6
SHA1: 52705bb92ebe0353a42b457c05c0d42fc3f46001
SHA256: d90b3f155cd47648083d2d2897ad3f1ac9debc5969628cdfcaf8def1a7cde3cc
SHA512: a32a3164d330284b9b12f21336fd4e1d2fb34354de54e2abea98d75b77455ba2a6a0fa3968daae8fd05e76d5b0eb4462675aced7f45f9bd3940885cb42c5ecc6

Filesize: 313KB
MD5: 894883be9122eefe8e34dd77a1ae6976
SHA1: 9b5708f4cdf49fe23b2d909bd91eea970969251e
SHA256: 5d4539f31e7d1972bfc10d96d208460954558c87db37c0e4a15e580e16d8b0cf
SHA512: 044bf18113a3107bb2fa1de92788499e2c7124237011ea8c015a479ca9961558fa4dc22cd30ee50160b13f76ccaf22c3b1e68735cdc3325fb54cbbed4e39621f

Filesize: 313KB
MD5: 368235db7f39ee8a096397c1bbdc51ac
SHA1: 2349aaf298e40c9bcee59accd7049e6a05e57d1f
SHA256: 16ba71a8dc7ae99aac9a4c8a0c0bec44ce306dd035f61f2e0f438a6cd1339c0a
SHA512: a9c91269e70612997d4ac0113e056386d94eb9466fdcc7d335f50ac9795997d3ce33a499ed0f1968f12bb75371ba3a6028b615c5c74809cd6f28d44e0277cc8d

Filesize: 313KB
MD5: 4b1cbe1d39e63d3ce2d24ba4d29bfbbb
SHA1: 82edf37f3c7bd5017a15fc9f5736fd1860bb6a5f
SHA256: 57aa273536c28256c2887981c86c2458a54ab7674ce3a4272661818da428bdbd
SHA512: af9bd9d3b52d6f00ad8ab19de863b0c618a6f8376317b68af0c70a560e400720233ccd5025dd98001fc8de3fecee478be14269909f65a81d78dfce52cb4602ab

Filesize: 313KB
MD5: 90072ec618888584c5c87a7054da3992
SHA1: 0dbeaf7f24915b82e0f30457773c6983c6e09ed7
SHA256: a1c8067ed74231868846f0c1640c79050fb10453ba32b24f78d886e310e1a608
SHA512: 64f319154be1dab81418749ff47573b666b34ea038e4042b60b20ed9ae2440f30c6adce1ec987f6039d9ae4d7b23eca90d2ae3cdf7135824dbdb1917eab4a278

Filesize: 313KB
MD5: 75fbc65ea0c44506da070473e447bbb4
SHA1: 741c036d7cdd737d07cfb8c6dca51960fa338f0a
SHA256: 547649e6c8c49ef45874ae871edeccdf8c05e7e914baa65eb3bd352ab646a94e
SHA512: 8172fc9f43dac11f03e5b48a32b3208c188f0aa8076c09ef20008d0c0f2f3069c3517c121e5d1233728f1bf37aa8fa3f90bfdcf5fe77196c998cd1b2d2688d00

Filesize: 313KB
MD5: ae5dedb6b5e3daac9a39d19e2812eb1b
SHA1: ae1e253523a0f293e5b739aab90ada57abe3eb30
SHA256: 04cfcf8e451a9b0231c5063ca8507e4bed6489f0fb01367bea2cd3619caf4fd6
SHA512: 1ff9ba9b7d8eda5425d8d3b21a0164e9afed2e839f6b36856c1dcb5b9225cfe100c0db0e0c64ec272bc2f866450a07fa58ef05e441fdaf705155c72565364666

Filesize: 313KB
MD5: 026e7c3c870358292e69bc9b0e142e24
SHA1: 37d07eb7653ed24af7b52fe7a837f67511da7da5
SHA256: c653690639b032162e7c4d402dc257147899ab1b1b805b2e2dd8e6f1d250e416
SHA512: cefe102a699adf553add26ac5a0c6e3602f9c59ec1f0b486a32103ad5c6a578caa966719c539228e663df56eebc375a49999e64e4822bb416ec3646ed785141e

Filesize: 313KB
MD5: 3b90ef6d1b1efc0ee0df0dff37ebad38
SHA1: 215fdb06ddf8123ad1d9626f0bd9ed6e9ca514e7
SHA256: 17541ff72f845a86cf09a0a780907541a31e435d5fa8d7265daff19c4727c355
SHA512: 04700d5090133ec689ac46b29728781a97bd20d51ce68ebbad763eb997c0ece346b0d7dfb582f3187d7c8970dece49774fef86114636095d620addb190ea7b16

Filesize: 313KB
MD5: 8e42cccf0e20cd52109e924af79dcfe6
SHA1: 83dbae88ea6cecdfdaf60dd4968cd150a072e55e
SHA256: daa6646a4177d8a23a245e93be53215e72e0b2a8176f4e0c19903d136bdb0622
SHA512: c77aab6f2880745e754fa93b12de94188f6556b15c946e4d614558727678980a23747f1d49ba6b7d9447e0fa370f8023db7fec513450b24882761471655b7c07

Filesize: 313KB
MD5: 7f64cf01611c4309604eae7c019b2153
SHA1: 5d1d7519fb13bdc211d155b67ffdc75620ba60e3
SHA256: b48c993cfcaa285c3f42b36ab1f818b739077510caa41131410150eb668aa247
SHA512: d66ce29b5bca9b5ce025e64b6117518047c0d45613c9253d9564b3b3846995e3e33d40bae48a6d1b8cfb3811cc74e36fc6f4d8f8ce282f4442fcd35072b1f708

