480f83695dd50d652910613f062a934c85a8ac9bae32bb542e60255e8e85128e

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

480f83695dd50d652910613f062a934c85a8ac9bae32bb542e60255e8e85128e.exe
Size

3.7MB
MD5

f3e1737d81c846aeffe6dc434ef1a70d
SHA1

6fb7d26916313e2264f6000b24159a684532ffa8
SHA256

480f83695dd50d652910613f062a934c85a8ac9bae32bb542e60255e8e85128e
SHA512

4f08d0f8be1ef3ce54c961532d7234d7301a25a28b3cb09ad29f6dc4c503946c1382c75ccb495722cd63bd7ffb365b758e1106504dbad71dc734d32e82ba90b1
SSDEEP

98304:AqwnqwaZHBYnxTE2nC21V1QkGSKRgRzzHxthjfdRVD:AqwnqwoBv2eVSKRKvj1bD

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4760	powershell.exe
3756	powershell.exe
1160	powershell.exe
2268	powershell.exe
3892	powershell.exe
624	powershell.exe
1356	powershell.exe
3704	powershell.exe
4492	powershell.exe
2400	powershell.exe
552	powershell.exe
408	powershell.exe
1420	powershell.exe
4056	powershell.exe
4104	powershell.exe
4756	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	ad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	fwa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	480f83695dd50d652910613f062a934c85a8ac9bae32bb542e60255e8e85128e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	clamer.exe

