Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 14-11-2024 09:30
Static task: static1
Behavioral task: behavioral1
  Sample: 9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe
  Resource: win10v2004-20241007-en
General
Target: 9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe
Size: 3.6MB
MD5: 33eeeb25f834e0b180f960ecb9518ea0
SHA1: 61f73e692e9549ad8bc9b965e25d2da683d56dc1
SHA256: 9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f
SHA512: aaa4583b37c08a8baebac026a1b5fdca865b1c0f6760e7ade19181a28426340285dbeeb65d55bc9e222d6863645a7bf719384a1e0d3593207882619c234c9292
SSDEEP: 98304:ngwRMbvguPPou2Bzg1jGE5FS3E/HrmP9Aji:ng/bv25jEKU/HrmP9AO
Malware Config
Signatures
Detects Mimic ransomware (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000016d3a-37.dat | family_mimic
  behavioral1/files/0x0006000000016d43-50.dat | family_mimic
Mimic
  Ransomware family first seen in the wild in 2022.
Mimic family
Clears Windows event logs (1 TTPs, 1 IoCs)
  pid | Process
  2276 | wevtutil.exe
Deletes itself (1 IoCs)
  pid | Process
  2904 | cmd.exe
Executes dropped EXE (6 IoCs)
  pid | Process
  2348 | 7za.exe
  2564 | 7za.exe
  2984 | ELPACO-team.exe
  2216 | svhostss.exe
  2876 | gui40.exe
  1708 | Everything.exe
Loads dropped DLL (8 IoCs)
  pid | Process
  2156 | 9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe (3 entries)
  2984 | ELPACO-team.exe (2 entries)
  2216 | svhostss.exe (3 entries)
Modifies system executable filetype association (2 TTPs, 10 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | ELPACO-team.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | ELPACO-team.exe
  Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile\shell\open | ELPACO-team.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | svhostss.exe
  Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile\shell\open\command | svhostss.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | svhostss.exe
  Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile\shell\open\command | ELPACO-team.exe
  Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile\shell | ELPACO-team.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | ELPACO-team.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | svhostss.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhostss = "\"C:\\Users\\Admin\\AppData\\Local\\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\\svhostss.exe\" " | ELPACO-team.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\E: | Everything.exe
  File opened (read-only) | \??\B: | Everything.exe
  File opened (read-only) | \??\P: | Everything.exe
  File opened (read-only) | \??\R: | Everything.exe
  File opened (read-only) | \??\Y: | Everything.exe
  File opened (read-only) | \??\Z: | Everything.exe
  File opened (read-only) | \??\J: | Everything.exe
  File opened (read-only) | \??\N: | Everything.exe
  File opened (read-only) | \??\O: | Everything.exe
  File opened (read-only) | \??\S: | Everything.exe
  File opened (read-only) | \??\T: | Everything.exe
  File opened (read-only) | \??\U: | Everything.exe
  File opened (read-only) | \??\V: | Everything.exe
  File opened (read-only) | \??\W: | Everything.exe
  File opened (read-only) | \??\X: | Everything.exe
  File opened (read-only) | \??\A: | Everything.exe
  File opened (read-only) | \??\G: | Everything.exe
  File opened (read-only) | \??\H: | Everything.exe
  File opened (read-only) | \??\I: | Everything.exe
  File opened (read-only) | \??\K: | Everything.exe
  File opened (read-only) | \??\L: | Everything.exe
  File opened (read-only) | \??\M: | Everything.exe
  File opened (read-only) | \??\Q: | Everything.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7za.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7za.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ELPACO-team.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svhostss.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Everything.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wevtutil.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe
Modifies registry class (11 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | ELPACO-team.exe
  Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile | ELPACO-team.exe
  Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile\shell | ELPACO-team.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | svhostss.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | svhostss.exe
  Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile\shell\open\command | svhostss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | ELPACO-team.exe
  Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile\shell\open\command | ELPACO-team.exe
  Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile\shell\open | ELPACO-team.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | ELPACO-team.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | svhostss.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  2216 | svhostss.exe (2 entries)
  2876 | gui40.exe (14 entries)
Suspicious use of AdjustPrivilegeToken (55 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege, 35 | 2348 | 7za.exe
  Token: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 2564 | 7za.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 2984 | ELPACO-team.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 2216 | svhostss.exe
  Token: SeDebugPrivilege | 2876 | gui40.exe
  Token: SeSecurityPrivilege, SeBackupPrivilege | 2276 | wevtutil.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  1708 | Everything.exe
Suspicious use of WriteProcessMemory (32 IoCs)
  description | pid | Process | procid_target
  PID 2156 wrote to memory of 2348 | 2156 | 9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe | 30 (4 entries)
  PID 2156 wrote to memory of 2564 | 2156 | 9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe | 32 (4 entries)
  PID 2156 wrote to memory of 2984 | 2156 | 9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe | 34 (4 entries)
  PID 2984 wrote to memory of 2216 | 2984 | ELPACO-team.exe | 36 (4 entries)
  PID 2216 wrote to memory of 2876 | 2216 | svhostss.exe | 38 (4 entries)
  PID 2216 wrote to memory of 1708 | 2216 | svhostss.exe | 39 (4 entries)
  PID 2156 wrote to memory of 2904 | 2156 | 9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe | 41 (4 entries)
  PID 2216 wrote to memory of 2276 | 2216 | svhostss.exe | 43 (4 entries)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe"
    PID: 2156
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
        PID: 2348
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    [depth 2] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p7183204373585782 Everything64.dll
        PID: 2564
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    [depth 2] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ELPACO-team.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ELPACO-team.exe"
        PID: 2984
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [depth 3] C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe
            command line: "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe"
            PID: 2216
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies system executable filetype association
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [depth 4] C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\gui40.exe
                command line: C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\gui40.exe
                PID: 2876
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [depth 4] C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.exe
                command line: "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.exe" -startup
                PID: 1708
                - Executes dropped EXE
                - Enumerates connected drives
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
            [depth 4] C:\Windows\SysWOW64\wevtutil.exe
                command line: wevtutil.exe cl security
                PID: 2276
                - Clears Windows event logs
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
    [depth 2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        PID: 2904
        - Deletes itself
        - System Location Discovery: System Language Discovery
Network
- No results found
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads