Analysis
-
max time kernel
267s -
max time network
259s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
31/08/2024, 21:43
General
-
Target
Masew_Cleaner.exe
-
Size
8.6MB
-
MD5
4cea17c844a02332a5c5710e5c0a85f1
-
SHA1
606437280389be921c3da93b1fc45c04942dac6b
-
SHA256
e00f30fbf89010df952f9ee593655c3f1ccd4dc5e6a6ad733d0c91c1266336db
-
SHA512
9fe35b63ad3aa57be8ce6b35b63ffad25f281fe60ff129d602d80841bbcbfffc794d6bf70c1cfed79b00f41ad2f34a41a5b69a563e90c0a02595edcc4e401f0f
-
SSDEEP
196608:L4S7kvG91Co1vxBPMuFvxlBRh+LO1kSIvkKgRRwpR:LBo01CGxBPVNxVh+LO1kSwpgLwj
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 21 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 21 IoCs
-
Checks BIOS information in registry 2 TTPs 42 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 20 IoCs
-
Maps connected drives based on registry 3 TTPs 42 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in Windows directory 1 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 43 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 18 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 47 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Masew_Cleaner.exe"C:\Users\Admin\AppData\Local\Temp\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd98e7cc40,0x7ffd98e7cc4c,0x7ffd98e7cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1856,i,13939782732280186924,10753928879109619201,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1848 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1788,i,13939782732280186924,10753928879109619201,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2080 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,13939782732280186924,10753928879109619201,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2208 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,13939782732280186924,10753928879109619201,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3128 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,13939782732280186924,10753928879109619201,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3256 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,13939782732280186924,10753928879109619201,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3516 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4540,i,13939782732280186924,10753928879109619201,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4700 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,13939782732280186924,10753928879109619201,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4564 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4972,i,13939782732280186924,10753928879109619201,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4560 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4588,i,13939782732280186924,10753928879109619201,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4752 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4728,i,13939782732280186924,10753928879109619201,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5224 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3736,i,13939782732280186924,10753928879109619201,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3740 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\HideEdit.xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ConnectUninstall.xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\Masew_Cleaner.exe"C:\Users\Admin\Downloads\Masew_Cleaner.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
