Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-04-2024 10:08
Behavioral task
behavioral1
Sample
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Resource
win10v2004-20240226-en
General
-
Target
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
-
Size
775KB
-
MD5
117da2dd6fa24616f63eb43d5a15e5d3
-
SHA1
b4d70eecdef52ceef15f04a025d1ab08f193fb97
-
SHA256
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
-
SHA512
de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
-
SSDEEP
24576:TCsQ9+OXLpMePfI8TgmBTCDqEbOpPtpFhAxfq:5HOXLpMePfzVTCD7gPtLhQfq
Malware Config
Extracted
C:\Users\Admin\Desktop\OkIPU_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe family_avaddon -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
wmic.exewmic.exewmic.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4888 3512 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4208 3512 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1076 3512 wmic.exe -
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (145) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exepid process 4636 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-983155329-280873152-1838004294-1000\desktop.ini 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process File opened (read-only) \??\Z: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\A: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\N: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\O: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\S: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\W: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\F: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\E: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\K: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\T: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\V: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\R: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\U: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\X: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\H: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\I: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\M: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\Q: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\P: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\Y: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\B: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\G: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\J: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\L: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exepid process 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 4888 wmic.exe Token: SeSecurityPrivilege 4888 wmic.exe Token: SeTakeOwnershipPrivilege 4888 wmic.exe Token: SeLoadDriverPrivilege 4888 wmic.exe Token: SeSystemProfilePrivilege 4888 wmic.exe Token: SeSystemtimePrivilege 4888 wmic.exe Token: SeProfSingleProcessPrivilege 4888 wmic.exe Token: SeIncBasePriorityPrivilege 4888 wmic.exe Token: SeCreatePagefilePrivilege 4888 wmic.exe Token: SeBackupPrivilege 4888 wmic.exe Token: SeRestorePrivilege 4888 wmic.exe Token: SeShutdownPrivilege 4888 wmic.exe Token: SeDebugPrivilege 4888 wmic.exe Token: SeSystemEnvironmentPrivilege 4888 wmic.exe Token: SeRemoteShutdownPrivilege 4888 wmic.exe Token: SeUndockPrivilege 4888 wmic.exe Token: SeManageVolumePrivilege 4888 wmic.exe Token: 33 4888 wmic.exe Token: 34 4888 wmic.exe Token: 35 4888 wmic.exe Token: 36 4888 wmic.exe Token: SeIncreaseQuotaPrivilege 4208 wmic.exe Token: SeSecurityPrivilege 4208 wmic.exe Token: SeTakeOwnershipPrivilege 4208 wmic.exe Token: SeLoadDriverPrivilege 4208 wmic.exe Token: SeSystemProfilePrivilege 4208 wmic.exe Token: SeSystemtimePrivilege 4208 wmic.exe Token: SeProfSingleProcessPrivilege 4208 wmic.exe Token: SeIncBasePriorityPrivilege 4208 wmic.exe Token: SeCreatePagefilePrivilege 4208 wmic.exe Token: SeBackupPrivilege 4208 wmic.exe Token: SeRestorePrivilege 4208 wmic.exe Token: SeShutdownPrivilege 4208 wmic.exe Token: SeDebugPrivilege 4208 wmic.exe Token: SeSystemEnvironmentPrivilege 4208 wmic.exe Token: SeRemoteShutdownPrivilege 4208 wmic.exe Token: SeUndockPrivilege 4208 wmic.exe Token: SeManageVolumePrivilege 4208 wmic.exe Token: 33 4208 wmic.exe Token: 34 4208 wmic.exe Token: 35 4208 wmic.exe Token: 36 4208 wmic.exe Token: SeIncreaseQuotaPrivilege 2688 wmic.exe Token: SeSecurityPrivilege 2688 wmic.exe Token: SeTakeOwnershipPrivilege 2688 wmic.exe Token: SeLoadDriverPrivilege 2688 wmic.exe Token: SeSystemProfilePrivilege 2688 wmic.exe Token: SeSystemtimePrivilege 2688 wmic.exe Token: SeProfSingleProcessPrivilege 2688 wmic.exe Token: SeIncBasePriorityPrivilege 2688 wmic.exe Token: SeCreatePagefilePrivilege 2688 wmic.exe Token: SeBackupPrivilege 2688 wmic.exe Token: SeRestorePrivilege 2688 wmic.exe Token: SeShutdownPrivilege 2688 wmic.exe Token: SeDebugPrivilege 2688 wmic.exe Token: SeSystemEnvironmentPrivilege 2688 wmic.exe Token: SeRemoteShutdownPrivilege 2688 wmic.exe Token: SeUndockPrivilege 2688 wmic.exe Token: SeManageVolumePrivilege 2688 wmic.exe Token: 33 2688 wmic.exe Token: 34 2688 wmic.exe Token: 35 2688 wmic.exe Token: 36 2688 wmic.exe Token: SeIncreaseQuotaPrivilege 1076 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription pid process target process PID 1332 wrote to memory of 2688 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 1332 wrote to memory of 2688 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 1332 wrote to memory of 2688 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 1332 wrote to memory of 2900 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 1332 wrote to memory of 2900 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 1332 wrote to memory of 2900 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 1332 wrote to memory of 4408 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 1332 wrote to memory of 4408 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 1332 wrote to memory of 4408 1332 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
1File Deletion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exeFilesize
775KB
MD5117da2dd6fa24616f63eb43d5a15e5d3
SHA1b4d70eecdef52ceef15f04a025d1ab08f193fb97
SHA25648d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
SHA512de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
-
C:\Users\Admin\Desktop\OkIPU_readme_.txtFilesize
3KB
MD5832a50210a32e23359a5791560ee3d95
SHA14f5da3ee5e57517e5cabbf3880f585ed2274b75a
SHA256fc7bb019e74102c45e8a78d6d691a3324af5cff61ee7aa9e5cea680e986dbfdf
SHA512b1bc980b881f43619c0be8e08d566d6730f959d16a918108cb767568074689073e020618646403c6d46e383a354481f8866a90f39bdfae7fff383025d9bc9bea