Analysis
max time kernel: 146s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 15/03/2024, 13:23
Behavioral task behavioral1
Sample: 2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Resource: win10v2004-20240226-en
General
Target: 2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Size: 775KB
MD5: 4ecc7bbbed724a23a2d6b0037064a64d
SHA1: 20b98609454cdbb242ff6102b344006f542f7f10
SHA256: 2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b
SHA512: 48dfe12630693864c4aa28732932beea2f75b9dfeb40ed03e9e1c6ad9aa0d03b2eaca235260dbc19073f59c68d854a45d04ad76c4c0d801b8fd095c06f26de52
SSDEEP: 24576:+CsR9+OXLpMePfI8TgmBTCDqEbOpPtpFa0xfq:YKOXLpMePfzVTCD7gPtLasfq
Malware Config
Extracted
C:\Users\Admin\Documents\Ky4kB_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\Ky4kB_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures

Avaddon
Ransomware-as-a-service first advertised in June 2020; the operation shut down and released its decryption keys in June 2021.

Avaddon payload 1 IoCs
resource: behavioral2/files/0x0008000000023313-422.dat
yara_rule: family_avaddon
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro. When the parent is wmiprvse.exe, as here, the usual cause is instead that the process was created through WMI (the Win32_Process class), which makes the WMI provider host the recorded parent and hides the real caller from parent/child lineage checks.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid   pid_target  Process   procid_target
1312  3788        wmic.exe  96
1140  3788        wmic.exe  96
3888  3788        wmic.exe  96

UAC bypass
description      ioc                                                                                                         Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (150) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE 1 IoCs
pid   Process
5140  2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Checks whether UAC is enabled
description      ioc                                                                                        Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Drops desktop.ini file(s) 1 IoCs
description                   ioc                                                                             Process
File opened for modification  \??\Z:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini  2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
Process: 2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
ioc (every drive letter except C: and D:, listed here in alphabetical order): \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
2424  2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe (all 64 rows are this one process)
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid 1312 wmic.exe, pid 1140 wmic.exe and pid 3888 wmic.exe each enabled the same 21 tokens (63 rows): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 4632 wmic.exe: SeIncreaseQuotaPrivilege (the listing is capped at 64 rows, so the remaining tokens for PID 4632 are not shown)
Tokens 33 to 36 are privilege LUIDs the report does not resolve to names; on Windows 10 they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. The same set is enabled by every wmic.exe instance, consistent with wmic.exe enabling all privileges held by its token at startup rather than with behaviour specific to the sample.
Suspicious use of WriteProcessMemory 9 IoCs
description                       pid   Process                                                                procid_target
PID 2424 wrote to memory of 4632  2424  2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe  103  (3 rows)
PID 2424 wrote to memory of 552   2424  2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe  109  (3 rows)
PID 2424 wrote to memory of 2880  2424  2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe  111  (3 rows)
The three targets are the SysWOW64 wmic.exe children of the sample listed in the process tree.

System policy modification 1 TTPs 3 IoCs
description      ioc                                                                                                         Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"     2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
EnableLUA = 0 turns UAC off entirely (effective after the next reboot); ConsentPromptBehaviorAdmin = 0 makes elevation silent for administrators; EnableLinkedConnections = 1 makes drives mapped under the user's standard token visible to the elevated token, which widens the set of network shares an elevated encryptor can reach.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
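As an added example (not part of the tria.ge report and not code from the Avaddon sample), the signatures above can be turned into detection logic and run over constructed Sysmon-style events. The registry key, value names and values, the wmic command line, the wmiprvse.exe parent and the PIDs are taken from the report; the event schema, the benign rows, the rename threshold of 20, the extra LOLBin names and the ".ENCRYPTED" suffix on renamed files are assumptions made for the example. The rules also generalise slightly beyond the report: the shadow-copy rule covers vssadmin as well as wmic, and the command line is case-folded because the report shows the verb in upper case.

```python
"""Detection rules for the behaviours flagged in the signatures above, run
over constructed Sysmon-style events. Added example; not tria.ge code and
not the Avaddon sample's code."""
import ntpath
from collections import defaultdict

# Registry values the sample sets (key, names and values are from the report).
POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_TAMPER = {
    "EnableLUA": "0",                   # disables UAC entirely (after reboot)
    "ConsentPromptBehaviorAdmin": "0",  # silent elevation for administrators
    "EnableLinkedConnections": "1",     # mapped drives visible to the elevated token
}
# Parent from the "unexpected child process" signature; the child set is an
# assumption that extends it to other LOLBins.
UNEXPECTED_PARENTS = {"wmiprvse.exe"}
LOLBIN_CHILDREN = {"wmic.exe", "cmd.exe", "powershell.exe", "vssadmin.exe"}


def _image(path):
    """Case-folded file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path).lower()


def is_shadow_copy_deletion(ev):
    """wmic SHADOWCOPY DELETE (seen in the report) or vssadmin delete shadows.
    The command line is case-folded and whitespace-normalised first."""
    if ev["type"] != "process":
        return False
    cmd = " ".join(ev["cmdline"].lower().split())
    image = _image(ev["image"])
    if image == "wmic.exe":
        return "shadowcopy" in cmd and "delete" in cmd
    if image == "vssadmin.exe":
        return "delete" in cmd and "shadows" in cmd
    return False


def is_uac_policy_tamper(ev):
    """Registry write setting one of the UAC policy values to the tampered value."""
    if ev["type"] != "registry":
        return False
    key, _, name = ev["target"].rpartition("\\")
    return key.lower() == POLICY_KEY.lower() and UAC_TAMPER.get(name) == ev["value"]


def is_unexpected_child(ev):
    """A LOLBin whose parent is a process that should not launch anything."""
    return (ev["type"] == "process"
            and _image(ev["parent_image"]) in UNEXPECTED_PARENTS
            and _image(ev["image"]) in LOLBIN_CHILDREN)


def rename_bursts(events, threshold=20):
    """PIDs that renamed at least `threshold` files by appending to the name,
    the pattern behind the 'renames multiple files with added filename
    extension' signature. The threshold is an assumption."""
    per_pid = defaultdict(int)
    for ev in events:
        if ev["type"] != "rename":
            continue
        src, dst = ev["src"].lower(), ev["dst"].lower()
        if dst.startswith(src) and len(dst) > len(src):
            per_pid[ev["pid"]] += 1
    return {pid: n for pid, n in per_pid.items() if n >= threshold}


def run_rules(events):
    """Return (rule, pid) hits in event order, with rename bursts appended."""
    hits = []
    for ev in events:
        for name, rule in (("shadow_copy_deletion", is_shadow_copy_deletion),
                           ("uac_policy_tamper", is_uac_policy_tamper),
                           ("unexpected_child", is_unexpected_child)):
            if rule(ev):
                hits.append((name, ev["pid"]))
    hits.extend(("rename_burst", pid) for pid in sorted(rename_bursts(events)))
    return hits


# Constructed events mirroring the report (PIDs, paths, command lines and
# registry values come from the report; the benign rows with PIDs 9001-9003
# and the .ENCRYPTED suffix are made up for the example).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe"
EVENTS = [
    {"type": "registry", "pid": 2424, "target": POLICY_KEY + r"\EnableLUA", "value": "0"},
    {"type": "registry", "pid": 2424, "target": POLICY_KEY + r"\ConsentPromptBehaviorAdmin", "value": "0"},
    {"type": "registry", "pid": 2424, "target": POLICY_KEY + r"\EnableLinkedConnections", "value": "1"},
    {"type": "registry", "pid": 9001, "target": POLICY_KEY + r"\EnableLUA", "value": "1"},  # benign: re-enabling UAC
    {"type": "process", "pid": 4632, "ppid": 2424, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "parent_image": SAMPLE, "cmdline": "wmic SHADOWCOPY DELETE /nointeractive"},
    {"type": "process", "pid": 1312, "ppid": 3788, "image": r"C:\Windows\system32\wbem\wmic.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe", "cmdline": "wmic SHADOWCOPY DELETE /nointeractive"},
    {"type": "process", "pid": 9002, "ppid": 9003, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "wmic os get caption"},  # benign inventory query
] + [
    {"type": "rename", "pid": 2424, "src": rf"C:\Users\Admin\Documents\doc{i}.docx",
     "dst": rf"C:\Users\Admin\Documents\doc{i}.docx.ENCRYPTED"} for i in range(25)
]

if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:<22} pid={pid}")
```

Run against the constructed events, the benign wmic inventory query and the EnableLUA = 1 write produce no hits, while the sample's PID 2424 is flagged three times for the policy writes and once for the rename burst, and both wmic.exe instances are flagged for shadow-copy deletion, with the WMI-spawned one also flagged for its unexpected parent. Telemetry keyed on wmic.exe alone would miss an attacker who switches to vssadmin or PowerShell's Win32_ShadowCopy, so the process rule matches on image plus normalised command line rather than on a single literal string.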
Processes

C:\Users\Admin\AppData\Local\Temp\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe (PID 2424)
  command line: "C:\Users\Admin\AppData\Local\Temp\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  child: C:\Windows\SysWOW64\Wbem\wmic.exe (PID 4632)
    command line: wmic SHADOWCOPY DELETE /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  child: C:\Windows\SysWOW64\Wbem\wmic.exe (PID 552)
    command line: wmic SHADOWCOPY DELETE /nointeractive
  child: C:\Windows\SysWOW64\Wbem\wmic.exe (PID 2880)
    command line: wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe (PID 1312)
  command line: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\wmic.exe (PID 1140)
  command line: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\wmic.exe (PID 3888)
  command line: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 4544)
  command line: C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6136)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3952 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe (PID 5140)
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
  - Executes dropped EXE

Reading the tree: the three SysWOW64 wmic.exe instances (PIDs 4632, 552, 2880) are direct children of the sample, which the SysWOW64 path shows to be a 32-bit process, and they match the three WriteProcessMemory targets above. The three system32 wmic.exe instances (PIDs 1312, 1140, 3888) have wmiprvse.exe (PID 3788) as their parent, so they were created through WMI rather than by a direct CreateProcess call from the sample. vssvc.exe (PID 4544) is the Volume Shadow Copy service starting in response to the deletion requests. The msedge.exe utility process has no link to the sample in the tree.
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (1): Disable or Modify Tools (1)
  Indicator Removal (1): File Deletion (1)
  Modify Registry (2)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe (same hashes as the submitted sample, i.e. a self-copy into the user's roaming profile)
Filesize: 775KB
MD5: 4ecc7bbbed724a23a2d6b0037064a64d
SHA1: 20b98609454cdbb242ff6102b344006f542f7f10
SHA256: 2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b
SHA512: 48dfe12630693864c4aa28732932beea2f75b9dfeb40ed03e9e1c6ad9aa0d03b2eaca235260dbc19073f59c68d854a45d04ad76c4c0d801b8fd095c06f26de52

-
Filesize: 3KB
MD5: 6a0fecfd8a8bea3817efb368e38f768e
SHA1: 8a4cb7b271c3b2fe17ba4341aa9f1e44761d5665
SHA256: a2f5bcae413c50b442ff4608ceefbc426f728722e49ad7797a90f5c807e640ce
SHA512: 065b01127ad6b0145e0c4b1a21b33bbff7bc036262c96b40d2239c45b044bf5987164dd9c0968266eb2c013a1fbedff32c534979dfa5e3a9647357c4113b5f94

-
Filesize: 3KB
MD5: aaab96729edcaae738dc536554e264fe
SHA1: 006a86178457dd9b7a7ce0fb8e8207699f5c728b
SHA256: 0f3585284decb3af4bdd6115331b6a5150e098439323b405a3bf16a83c2f3cc3
SHA512: b7e790ae9895d51529fd3849e52b586ea8f92208b3f6bfb844eb2447ea7bb5c6f86e82bd65e4d0d0ec0b58a0a9fa21be31d0129bcabe19ad0a3baad20f62c01f