Analysis
max time kernel: 120s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 12:47
Static task: static1
Behavioral task: behavioral1
  Sample: 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
  Resource: win10v2004-20241007-en
General
Target: 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
Size: 313KB
MD5: bd372e095c037675ea4171add0520462
SHA1: 697a203cb99b4242d067d78860fac36d73644892
SHA256: 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b
SHA512: b2111d5ae527ae91a62aea3f307ed94a81b8af09dacfed1bdb1386b65ab459b8642fb3b93560bd54f87b99a9339c3904c1985368418a14615a40978e54ca5a4a
SSDEEP: 6144:ueHwXUU5EYCTvaBjDjWrLJKuKnGML5NjcxV:uyMUusvalag5NjaV
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\FLR1S4G\\OGN3W1G.exe\""  (system.exe)
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  (system.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (system.exe)
Disables use of System Restore points (1 TTP)
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 6 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\FLR1S4G\\regedit.cmd"  (system.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe  (system.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"  (system.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe  (system.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"  (system.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe  (system.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  (3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe)
Executes dropped EXE (5 IoCs)
  PID 2056  service.exe
  PID 988   smss.exe
  PID 3512  system.exe
  PID 3436  winlogon.exe
  PID 4668  lsass.exe
Loads dropped DLL (3 IoCs)
  PID 3512  system.exe  (listed 3 times)
Modifies system executable filetype association (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"  (system.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sLR1U3C0 = "C:\\Windows\\system32\\JDC6J2EFKT5O5N.exe"  (system.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0W1GKT = "C:\\Windows\\XCM1U3C.exe"  (system.exe)
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by service.exe, in this order: \??\K:, \??\M:, \??\N:, \??\R:, \??\W:, \??\Y:, \??\I:, \??\J:, \??\S:, \??\T:, \??\U:, \??\H:, \??\L:, \??\O:, \??\V:, \??\X:, \??\E:, \??\G:, \??\Z:, \??\P:, \??\Q:
Drops file in System32 directory (42 IoCs)
All 42 entries are "File opened for modification". Each of the seven paths below is opened by all six processes (the sample 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe, service.exe, smss.exe, system.exe, winlogon.exe and lsass.exe):
  C:\Windows\SysWOW64\IXC5F6O
  C:\Windows\SysWOW64\IXC5F6O\JDC6J2E.cmd
  C:\Windows\SysWOW64\JDC6J2EFKT5O5N.exe
  C:\Windows\SysWOW64\POR1X0K.exe
  C:\Windows\SysWOW64\msvbvm60.dll
  C:\Windows\SysWOW64\regedit.exe
  C:\Windows\SysWOW64\systear.dll
YARA matches
  behavioral2/files/0x000a000000023b6b-149.dat  (rule: upx)
  behavioral2/memory/3512-315-0x0000000010000000-0x0000000010075000-memory.dmp  (rule: upx)
Drops file in Windows directory (64 IoCs)
All 64 entries are "File opened for modification". Grouped by path, with the processes that opened each ("sample" is 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe):
  C:\Windows\FLR1S4G                 sample, lsass.exe, service.exe, system.exe, winlogon.exe
  C:\Windows\FLR1S4G\OGN3W1G.exe     system.exe, smss.exe, sample, winlogon.exe, lsass.exe
  C:\Windows\FLR1S4G\UXT1X8R.com     winlogon.exe, smss.exe, sample, system.exe, lsass.exe
  C:\Windows\FLR1S4G\regedit.cmd     service.exe, winlogon.exe, system.exe, smss.exe, sample
  C:\Windows\FLR1S4G\service.exe     sample, winlogon.exe, service.exe, system.exe, smss.exe
  C:\Windows\FLR1S4G\smss.exe        service.exe, winlogon.exe, sample, smss.exe, lsass.exe
  C:\Windows\FLR1S4G\system.exe      winlogon.exe, smss.exe, system.exe, service.exe
  C:\Windows\FLR1S4G\winlogon.exe    lsass.exe, sample, service.exe, winlogon.exe
  C:\Windows\FKT5O5N.exe             smss.exe, lsass.exe, system.exe, sample, service.exe
  C:\Windows\XCM1U3C.exe             system.exe, lsass.exe, smss.exe
  C:\Windows\lsass.exe               sample, service.exe, system.exe
  C:\Windows\cypreg.dll              lsass.exe, system.exe, service.exe, winlogon.exe
  C:\Windows\moonlight.dll           lsass.exe, system.exe, winlogon.exe, smss.exe
  C:\Windows\system\msvbvm60.dll     system.exe, smss.exe, service.exe
  C:\Windows\onceinabluemoon.mid     sample, winlogon.exe, system.exe
  C:\Windows\64enc.en                system.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (3 IoCs)
  PID 832   WerFault.exe  (target PID 3512, target process id 87)
  PID 5108  WerFault.exe  (target PID 3512, target process id 87)
  PID 2924  WerFault.exe  (target PID 3512, target process id 87)
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by lsass.exe, 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe, service.exe, smss.exe, system.exe and winlogon.exe
Modifies registry class (5 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  (3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile  (system.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"  (system.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile  (system.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"  (system.exe)
Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 1472  3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
  PID 2056  service.exe
  PID 3436  winlogon.exe
  PID 3512  system.exe
  PID 988   smss.exe
  PID 4668  lsass.exe
Suspicious use of WriteProcessMemory (15 IoCs)
All 15 writes originate from PID 1472 (3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe); each target is written three times:
  PID 1472 wrote to memory of 2056  (target process id 85)
  PID 1472 wrote to memory of 988   (target process id 86)
  PID 1472 wrote to memory of 3512  (target process id 87)
  PID 1472 wrote to memory of 3436  (target process id 89)
  PID 1472 wrote to memory of 4668  (target process id 90)
Processes
C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe  (PID 1472)
  command line: "C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\FLR1S4G\service.exe  (PID 2056)
    command line: "C:\Windows\FLR1S4G\service.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Windows\FLR1S4G\smss.exe  (PID 988)
    command line: "C:\Windows\FLR1S4G\smss.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Windows\FLR1S4G\system.exe  (PID 3512)
    command line: "C:\Windows\FLR1S4G\system.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe  (PID 832)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1168
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe  (PID 5108)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1376
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe  (PID 2924)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1404
      - Program crash
  C:\Windows\FLR1S4G\winlogon.exe  (PID 3436)
    command line: "C:\Windows\FLR1S4G\winlogon.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Windows\lsass.exe  (PID 4668)
    command line: "C:\Windows\lsass.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\WerFault.exe  (PID 4660)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3512 -ip 3512
C:\Windows\SysWOW64\WerFault.exe  (PID 452)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3512 -ip 3512
C:\Windows\SysWOW64\WerFault.exe  (PID 4804)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3512 -ip 3512
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (2)
    Change Default File Association (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (2)
    Change Default File Association (1)
    Image File Execution Options Injection (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (5)
Downloads