Executes dropped EXE 8 IoCs

pid	Process
3928	clamer.exe
2740	ad.exe
464	fwa.exe
5656	fontdrvhost.exe
3988	fontdrvhost.exe
2088	fontdrvhost.exe
5496	fontdrvhost.exe
320	fontdrvhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\ProgramData\\MyHiddenFolder\\fwa.exe"	fwa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	ad.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	clamer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5568	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5464	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe
2740	ad.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	ad.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	5656	fontdrvhost.exe
Token: SeDebugPrivilege	3988	fontdrvhost.exe
Token: SeDebugPrivilege	2088	fontdrvhost.exe
Token: SeDebugPrivilege	5496	fontdrvhost.exe
Token: SeDebugPrivilege	320	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1128	4480	480f83695dd50d652910613f062a934c85a8ac9bae32bb542e60255e8e85128e.exe	84
PID 4480 wrote to memory of 1128	4480	480f83695dd50d652910613f062a934c85a8ac9bae32bb542e60255e8e85128e.exe	84
PID 1128 wrote to memory of 3928	1128	cmd.exe	87
PID 1128 wrote to memory of 3928	1128	cmd.exe	87
PID 3928 wrote to memory of 2740	3928	clamer.exe	90
PID 3928 wrote to memory of 2740	3928	clamer.exe	90
PID 2740 wrote to memory of 4492	2740	ad.exe	91
PID 2740 wrote to memory of 4492	2740	ad.exe	91
PID 2740 wrote to memory of 3892	2740	ad.exe	92
PID 2740 wrote to memory of 3892	2740	ad.exe	92
PID 2740 wrote to memory of 4756	2740	ad.exe	93
PID 2740 wrote to memory of 4756	2740	ad.exe	93
PID 2740 wrote to memory of 2268	2740	ad.exe	94
PID 2740 wrote to memory of 2268	2740	ad.exe	94
PID 2740 wrote to memory of 624	2740	ad.exe	95
PID 2740 wrote to memory of 624	2740	ad.exe	95
PID 2740 wrote to memory of 2400	2740	ad.exe	96
PID 2740 wrote to memory of 2400	2740	ad.exe	96
PID 2740 wrote to memory of 552	2740	ad.exe	97
PID 2740 wrote to memory of 552	2740	ad.exe	97
PID 2740 wrote to memory of 1160	2740	ad.exe	98
PID 2740 wrote to memory of 1160	2740	ad.exe	98
PID 2740 wrote to memory of 4760	2740	ad.exe	99
PID 2740 wrote to memory of 4760	2740	ad.exe	99
PID 2740 wrote to memory of 1356	2740	ad.exe	100
PID 2740 wrote to memory of 1356	2740	ad.exe	100
PID 2740 wrote to memory of 408	2740	ad.exe	101
PID 2740 wrote to memory of 408	2740	ad.exe	101
PID 2740 wrote to memory of 1420	2740	ad.exe	102
PID 2740 wrote to memory of 1420	2740	ad.exe	102
PID 2740 wrote to memory of 4056	2740	ad.exe	103
PID 2740 wrote to memory of 4056	2740	ad.exe	103
PID 2740 wrote to memory of 3704	2740	ad.exe	104
PID 2740 wrote to memory of 3704	2740	ad.exe	104
PID 2740 wrote to memory of 4104	2740	ad.exe	105
PID 2740 wrote to memory of 4104	2740	ad.exe	105
PID 2740 wrote to memory of 3756	2740	ad.exe	106
PID 2740 wrote to memory of 3756	2740	ad.exe	106
PID 2740 wrote to memory of 2024	2740	ad.exe	123
PID 2740 wrote to memory of 2024	2740	ad.exe	123
PID 3928 wrote to memory of 464	3928	clamer.exe	125
PID 3928 wrote to memory of 464	3928	clamer.exe	125
PID 2024 wrote to memory of 4592	2024	cmd.exe	126
PID 2024 wrote to memory of 4592	2024	cmd.exe	126
PID 2024 wrote to memory of 5464	2024	cmd.exe	127
PID 2024 wrote to memory of 5464	2024	cmd.exe	127
PID 3928 wrote to memory of 5568	3928	clamer.exe	128
PID 3928 wrote to memory of 5568	3928	clamer.exe	128
PID 2024 wrote to memory of 5656	2024	cmd.exe	129
PID 2024 wrote to memory of 5656	2024	cmd.exe	129
PID 5656 wrote to memory of 4168	5656	fontdrvhost.exe	134
PID 5656 wrote to memory of 4168	5656	fontdrvhost.exe	134
PID 4168 wrote to memory of 5292	4168	cmd.exe	136
PID 4168 wrote to memory of 5292	4168	cmd.exe	136
PID 4168 wrote to memory of 4668	4168	cmd.exe	137
PID 4168 wrote to memory of 4668	4168	cmd.exe	137
PID 4168 wrote to memory of 3988	4168	cmd.exe	138
PID 4168 wrote to memory of 3988	4168	cmd.exe	138
PID 3988 wrote to memory of 3196	3988	fontdrvhost.exe	139
PID 3988 wrote to memory of 3196	3988	fontdrvhost.exe	139
PID 3196 wrote to memory of 3748	3196	cmd.exe	141
PID 3196 wrote to memory of 3748	3196	cmd.exe	141
PID 3196 wrote to memory of 4688	3196	cmd.exe	142
PID 3196 wrote to memory of 4688	3196	cmd.exe	142

C:\Users\Admin\AppData\Local\Temp\480f83695dd50d652910613f062a934c85a8ac9bae32bb542e60255e8e85128e.exe
"C:\Users\Admin\AppData\Local\Temp\480f83695dd50d652910613f062a934c85a8ac9bae32bb542e60255e8e85128e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
    clamer.exe -priverdD
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ad.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ad.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pSO6Ad4CHX.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4592
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:5464
      - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MCv5EqkMBH.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4668
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGbZHomwPb.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4688
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JURhlZmnbW.bat"
        11⤵
        
        PID:5440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3588
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z0hIbOJQ8t.bat"
        13⤵
        
        PID:224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4664
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\fwa.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fwa.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      PID:464
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwa.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGbZHomwPb.bat