854B
MD5e935bc5762068caf3e24a2683b1b8a88
SHA182b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
1KB
MD5b4fce7ad1fed1e9dd027c0b54ed6510a
SHA198bf9b52c38d5c29ac77dd620f661db9b11d978e
SHA25674b4d30030215b40437fce53e5f9c72fd3c5b9dbefa034dcc2793f9df2e5f348
SHA512153e02e3834f5a5733e7622c7612866121420e3c7a1977d91e3472cd8a5b70b1c54828f1c101dcc3fe9826b9149c3e4665deaa5aac1b45c9fb69d205f87dc86a
-
Filesize
345B
MD5460d930c2e413858981ad2e2fb35cbf0
SHA1859b256166d1bde0eaa7b5d2cbf86efebfe5c3ea
SHA2561f1d44b141b8289d7664f09b8075609f1271634d1604a4dc560543b348041c28
SHA512cf630a95854384962257787238da058258018df201f96b36259ac03ac2b6a4f9f775bc566b8c78ecf10abb9bde6726eaff9bc938fa611ff39031e2a4299e84eb
-
Filesize
471B
MD5ee10a35bed59d925fd26ce66a11c0bc8
SHA1e8178f5eaae71e407f83fd6fc1cfcf96c51535b1
SHA256d19e409713e478287b852f1501b2c4dfe27e18d62b8dc4a066d02ad6d6fdfd84
SHA5123216042febaf2626796dcddbf1990f185ed5e99b6f67d749c8d7997bb7f061a7bb87ceea98125a0225ea3a2eff5edd4019da363ae3b4a94eab53f6dfdcb9ffe9
-
Filesize
471B
MD5521e4158632c9c2f129bfbad82e7ca9e
SHA1e68fb304bfb7bc64b07e64a3065b9e98691d8c6d
SHA256ae25cc033f84d4f778ac1d5a6ee089f42c75919d468d1e9dcc13a56e515731fc
SHA512efa875a39983d659eed3e845c2f8e5f41f0788bb6d7977e998c60b269b0ee4b252db7b603d70b551432183c3ffc3ed88d65b134551566ce92cf7e3f9e804c7ba
-
Filesize
170B
MD5543f8b9d702e80cd0fa96c21fc772af5
SHA1b23e0360d68ff47930b053637560a495ce902580
SHA256424e73c4a2be12bfb10f29fa7c9fd394455006df135540edebf09af5ccaae247
SHA5125a760646529da3c47c79eb4aebbd65fd5d7f62cd3776025439e5617f54dc2151c4b9dcbb161c8fa3505516927fd397615ccd7993df5a97e3f19b74924d0db8d4
-
Filesize
192B
MD5c373d8fc536450d0f4b3f6fc2dc877a3
SHA1fc05c031fc6d2c79feda4584ca1a904a3814738d
SHA256b54ae995b0c5d783aa65014685fefe66c893971bcccd35d9bb74fc153c3237ea
SHA512619054e022deb9a3dd5a794c2d1cfb165b07afbe0c7ce2ed24340eadf67972b2f18bfd6b950e099fdcc9d85c4bf36b5674622f8f6fa94a612ca7ed9a8eeb53e2
-
Filesize
410B
MD50a16aa826f8e9b6ad08c76a5fa2a452c
SHA1225c2d47999ef2330544c3f2ae0c6b02c5ad3f03
SHA2568a80a2623b406c6117548c0b8b8b6df760052c660a1430ecfde2ed308f3a2e3a
SHA512316ca3afff29d1439a4e5613d96ec8da3b494f575b19ea8af5c97a421ddf98da6d2cdaf9796d2be8cd43d0c19e10aedff39ce930e1d66a37504e87ddd1aabac2
-
Filesize
540B
MD5f13f05dc8e6f6b4e193ba68f98262b99
SHA1378e5935b6f9bc1dabf250f5193808b41ad1e9da
SHA2568e7c40157c47ea7f96cb893f78f34e671e48017488e2c1a3ef903ee41fc49139
SHA51236f78899bb4bd26b410dacf343ff2b2512f1a93881a476789348c70df3e26d7e7a21b8462f4d37603fe3229ed34889a80c02cc761cba50dd40f21c4488a2adfb
-
Filesize
402B
MD599a066708a114d699faee6a891b516f7
SHA1f167cbfe6b7b2b67191207763e3a8e8aa88a1f60
SHA25685285e923067b47c29fef09c4de5d254a238b44e07553e24d0dcd2d41a6bd76c
SHA512f69e4844369a8b0f49f97917d6434844372524e185e7ff9f9d6761feaa8613ac84f94dea39ff12a1805d608c9d18cbb58ec68bf539c650db7521a34ceed86bb2
-
Filesize
412B
MD505f6e12c270e6a2a0a9f38e4fae35045
SHA1ffc2ca00846eb938fdde2122e17620ca66034d81
SHA25694f67a7d2cc3037e5f40f58d086f943aee5d8818418a503f2bead93e278bdb70
SHA51215d656a0c6eb4f06c630dd51ff519d2527aca1cf2d3b722c7c79ce07f717cc04f3f8556cdbd64c1353143515c595e3c7356e0fab2b13bb1aaf888949ad53e16f
-
Filesize
649B
MD5f83dd7f187fbccddc6121a3562aefc34
SHA142c97c388f8bede8c1b4206d5b0614436529f892
SHA256e2c0e2c1dadca8000688ad9bf60eaaa9595759f2b642121b65f8471c339ff607