Filesize: 313KB
MD5: bd372e095c037675ea4171add0520462
SHA1: 697a203cb99b4242d067d78860fac36d73644892
SHA256: 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b
SHA512: b2111d5ae527ae91a62aea3f307ed94a81b8af09dacfed1bdb1386b65ab459b8642fb3b93560bd54f87b99a9339c3904c1985368418a14615a40978e54ca5a4a

Filesize: 313KB
MD5: 199c63ea5c0db458d15522c47a5f629f
SHA1: 17a8610280618ec3710d76ca67f2bec4602616c5
SHA256: 389cb54684a1682a9f46b8bc538df4ce31a33de8f2314364735b9a70450f94d5
SHA512: 29d2b92435d6d47661e895ef2d140a81d9038512d8d939fcf92f47090480edc4cd267f4b09e111f239203050861ab74f0eb0367028c056e6f3b4a3ab7142055b

Filesize: 313KB
MD5: 57e1f3ae7b7f2c75090a030c18218040
SHA1: 99e899f66ba91819b89fb7cf72298ae957fae5a1
SHA256: 52d891a83ca71ea90f590922af372b9e9790b940efd73fb20e2af55672a341a1
SHA512: 9214fef6efbd66e9feec6117357d677a01829d9e10afc25d1dfbceca7751140428c51298a200c3ceda5bbb21a042ad08b807ec8279ed4b40e3d94d288a0f960b