Filesize
213B

MD5
f5717967130c1a0f1f64bda3be773a33

SHA1
aa5a36d25e98fb504436d1495e3b96b2e92535aa

SHA256
a086727ac2a91c2b229c9a7626aa83f5637cd4f2c1684fe90733a292c0960988

SHA512
60137f765de0b5bade22bab6ac1ddd000190af1e6779b31fd12480ba78c592ce34affe569c06e4fae7644505fce47191bd7c03709bdf7c89c6fa9036096d3850

Download Submit
C:\Users\Admin\AppData\Local\Temp\JURhlZmnbW.bat

Filesize
213B

MD5
99f7a00c2271be8ff984a6d79b9e514b

SHA1
391ba1007915f18d9c1708d9670d487366274ba0

SHA256
feb1748604aea95031417ca0b493285610b65be03417e131ff623ffba93df25a

SHA512
6d8981a27576a77f36eba7d8717aeb39bf8879a00ade50e49269d95077d570629a42b11b91a677b119fbdd416bb0e8dcaa300c9745f8abc7474a04b44c1c4c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCv5EqkMBH.bat

Filesize
213B

MD5
b08c6233e2437b2509a6d69737d4d6d6

SHA1
a91f7a6eefc62b63d6fc201c7fe5dbbbbb9d1c96

SHA256
87e2109d3719d6a33149c80cb2a0772852d3bccbbc1239866616947832d81f19

SHA512
05645ab177f5750b8da94f6f9b557358dd9141a969d3f9f0327f9109f6a5fb85dbbddf3c02b2426bec87884b28e0801c4e96b4764dd095e967e174de3b86778f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

Filesize
3.3MB

MD5
02ba8c5f08709d99bbebb9344af4ac46

SHA1
99ed4d61ac5749f285509a7b5e60c76ef9f4e0c4

SHA256
6599650c00dc01de8ead0554bb585ae4d1d14892f28e1311aae71ad3db38a4c1

SHA512
befcbd81405ccf53429bb9d77ccde886bbcc75422af262a9bb1be15a6be46e76203adbbfc30a1653fdd42c19295246a5a6e57aad80391bbc16bf72b26804938a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ad.exe

Filesize
2.3MB

MD5
fba36b0b385397a0a9190abfd3332f92

SHA1
f7f2b3979fe2695803a285e399fae69dd651e767

SHA256
19d8a5c007460fd0c78d139bb6d40ddea4887a54b8fea1aabcfd9cf821355598

SHA512
8a36c80ac49a432a50e9349613d97719367f7c84f8f2c1332a9fb5ec612b847fb50ca52ffebea85b46ca9de1ee1ede2992f1c358575a222b81268e2210422806

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwa.txt

Filesize
5KB

MD5
a8aba49b4924d5acc914e914d747435d

SHA1
c412f9ca92a962c3c076724f7d449eaf33f1b8bc

SHA256
820a8158f1ec44b3d46c4f53bffc81d912e73f23e6203d3f7faa397180950db2

SHA512
33fc2135fedb527bbc4c84b0cafa566da8ed5317dd3a957676f045ac17da635de889ea39842a3c612312061cd4e94ef9e48ca7583b780aee2d77cbdb5b73a27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fwa.exe

Filesize
545KB

MD5
87a5a4705b24429c4411a5a9be73590d

SHA1
df3ec5028c3f6a1a96665db7947e00e4045790a6

SHA256
04f9a7f216209a283e7339598c41d0ae839f130e048c72445a9a88598ca4fa1c

SHA512
b0411197c0be5d2e38cdffc36fb8dd42ff20e8d593395d8a6d124cfe817d5e860e4246301235452dfdddcb56d387adb6391a872cb60551ddf3f9aa0360443462