SHA512ca434686b0cf0619edf197a6b4370eb3871d4653806c006497fa782dbf0e4ae18895fe67e46d8a86569646a532599f32e4c112107daf7c460c4db1f0c748019f
-
Filesize
216B
MD59290091a7a6fd5fb64a62a5c0c873895
SHA149c5eeaef6d6fdd17da460d0b2f0353808f484db
SHA256efef1b5d9146964dda01aed5d70f51f990f10644f5b2bd1ff9720c93401a3057
SHA512ab0b3f66deee08a5371e12f3536eb81886a2207f4040c5c66a16b5b96a3d0f0aa05a6dcb9cad5784a1d75e985ae45c09de1c0d5e92efd2cd97d4859e4bff8089
-
Filesize
1KB
MD592396d917023d7b1bed20282eb34f3e0
SHA1b18b0e717bdbbe1a1a81ea3e4ba2ddc2bb167e15
SHA256824a01b2627e2293df882e1ea9c1832490485a8a87a2c611bfe97fa68692437d
SHA512946357dcdcfe5abc62591321b292fe61d6690d7653c5623a9d6592769a6145e8788cf214deb3fe47b97a0fb865663d9891c8807f113866991478c5925b3eeb46
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
354B
MD51ea7cc7f8100c43b3e2ff74c0eb43244
SHA1d16b6aaeed9db60b458610b36ffd747d2329a0ff
SHA2562685c72ccfbd98e8ce898b2bfeee9821dcaf5a5c5cc9660a628498b30c41fc94
SHA512d04058fac48146184f4382efc8debc8deff2c2587aea7be4f1c79e1b5c5d2645de2847be83c3fab7b10d5e2319ccb6623dfab18a4358ecaf5f3c90afd4014d66
-
Filesize
9KB
MD552a3f820a700ae352f24f62410ea10a4
SHA1fa1fa0614f0c0bf77ac8912245a7dc7d97849ceb
SHA256b1ada74518e05da671d4ae344eb92a711087f0385342ebd673089ae3d9c0f469
SHA512d71142f64d700794998b78563f23ec8c676cd7b26d1da5621b9da89b01986a2902d55f2254cba0d2c289c4584fc23b91f95c396d936dffbf0a12e52a86a16cd9
-
Filesize
9KB
MD514e5cd14e36a8e6d801a473f209b3834
SHA11a32c12028f46aacf7f1269f21fd9b55cb71bc6c
SHA2563f87ff203bcb1c1200186a0bf0d3e3850dc3c4374734611eb2db581ef7ea222b
SHA512b830a4f4bd4c94bd1b9074a01f6def2059c16a5391e5895a3360d909ddd5452bcb27dcff99be7b1bcc76272acc5eb64038a4bd9b8baad886ef9d88eaaa767506
-
Filesize
9KB
MD5b63b2fdbe20f1626612dedbdeba7fdb8
SHA16b5bf63a4d2fe8b6556fade5e13d5a51b74955e7
SHA25610df8cb7a97e7288b4451fa69c8a8680447ab7d9c0df0df249e6ca462ab3ca2d
SHA512ff6dacbdfff152411aa1b89cc24051baace96f39060aaf03131cf6b435be6bffdbbef8e8375c0a03f7efa4a681a4c22c4e292ab01422d2711a300a838c88f7eb
-
Filesize
10KB
MD56d061f45618a025f571223da97620f0b
SHA189052e8608497c716d2765d95cdba262c48076bd
SHA256d4a7bf1e319e8bd5f24fa2ba657587579344ae9eaf310984f47709b23b277e11
SHA5125e5319b42d0389d910aa03dbd32c9f902b54e439af8cf2ef2cf0b408c75376ae1a263e4a288dcaefb992df466e03f4676ca4aafd052b7edbb9efbc3f02af0352
-
Filesize
15KB
MD503669680374141df1bd25ae98c1d2e8a
SHA1be2416e7f5903ee7819b69faacfa7d689bf775be
SHA256d224f157ffb5d73ca026b3f0bc47bd67747882f33c698e2f0b3f68179433d17d
SHA512a12259923942c840147bc43fea2dc9fa3247b97f07ddd3be276c4085227938f0433ad4b8c62c2fb9794b42984304044ef2ab2dbff14dbcae73aec23dd33fa48b
-
Filesize
205KB
MD56de82e8fe1a9f021141d982d32317ffd
SHA106f25713e9cf83ed89b1a3a735859bf7e033702e
SHA256eb2a350a443272862a8fc7d7fff5a57aed137b3c6750b150fc2f60f744937a85
SHA5126c7f58141bbafe4296e6026ec761f7dc328835cb684c0f4e603aaeb1246a690d619dca5a6cb0ee72fcdfb0b8e51d3aa8d140804ec4b29645b99645eb93c29b13
-
Filesize
205KB
MD55c3abce1de022f6960cd315c76288131
SHA1964f7296c5722027a694acb46e7269c4aff8d30d
SHA256fe8d0704455e0cadbd919dff2599f2459228c5eff8085b7430c9194eaa1d04d1
SHA5128b464c5d72a8c7b51c633d977d1af07d8e5325523f3855544f4c7ce82c5720672cd696183a69c07ddaa6a5903b885c25ea4a99b2739cb1bffe54679bb958c0f4
-
Filesize
205KB
MD5ae4ae305edec60f7829b16358efc786d
SHA1f6b9d5c2393412ead59390d34631ee06ff2c2ea3
SHA2561b56088102aebf555dccea5848035031c97415d5d96525107407798366e260df