Filesize: 313KB
MD5: 06b5ea9ddc5503d52137fb909cc0210f
SHA1: d8bf80712eff604ab2843b9627c5f2e5cdae38d3
SHA256: c0166599756f9d522f65183cf57b98aa999633641b361bf7938b7bb609283c9d
SHA512: 2b2956b890b0d87ee7aeffbc85eb8077c893763c29ea78a0db3bb76f3025b4013986b70a4e6e0030771b4823032a01a11f3da5bbc0fd72daffb4bb91fd78ab50

Filesize: 313KB
MD5: 368235db7f39ee8a096397c1bbdc51ac
SHA1: 2349aaf298e40c9bcee59accd7049e6a05e57d1f
SHA256: 16ba71a8dc7ae99aac9a4c8a0c0bec44ce306dd035f61f2e0f438a6cd1339c0a
SHA512: a9c91269e70612997d4ac0113e056386d94eb9466fdcc7d335f50ac9795997d3ce33a499ed0f1968f12bb75371ba3a6028b615c5c74809cd6f28d44e0277cc8d

Filesize: 313KB
MD5: 0102f0f1e9677f4b385178e20b84ef50
SHA1: 98dcfe2b9eb3de89411603a22c4608b4b2281cbc
SHA256: 5ca35fffc029e5af81cb09c3b8c9dc371583682b000f7b7c9f061b72df53b1ac
SHA512: 680484a66648f8117a76b7ba356d2ac17fdad6fed2350fd9eef34496ffc7d37e4938cc96275e550fb1b0447eddc18b9f6b473411070704f54b327db69577eb0f

Filesize: 313KB
MD5: 4487d18c55215cb3283c1e7a42922553
SHA1: c0751e09a543d04380a20968a67b1aae1d719395
SHA256: 4de8c23e832a45f00a5f09599346bd9d55b2c783ee7d4bceb1c38bf008113862
SHA512: c4fc8fdbfb3f6d54accec62d5e6563b3494dd18e81c55177617824fba4437fd93af92cf42e0764a58ae5e1609de6ad910531f6c4a50d5a9bd73dadeba6e865f7

Filesize: 313KB
MD5: 1edb736c351db3b75a27c5f83ef780b8
SHA1: fa8f6029460143d56855fbd66eab9fbeeaf9cbff
SHA256: c936ae12e9ef151c7fbe57be25184fccc92bcc6ccbd75eab67f2c1d2fee5164a
SHA512: 1b29b1e90c261be0e1c8b30df9d5f7afe24a455a2cd64f03ed2bbca915dec4b6b3b3358e2bce6ade6c589684d60633635a2b7dec98d517df7b81209bbcf83f76

Filesize: 313KB
MD5: 1cc826448cf9163cd41c64ccde4e2cb3
SHA1: d26e4f9405d704064288f01feda21053804518b4
SHA256: 49739dc6c520093b8ccf34cb06b8987354e36e0a7e8ba5dba1bb6c55fd1a1aa8
SHA512: a20e0e47375cd22fcfb3595a25cd95340cdc81c1f37c8589438041af8dbe707d6e659be7626e589c145b7e140421d946b1ad7b5aed97bc32cf7842c283bf3ed3

Filesize: 313KB
MD5: 5fb78dc1b8ca953c092ec59cbc0c09c6
SHA1: 52705bb92ebe0353a42b457c05c0d42fc3f46001
SHA256: d90b3f155cd47648083d2d2897ad3f1ac9debc5969628cdfcaf8def1a7cde3cc
SHA512: a32a3164d330284b9b12f21336fd4e1d2fb34354de54e2abea98d75b77455ba2a6a0fa3968daae8fd05e76d5b0eb4462675aced7f45f9bd3940885cb42c5ecc6

Filesize: 313KB
MD5: d5566830fe21bc739effa10b9ffcfd77
SHA1: 2ca8ec08fc5172ba6749d6cadeb97635d6a2f728
SHA256: 890fb28d507ed1ec7323c2494712f84e45b7ff756b4e673da87652b33fb2f622
SHA512: ebac071a458049f6b3d36dc4599afc2e027b782d0d4dcaa43f979cfc74c4b12834992096d73d7f9279d4519b86029ade367be3a86a10c8bd36ecfd558034b45c

