Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
15/03/2024, 13:40
Behavioral task
behavioral1
Sample
bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
Resource
win10v2004-20240226-en
General
-
Target
bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
-
Size
775KB
-
MD5
21de830008ad31c83a09be67a3ae8b4d
-
SHA1
c95ac053d6f4284e41dfea342bb30aede7b02244
-
SHA256
bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac
-
SHA512
293dc967be7fd187116623cbc67d33b785c7e6d946b22e8793a7432a4eb044ab5f56af12d41c342d2ee06c6350b1615e6b15f9db170518abaad4dd219287d1b1
-
SSDEEP
24576:+Csr9+OXLpMePfI8TgmBTCDqEbOpPtpFadxfq:Y0OXLpMePfzVTCD7gPtLaffq
Malware Config
Extracted
C:\Users\Admin\Desktop\eM9UR_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\eM9UR_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 1 IoCs
resource yara_rule behavioral2/files/0x000300000001e9a0-517.dat family_avaddon -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1732 4652 wmic.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2896 4652 wmic.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3256 4652 wmic.exe 89 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (178) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
pid Process 1400 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\E: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\H: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\Y: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\O: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\F: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\B: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\M: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\N: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\K: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\L: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\Q: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\S: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\V: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\A: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\G: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\I: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\X: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\T: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\U: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\W: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\J: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\P: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\R: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1732 wmic.exe Token: SeSecurityPrivilege 1732 wmic.exe Token: SeTakeOwnershipPrivilege 1732 wmic.exe Token: SeLoadDriverPrivilege 1732 wmic.exe Token: SeSystemProfilePrivilege 1732 wmic.exe Token: SeSystemtimePrivilege 1732 wmic.exe Token: SeProfSingleProcessPrivilege 1732 wmic.exe Token: SeIncBasePriorityPrivilege 1732 wmic.exe Token: SeCreatePagefilePrivilege 1732 wmic.exe Token: SeBackupPrivilege 1732 wmic.exe Token: SeRestorePrivilege 1732 wmic.exe Token: SeShutdownPrivilege 1732 wmic.exe Token: SeDebugPrivilege 1732 wmic.exe Token: SeSystemEnvironmentPrivilege 1732 wmic.exe Token: SeRemoteShutdownPrivilege 1732 wmic.exe Token: SeUndockPrivilege 1732 wmic.exe Token: SeManageVolumePrivilege 1732 wmic.exe Token: 33 1732 wmic.exe Token: 34 1732 wmic.exe Token: 35 1732 wmic.exe Token: 36 1732 wmic.exe Token: SeIncreaseQuotaPrivilege 4324 wmic.exe Token: SeSecurityPrivilege 4324 wmic.exe Token: SeTakeOwnershipPrivilege 4324 wmic.exe Token: SeLoadDriverPrivilege 4324 wmic.exe Token: SeSystemProfilePrivilege 4324 wmic.exe Token: SeSystemtimePrivilege 4324 wmic.exe Token: SeProfSingleProcessPrivilege 4324 wmic.exe Token: SeIncBasePriorityPrivilege 4324 wmic.exe Token: SeCreatePagefilePrivilege 4324 wmic.exe Token: SeBackupPrivilege 4324 wmic.exe Token: SeRestorePrivilege 4324 wmic.exe Token: SeShutdownPrivilege 4324 wmic.exe Token: SeDebugPrivilege 4324 wmic.exe Token: SeSystemEnvironmentPrivilege 4324 wmic.exe Token: SeRemoteShutdownPrivilege 4324 wmic.exe Token: SeUndockPrivilege 4324 wmic.exe Token: SeManageVolumePrivilege 4324 wmic.exe Token: 33 4324 wmic.exe Token: 34 4324 wmic.exe Token: 35 4324 wmic.exe Token: 36 4324 wmic.exe Token: SeIncreaseQuotaPrivilege 2896 wmic.exe Token: SeSecurityPrivilege 2896 wmic.exe Token: SeTakeOwnershipPrivilege 2896 wmic.exe Token: SeLoadDriverPrivilege 2896 wmic.exe Token: SeSystemProfilePrivilege 2896 wmic.exe Token: SeSystemtimePrivilege 2896 wmic.exe Token: SeProfSingleProcessPrivilege 2896 wmic.exe Token: SeIncBasePriorityPrivilege 2896 wmic.exe Token: SeCreatePagefilePrivilege 2896 wmic.exe Token: SeBackupPrivilege 2896 wmic.exe Token: SeRestorePrivilege 2896 wmic.exe Token: SeShutdownPrivilege 2896 wmic.exe Token: SeDebugPrivilege 2896 wmic.exe Token: SeSystemEnvironmentPrivilege 2896 wmic.exe Token: SeRemoteShutdownPrivilege 2896 wmic.exe Token: SeUndockPrivilege 2896 wmic.exe Token: SeManageVolumePrivilege 2896 wmic.exe Token: 33 2896 wmic.exe Token: 34 2896 wmic.exe Token: 35 2896 wmic.exe Token: 36 2896 wmic.exe Token: SeIncreaseQuotaPrivilege 3256 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2564 wrote to memory of 4324 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 95 PID 2564 wrote to memory of 4324 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 95 PID 2564 wrote to memory of 4324 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 95 PID 2564 wrote to memory of 2308 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 101 PID 2564 wrote to memory of 2308 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 101 PID 2564 wrote to memory of 2308 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 101 PID 2564 wrote to memory of 1776 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 103 PID 2564 wrote to memory of 1776 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 103 PID 2564 wrote to memory of 1776 2564 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 103 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe"C:\Users\Admin\AppData\Local\Temp\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2564 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵PID:2308
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵PID:1776
-
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:3256
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:4780
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe1⤵
- Executes dropped EXE
PID:1400
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1File Deletion
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
Filesize775KB
MD521de830008ad31c83a09be67a3ae8b4d
SHA1c95ac053d6f4284e41dfea342bb30aede7b02244
SHA256bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac
SHA512293dc967be7fd187116623cbc67d33b785c7e6d946b22e8793a7432a4eb044ab5f56af12d41c342d2ee06c6350b1615e6b15f9db170518abaad4dd219287d1b1
-
Filesize
3KB
MD57bbbfbe7b07facee18efc5e6650568ae
SHA1ec6929f6b27007db102ab5165ae7df201f8b9ca2
SHA256769c7e0c8656207403811377c70e4424f6656e08f58b7d786d5c365af08307f4
SHA5124dc70c172a7efc8c7729d851b20647684d5a20ddedc9dea3255ec53c5d4371d3df9851771385eb771909a1273f5ff273f7b6e1664b33446e3e146473e4ef5b01
-
Filesize
3KB
MD55fa29f0a0673b0f371ce90eea8a7f400
SHA1ddfbb09f2538cd5b15dda0f5cd2355efca98f4a0
SHA256de90ddf9e54802830b04f089adbc6b3748b2b34e079b4e789b5f021e6c3edebf
SHA512446533a7658d7858b90f912f80cc5f412abb6c983ca9b5ef773a41037fc23ffcfc7dddebc6e0aa8ae4226c22712a241ee39e7794ccd69f4725b53ad9e09d5d9e