SHA5120f7db53199c8bcec867c3ec25c83b1e5c81c657ceaef128b1de9bddececc0c17908c64c2e882e22f5d8f783e52b83ffbab122cf2bb766341794c1c0691b6bbe1
-
Filesize
264KB
MD5f850f1c1817376ffe6c76977261ae2f0
SHA1e101411627a516e37051bda14a76c4bd7b377a9a
SHA25629427022faf4401de8b361a0a63813aacdc9e299e11569cc72b73ebb00d821e7
SHA512e8c42cedd316ce022c804e1c26649357e5dfe7d330b90f12c80bbfa369b53beca7fa6e9eb19fd06bab19636e0335cb5793b161da89d3f65aa0a580a2368bfc46
-
Filesize
1KB
MD58805fb5d1b60df8d01331eb3809121fa
SHA1ee86356548584ad3054fa7ecf99e86dc30bfce1d
SHA256035b5785da3c70c796d5f01dec2885944ec0e5a05a07ca9b60f3e989c936c692
SHA5127bf7e57b9c38ff4cc9e6c16b9fa3a86f2d62b984dad827053df55eac23bce2f6b8fb773d2f47e1ba74f203ee6e2026ff65726f7346d269cf70b33b1449d9b179
-
Filesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize
170KB
MD5720154f34d46169913b631c7eb087d4b
SHA1d5d484293c2bb3f3f8a12eaf50b51eef54c72734
SHA2566b93a6c34b49eca55ea0fedd49f76c53369d65e4651af71c15440c9293d924a5
SHA512c4a8f2a81ca3a0030c6d0f4d90c34950067792cbcf6fe1b3a9bd95b70ad8ac6b57d2c36e5a741e74083f23dfd2f500a9c9852f30a56b92974574ffaf17265f91
-
Filesize
320KB
MD51860cdd48aea9511bbd598c3d6e80ec2
SHA14d80fb389297d1b42330fc9cc043890b7de843ef
SHA256c72ac8cb5ac91290357dd9c931f52757bd17d6792cc0b6cda581e4f97d72f035
SHA51264718fa5631271dd34463b67d7c95c87ffa80f914f61d2dfd2b33262ad9e7aaa8e3ba5ec6b53e39c8eea8a8baa0b0364dfa0954d1192ab483e07dc1f8a5485e5
-
Filesize
12KB
MD5daff8fc6221dea7c65bcf79c722d4a51
SHA13a58dd50f785e8e3e9cbfcd84b0b901812039fab
SHA2566f13d47ab8cbfc329d48fccd043da7407351878af1818eb1001560f7ab5db55a
SHA512ce131a7c2a0da3436e8296577ca90357931cd6d0338bad0ce7c7de8de1872c30d8f073187d4ec862cb1881d902e7511615cb766e3e725a2f7847f4406ac373c1
-
Filesize
24KB
MD547259151c6150629d583c62e3972db99
SHA1fd6b4e71b4b3ab2a4258aee52016a44c32b6874b
SHA256dc0d4afcfc4a0e7c863eef828c29e893beceabffecbff13d08a8c0ea56713993
SHA512fa0d84868ee6bbc20b7fe172269c21681694b1e528595d5163339dc0d46ca71780211aff04f2f1ba91544bf86a7ed20b0ae258ef2160848e7c52338f1b7c785b
-
Filesize
381B
MD52074ad66418fba4ca2d48fa9ffc62548
SHA19c43ed9713bb328d2d4c9dd9048461d90b50c924
SHA25606dfcb2670b18cfb095c8c69e4944421e119f3e9cf89997dced15db0a1f66667
SHA5120f4d85d06b2a7881c6db387fb3c286bd002e9c1fba2a0677473cb82e96674e4ce604163ed0b3a563b38a2742cf28dd82fc44e3da2bf6d0c2233edb096a2e1383
-
Filesize
381B
MD5cf2d5ea9d706360c38ddf3160419734a
SHA16c88cd0d7d70bf785bc1aa8df8c8fac83da076e7
SHA2560949455b51169414775f518c64fa2dd77ee1b9798edc66df58ab0a4cb1e1b82c
SHA5120131aa77499483a0837093603e3b727e494015c525d189ddfa02f2cc3520a119630b028b16b0f50416c43869b29c6bfdbe7abe49cabef0555622bfcd45f1752a
-
Filesize
142KB
MD5cbcc30d5c2bef49d406cdaf40d83291f
SHA11868b5d8a467aaa7b6199163bf4bae5cf1a00bc5
SHA256452a061b7b1c5fc98af54d81f672243ee4bd0eb27700254b660956f44808c093
SHA5128eea9e08771655abdc05b05f21423e5a5fd247d38b9ae7cb1941ba0850b8d48d52026e8f6be98eb2d549c80bff61d52311d47dcbbf6344107b926e868916d061
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
8.6MB
MD54cea17c844a02332a5c5710e5c0a85f1
SHA1606437280389be921c3da93b1fc45c04942dac6b
SHA256e00f30fbf89010df952f9ee593655c3f1ccd4dc5e6a6ad733d0c91c1266336db
SHA5129fe35b63ad3aa57be8ce6b35b63ffad25f281fe60ff129d602d80841bbcbfffc794d6bf70c1cfed79b00f41ad2f34a41a5b69a563e90c0a02595edcc4e401f0f
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
240KB
-
Filesize
2.0MB
-
Filesize
1.3MB
-
Filesize
80KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
8.6MB
-
Filesize
584KB