Filesize: 313KB
MD5: f0db78a6b00f01f9f89cc55302e772a0
SHA1: 031a0bdec48375c324829c9d6a8132be5c36b3ce
SHA256: 43f8142434e77cd84043829e4c05c4ddda5930f202396d3115008fdd770c57c3
SHA512: 2ae3389cfb52c8d87459393340c0dcd07b423d7166b69ee954c26a5c5806522d051be66f5c1129b2397611f66fa6631d389f96c924b4a36c752b492cc796db8d

Filesize: 313KB
MD5: ae5dedb6b5e3daac9a39d19e2812eb1b
SHA1: ae1e253523a0f293e5b739aab90ada57abe3eb30
SHA256: 04cfcf8e451a9b0231c5063ca8507e4bed6489f0fb01367bea2cd3619caf4fd6
SHA512: 1ff9ba9b7d8eda5425d8d3b21a0164e9afed2e839f6b36856c1dcb5b9225cfe100c0db0e0c64ec272bc2f866450a07fa58ef05e441fdaf705155c72565364666

Filesize: 127B
MD5: f422e9aae4dd373496be5cb6250ea17f
SHA1: 442a3b537eeaffb2cd1f6e518d263985993c0469
SHA256: 94e2cbeaa7bd94a07bc1553ce9b364d52de24657471318b7834722bfef55027c
SHA512: 34e5b383164cc2c8a06b45b8c0777b6d16ab11c4cf47a8792d009118072fa61b69079b1c1ea20a969c03c9143702b51e0f91454673fd82b7bae35e858bd733b0

Filesize: 141B
MD5: 5fc322327c1f94e05986422ea77f5400
SHA1: 9d1475e52e0c0a4fb5f760424d2511b5e0abdf13
SHA256: 474552b7055bc73b4b1d0e0eff23b5cfbb559d016942980d68cb89b3518f156a
SHA512: 305bf6a35b2e4eeafc26f6aa54c53b774f1cc0fdb9c47fce1ac77ec854cfc63221b5c5285b59d0828a3df3e22c03aa886f2256f2f9cd48b69842cb6a49a76c35

Filesize: 313KB
MD5: 90072ec618888584c5c87a7054da3992
SHA1: 0dbeaf7f24915b82e0f30457773c6983c6e09ed7
SHA256: a1c8067ed74231868846f0c1640c79050fb10453ba32b24f78d886e310e1a608
SHA512: 64f319154be1dab81418749ff47573b666b34ea038e4042b60b20ed9ae2440f30c6adce1ec987f6039d9ae4d7b23eca90d2ae3cdf7135824dbdb1917eab4a278

Filesize: 313KB
MD5: bdf2927626b061514e4c696eaf8fde74
SHA1: cc61eab7bac0807a3f40e6d730056397e0fbe9bd
SHA256: 1cb4026142be72f6437039a5185ef2809495da404272a785f1a91034b0af8188
SHA512: 868d2af3b2f1f1feaea26b82ec2640394d074725faf932ab71ae77a67138aa9d1ec29c1a5a33aafdd7643ae2ecaf93ab71a2dff8e90f29d030a394fbc1c70c53

Filesize: 361KB
MD5: 45c87e723ef890963a244048007fafab
SHA1: 724b8494460f10a8be3773aca69a904b1f9f6054
SHA256: 1112c19bd06e331ad2a4ce38c0742528f9b92b6f1c7a757d38f32a83e26cf58e
SHA512: 2fc969800f75b0ccd27a2c7817423ed81bd56e5eff03329ee485a5ca413c8d934614c32cf9b67b2b6d1e6312f0ae2030577987b7112945c7194efa3969376727

Filesize: 361KB
MD5: 7d48fdf0c4cc365871c367d00f323b2f
SHA1: 51ec4a45bf0e2a140d001126cae872ae24dce7fa
SHA256: 8a4872dbf252c53d5eef62feaa616e9933f357b5dde182680baf182c424c4a19
SHA512: 296dcf36cf5cc9fa9080737b80a5cc9c7340f2ffce64041cd484ee3a86468e05e51af39a981b57e8f81251e599ae6e3fee0c6b040e42add6d7dbcba00e39ec9a

