Analysis
- max time kernel: 186s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-07-2022 05:17
Static task: static1
Behavioral task: behavioral1
- Sample: 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe
- Resource: win10v2004-20220414-en
General
- Target: 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe
- Size: 388KB
- MD5: 596cbbbf42f77c3b512ad0277718329d
- SHA1: 5bc4358cbbea466e2d661c53cf7b5cb83e34feed
- SHA256: 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa
- SHA512: 8db5bf21f28031adbc1355116bbcb75c44e911ef4e43ed17570293d1f3e83694c67254ff1958850e65c065a2d4cfdec3297358647a35f8470905459a1fb07dd7
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\Recovery+kgxct.txt
- Family: teslacrypt
- C2 URLs:
  http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EB5F4FDBDFC9E56
  http://kkd47eh4hdjshb5t.angortra.at/EB5F4FDBDFC9E56
  http://ytrest84y5i456hghadefdsd.pontogrot.com/EB5F4FDBDFC9E56
  http://xlowfznrg4wf7dli.ONION/EB5F4FDBDFC9E56
Signatures
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
- Deletes shadow copies 2 TTPs
  Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE 2 IoCs
Processes:
  PID   Process
  2640  akxrmywehjhm.exe
  4440  akxrmywehjhm.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (akxrmywehjhm.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run (akxrmywehjhm.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\njeonlufikum = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\akxrmywehjhm.exe\"" (akxrmywehjhm.exe)
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 3976 set thread context of 4064 (4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe, procid_target 79)
- PID 2640 set thread context of 4440 (akxrmywehjhm.exe, procid_target 83)
Drops file in Program Files directory 64 IoCs
Processes:
- akxrmywehjhm.exe
Drops file in Windows directory 2 IoCs
Processes:
- File created: C:\Windows\akxrmywehjhm.exe (4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe)
- File opened for modification: C:\Windows\akxrmywehjhm.exe (4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  PID   Process
  4440  akxrmywehjhm.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
- PID 4064 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe, Token: SeDebugPrivilege
- PID 4440 akxrmywehjhm.exe, Token: SeDebugPrivilege
- PID 4232 WMIC.exe, Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
- PID 3976 wrote to memory of 4064 (4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe, procid_target 79), 10 entries
- PID 4064 wrote to memory of 2640 (4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe, procid_target 80), 3 entries
- PID 4064 wrote to memory of 384 (4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe, procid_target 81), 3 entries
- PID 2640 wrote to memory of 4440 (akxrmywehjhm.exe, procid_target 83), 10 entries
- PID 4440 wrote to memory of 4232 (akxrmywehjhm.exe, procid_target 84), 2 entries
System policy modification 1 TTPs 2 IoCs
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (akxrmywehjhm.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (akxrmywehjhm.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 3976
   2. C:\Users\Admin\AppData\Local\Temp\4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe"
      - Checks computer location settings
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4064
      3. C:\Windows\akxrmywehjhm.exe
         Command line: C:\Windows\akxrmywehjhm.exe
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         PID: 2640
         4. C:\Windows\akxrmywehjhm.exe
            Command line: C:\Windows\akxrmywehjhm.exe
            - Executes dropped EXE
            - Checks computer location settings
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID: 4440
            5. C:\Windows\System32\wbem\WMIC.exe
               Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
               - Suspicious use of AdjustPrivilegeToken
               PID: 4232
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4CBB26~1.EXE
         PID: 384
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 388KB
  MD5: 596cbbbf42f77c3b512ad0277718329d
  SHA1: 5bc4358cbbea466e2d661c53cf7b5cb83e34feed
  SHA256: 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa
  SHA512: 8db5bf21f28031adbc1355116bbcb75c44e911ef4e43ed17570293d1f3e83694c67254ff1958850e65c065a2d4cfdec3297358647a35f8470905459a1fb07dd7