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z0hIbOJQ8t.bat

Filesize
213B

MD5
b39ad1d7707f1868035ebd0b9cb9c76d

SHA1
d96927e3e9aa1cc385d80b3f600c3d8eeefb7a7d

SHA256
e90dd1db5b13c7b5581577b401aee1f69fd1c4f951cb8c6f6249291070b4027e

SHA512
9d47925f8354ed5a2ba5520619c0711ebaf3626cdcb5ecd21d8fef479a4d533a684a0d8f1b0e53f4bf5527b8b364156b6de1e6fda82657e7d97a7725a0e3ce7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_utf5xf4j.dzi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pSO6Ad4CHX.bat

Filesize
165B

MD5
7a7d84b01071776e3e1cd45c3206e2db

SHA1
a82232fb59ab8b9db9fe91cd1d39a6bce4e41fa5

SHA256
2d89a611e302f77fc5956e4c8159fa107afacdd07980d040fda5615cbc14ee73

SHA512
014d2ed01456e73b6cdf0be907189ca09f631b809530f8889312b70a5fdecea7e3c55e1a3687430a9e7845b164ad475054d89f54789b346b98d273bda95375c7

Download Submit
memory/464-279-0x00007FF706310000-0x00007FF70639E000-memory.dmp

Filesize
568KB

Download
memory/2740-39-0x0000000002990000-0x000000000299E000-memory.dmp

Filesize
56KB

Download
memory/2740-50-0x000000001C420000-0x000000001C948000-memory.dmp

Filesize
5.2MB

Download
memory/2740-56-0x000000001BF50000-0x000000001BFAA000-memory.dmp

Filesize
360KB

Download
memory/2740-58-0x000000001BE80000-0x000000001BE8E000-memory.dmp

Filesize
56KB

Download
memory/2740-60-0x000000001BEF0000-0x000000001BF00000-memory.dmp

Filesize
64KB

Download
memory/2740-62-0x000000001BF00000-0x000000001BF0E000-memory.dmp

Filesize
56KB

Download
memory/2740-64-0x000000001BF30000-0x000000001BF48000-memory.dmp

Filesize
96KB

Download
memory/2740-66-0x000000001BF10000-0x000000001BF1C000-memory.dmp

Filesize
48KB

Download
memory/2740-68-0x000000001C000000-0x000000001C04E000-memory.dmp

Filesize
312KB

Download
memory/2740-26-0x00000000005A0000-0x00000000007F4000-memory.dmp

Filesize
2.3MB

Download
memory/2740-52-0x000000001B430000-0x000000001B43E000-memory.dmp

Filesize
56KB

Download
memory/2740-54-0x000000001BE70000-0x000000001BE80000-memory.dmp

Filesize
64KB

Download
memory/2740-49-0x000000001BED0000-0x000000001BEE2000-memory.dmp

Filesize
72KB

Download
memory/2740-47-0x000000001BEB0000-0x000000001BEC6000-memory.dmp

Filesize
88KB

Download
memory/2740-45-0x000000001BE90000-0x000000001BEA2000-memory.dmp

Filesize
72KB

Download
memory/2740-43-0x0000000002A00000-0x0000000002A0E000-memory.dmp

Filesize
56KB

Download
memory/2740-41-0x00000000029A0000-0x00000000029AC000-memory.dmp

Filesize
48KB

Download
memory/2740-37-0x0000000002980000-0x000000000298E000-memory.dmp

Filesize
56KB

Download
memory/2740-35-0x000000001BE50000-0x000000001BE68000-memory.dmp

Filesize
96KB

Download
memory/2740-33-0x000000001B440000-0x000000001B490000-memory.dmp

Filesize
320KB

Download
memory/2740-32-0x00000000029E0000-0x00000000029FC000-memory.dmp

Filesize
112KB

Download
memory/2740-30-0x00000000010C0000-0x00000000010CE000-memory.dmp

Filesize
56KB

Download
memory/2740-28-0x00000000029B0000-0x00000000029D6000-memory.dmp

Filesize
152KB

Download
memory/4756-89-0x0000028370960000-0x0000028370982000-memory.dmp

Filesize
136KB

Download