Filesize: 361KB
MD5: a6679ff6d0b14ec2b1ef181feb1d9fef
SHA1: c5459a8aa055e4cbb9518d1ef5d411d48ef8de8f
SHA256: 5f93083e889ae9ca1f498cdebe90ddef52315edf22fc201fe7d9eba4e1e2e9b9
SHA512: 322229369f1b73c5c1be2bd54d574c84519625559ee4d7f355786f51c82f8b0d5101571807af54c755f6e3e8bceeda33a8e06490b2a805cd19d91e9e5b7d7563

Filesize: 313KB
MD5: 894883be9122eefe8e34dd77a1ae6976
SHA1: 9b5708f4cdf49fe23b2d909bd91eea970969251e
SHA256: 5d4539f31e7d1972bfc10d96d208460954558c87db37c0e4a15e580e16d8b0cf
SHA512: 044bf18113a3107bb2fa1de92788499e2c7124237011ea8c015a479ca9961558fa4dc22cd30ee50160b13f76ccaf22c3b1e68735cdc3325fb54cbbed4e39621f

Filesize: 313KB
MD5: 026e7c3c870358292e69bc9b0e142e24
SHA1: 37d07eb7653ed24af7b52fe7a837f67511da7da5
SHA256: c653690639b032162e7c4d402dc257147899ab1b1b805b2e2dd8e6f1d250e416
SHA512: cefe102a699adf553add26ac5a0c6e3602f9c59ec1f0b486a32103ad5c6a578caa966719c539228e663df56eebc375a49999e64e4822bb416ec3646ed785141e

Filesize: 65KB
MD5: 8e6e31f8df128a746ff9a3a38f8f78c0
SHA1: e4da9aa336eb7e254592e585b29d8b4e23f3e4bd
SHA256: dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7
SHA512: eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

Filesize: 8KB
MD5: 0e528d000aad58b255c1cf8fd0bb1089
SHA1: 2445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256: c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA512: 89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Filesize: 1.4MB
MD5: c14d86b2aa572ba9973828133ffd9d83
SHA1: db863f0efc33b72522b228f25835826fad532d32
SHA256: 86a9eb67eca6d722a633e967a25866b874560ba49a49d024e9584f3db5a1a14e
SHA512: 9c0d57b0a6be0d6c4f81268f75f4032cf81e6287a781fdc7b0050d1ed31c1456d6650186b0e3bf1204d47c92b358b59707f260e7042837c78a8777692fd67d34

Filesize: 1.4MB
MD5: f2c0b2e1251d0bbced555c5d292c6e7a
SHA1: f660aab70472c3e480e27699d0d33b0a2d5520c9
SHA256: 2f1075a0715c4f5c954c12ac69b396a32312c5bae8266291c50b0c7b69b7dcea
SHA512: c4ce8f3badef64a0280baed8eaf71dd3bab2b03d0933e7191c33d70476c32471e94e33875a72b266af4105973342903fcdc8af7f55a020b07d78e1b774b7daf9

Filesize: 1.4MB
MD5: d93921be0a8cc54b2914d59edda504ff
SHA1: 61699b7bf5b7b3903ed8a99623367054f57a934a
SHA256: 2160e45f6bb10d3e3a8765ffc01b42dd6a68159abf14c1a8dea2602365bb002d
SHA512: 6dc0088e685920d63b7898a413d1351b37c5c431d02ffd04c3db42527ec09178641a94abefdaa2dd2a70792240d1caf25f943fe04ca4eb9556a52f9ed17e4a36

Filesize: 1.4MB
MD5: c6e72c1e418663017ccfea1bedf7eee7
SHA1: 797a84957ebd22647d8e7ac62a81061496ea2ef2
SHA256: d6f15036a1fd7489d7c2a04dcb2be2f44dd9a0e752e5206698f7b462970f2e9a
SHA512: 3f693de5fa31421e9a5c4ecf9182ac654a388a4934bc58b9e5e509419ea0e371d458ed8fe838f742003b3a250347e92ef9c23eac32f2cdca46fe494ff771191c