Filesize: 313KB
MD5: 57e1f3ae7b7f2c75090a030c18218040
SHA1: 99e899f66ba91819b89fb7cf72298ae957fae5a1
SHA256: 52d891a83ca71ea90f590922af372b9e9790b940efd73fb20e2af55672a341a1
SHA512: 9214fef6efbd66e9feec6117357d677a01829d9e10afc25d1dfbceca7751140428c51298a200c3ceda5bbb21a042ad08b807ec8279ed4b40e3d94d288a0f960b

Filesize: 313KB
MD5: bd372e095c037675ea4171add0520462
SHA1: 697a203cb99b4242d067d78860fac36d73644892
SHA256: 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b
SHA512: b2111d5ae527ae91a62aea3f307ed94a81b8af09dacfed1bdb1386b65ab459b8642fb3b93560bd54f87b99a9339c3904c1985368418a14615a40978e54ca5a4a

Filesize: 313KB
MD5: 0102f0f1e9677f4b385178e20b84ef50
SHA1: 98dcfe2b9eb3de89411603a22c4608b4b2281cbc
SHA256: 5ca35fffc029e5af81cb09c3b8c9dc371583682b000f7b7c9f061b72df53b1ac
SHA512: 680484a66648f8117a76b7ba356d2ac17fdad6fed2350fd9eef34496ffc7d37e4938cc96275e550fb1b0447eddc18b9f6b473411070704f54b327db69577eb0f

Filesize: 313KB
MD5: 9c779d1d362a96d569ad44607284a1f4
SHA1: 30d9af11e4fef2b199a3ad521de718f1cf158224
SHA256: 2b538620d691745805591295b469866a63c35c5a6b581a5a0f976884c8bbde4d
SHA512: 979ad6e2c3a1080cf63c8a50e7ce410147da0c5f4b2a3c5c302767bc870a560f595a52d66197e9c501017eefd96f0e2650bef1271ef51081a2aa978ba2c2df0b

Filesize: 141B
MD5: d1b06c1feba95fece35fd91d705f778f
SHA1: 8a0d51016931fadb4cd65610ad2f82b122f899bc
SHA256: ce790862a1ee0cf67f6c548e6363314fe51dcb825a907bfeecc85dc2fc4d3caa
SHA512: 56f67dc9ac44282fc5c3f460311533dab2931a89ae3d448fdd743d21b42a069315152a420fedfa698a966416e3067959d2229dee9e33f75861b20b73b96472e3

Filesize: 417KB
MD5: d98c8e75e0b733b355221719abeb71e4
SHA1: e83c3d1bb4a5e346e8cd2582112ad8c44e18da2a
SHA256: 4128459a5e29bc260f774480f81d2a1b558c7b5adb4bfb0c2bcce1d939b497f5
SHA512: 312bfb82a0aa07e508fdeccade049f6edf434705ea6feefc5f24512283b2141700feb60d543523bc765be0b53bd6e95a533a6bad2a467abf0437228b2edcd7fe

Filesize: 417KB
MD5: a18f4968b8f8fe9082185bcf1ae2d131
SHA1: 992f97e5491a3336c19f8a8fa42f57eaf6f7646a
SHA256: a8a3f3cab149177fc8d736329368b84ef92ddd3133fc62c6a26586560a51c3df
SHA512: a5542b365a2c5cd1779ef6b173b44863acb279d0614d501c7217e6598bba174139580ad96649baebda8cdb51c8bcced497717bc6a3fe83a181f03656e8ec3d16

Filesize: 313KB
MD5: 06b5ea9ddc5503d52137fb909cc0210f
SHA1: d8bf80712eff604ab2843b9627c5f2e5cdae38d3
SHA256: c0166599756f9d522f65183cf57b98aa999633641b361bf7938b7bb609283c9d
SHA512: 2b2956b890b0d87ee7aeffbc85eb8077c893763c29ea78a0db3bb76f3025b4013986b70a4e6e0030771b4823032a01a11f3da5bbc0fd72daffb4bb91fd78ab50

Filesize: 65KB
MD5: 8e6e31f8df128a746ff9a3a38f8f78c0
SHA1: e4da9aa336eb7e254592e585b29d8b4e23f3e4bd
SHA256: dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7
SHA512: eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

Filesize: 8KB
MD5: 0e528d000aad58b255c1cf8fd0bb1089
SHA1: 2445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256: c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA512: 89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Filesize: 1.3MB
MD5: 0b56afade202c406eacbf7cdc87152e0
SHA1: 6781240f65be24dd3d171f9b9d950b61349c565a
SHA256: 494797cd029292876cea51dd6ef96e361416fc35682d2503dcb7ee989e77a98a
SHA512: 5e2792f2ae7473218e92e7e40c39d0f46d31252205ec2fc4433f438797b3bb0d056847f882912ec2e4039c8229edc17e2e9e5b0f134bfab1e674b8273215ecb5

Filesize: 313KB
MD5: b579b43ef4283d244650f6d6d0e175db
SHA1: eed7fe8498b16b6654f358f0e7791c47f29abead
SHA256: ad4c3edcaa5ee5e8b3b2a2907d791bba6b546c854b7497fb686366ded9d94767
SHA512: 8c4ed83e844dff49c33f4375f8f60bd33678b4a21e735f8759b433dbbfa4bb87408fab71275ea57b5304b5700a3832e77f5175fd50260b4e7d29dad1bb92c78b