2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Size

4.1MB
MD5

a785432652389c62cd64eb86e75d0770
SHA1

488cb0811b8b864c86d4b2de185e5881b6da0819
SHA256

2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0
SHA512

7daf47e0920f88e0de3f57b733c4ac9e7bdb52fe7d2bd20dd72517a2c3478718ad458b46eb19f223dc8779ecaf8282a2110ff6fc7eb31e3660e733de54aa6e65
SSDEEP

49152:FZVu5f+7Ij5OPY9+Zj7+/V7ct33Cefih+1X2EQ4JN/8rL:jcF+0tM+2tnCefisjQ4JBw

Score

6^/10

defense_evasion discovery

Malware Config

Signatures

Indicator Removal: Clear Persistence 1 TTPs 42 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\groove.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanost.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxp.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpreview.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstore.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ose.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpst.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\accicons.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstordb.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onelev.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outlook.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cnfnot32.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dw20.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv .exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infopath.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwtrig20.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ois.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe\debugger	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dkjkgbbld	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
Token: SeDebugPrivilege	2648	2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe

C:\Users\Admin\AppData\Local\Temp\2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe
"C:\Users\Admin\AppData\Local\Temp\2b6f33a2a44c2e77d8c312d891e7737078dd59854a6b1ddb40a8e4d472b0f6e0.exe"
1⤵
- Indicator Removal: Clear Persistence
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\dkjkgbbld

Filesize
206B

MD5
948fa97d70082719857298dbc41bcf6b

SHA1
43bc0b900c4ee2dc36b63635d8f15b860580e90b

SHA256
9e1788ca3feb67fa3b7d2b0e0d73e881f0a93f5d7682d68e0b15f1172d313155

SHA512
bd8be88cdc39cae9f3ed42df17b4c43ed095fffe03bc620ca76d088d75f035105f087fd41e97500836eec0bb3203d678e196d9bcb87932e49d15b97ac718a90c

Download Submit
C:\Windows\dkjkgbbld

Filesize
1KB

MD5
b321406a69703583a6d674d5ecc4fd80

SHA1
b91a14568582b36a50feed6680da4f8bedcd939b

SHA256
7b685d5f7b7952fd1763ad4f68fec53c64203cddb3b2b2f250629de09b87a6b7

SHA512
a539e1c889d3ec050de8f8a64647ca925ac01e1d23802f296beb4bc952399f8d702dbb3ecbb58540e6a49e7e79edb145858b77828880c1ff0df027d04eb19c2e

Download Submit
C:\Windows\dkjkgbbld

Filesize
1KB

MD5
35bd4940812be064b267150c17cd63bc

SHA1
6245b1fac0ad0680bd7ed3c25ee0969727723cdf

SHA256
7a5e18757cafc6ce9fcc825162009cafa0751521e36d8cb2d974271a787f6ac5

SHA512
4ce1a2cae4c57ba7848068dd7ced2bbd89b290f4fbb90e6758894fda8751388515e736c804ea1f4934f47bdca0437a4ff9231a2cb852bd9e8bd80727bda73a06

Download Submit
C:\Windows\dkjkgbbld

Filesize
2KB

MD5
00066ce69373016fee926b8b5a1275aa

SHA1
342b9c1c62b4c8d6bf897bbf35d4461900a2ff14

SHA256
e46c20c999017746a8fa3f2b8a28ebe74a0dd103a4fc3ee3203fe70dbc6fbb06

SHA512
29f1c6afa935f168b8c083a4aba6e49b817f3efc7c5a9d676c3bde1bf3431e958cad70d08cb11e3ef70e7b0a38bda1f9ffc2445e6b1df9a2e7cf253db18f806b

Download Submit
C:\Windows\dkjkgbbld

Filesize
2KB

MD5
536023e29969a0fbd422a63e0fcaa592

SHA1
e6cea59490e2b407cd17fcbc9274a392ffcd2f38

SHA256
c89d1085fb88f1a1eec57764fcd404f7c7c0377b14135c0c485129b569e50cbd

SHA512
5f9271b6cf15c026f4759be7ad67f2653983d631b23a3d832b1ed322c0ecee832fa2360e77cf0a3f65532d3859ab8f804bd8f46a9cdda24b07592e049ad663c8

Download Submit
C:\Windows\dkjkgbbld

Filesize
2KB

MD5
3b044e7f3389225fc6bd8c27eebc377a

SHA1
a2cadef507b29931040999680696a90750de07a9

SHA256
1d8402f6a340f443f2c45b1fc94f4e14ac29ecbf3329d3d2607df605e8a57e54

SHA512
ecd62ef6b52f7273b7f4d8d1751c091ef740d90d82275a81882f11688844e671cd36a00c355cb3bec93ba952b37c677f0c512db43a5bbdd0df39154e6fd2902d

Download Submit
C:\Windows\dkjkgbbld

Filesize
52B

MD5
f855d6402836966c20f1c8cb4f1bd511

SHA1
9bb59f89f9632234aef0a8f21d167341043ae41c

SHA256
f2e05aca2c7a38cc07369a3542c93f53e06a6c44faa382fba660bff01e083610

SHA512
e501a5a34e231c597321deff133d49c53cc1a5bc4530e5509dc6c28c760e608aa84b632adf8aa87da51983fc43c3d5f542bd6edf3d655e45d729a2f502b4f28b

Download Submit
C:\Windows\dkjkgbbld

Filesize
416B

MD5
4167cb77ac1f5821a26d0f4d351a577b

SHA1
8ea6edd3cb1b0696cc03d4406fe07c7c6d7f17f1

SHA256
9dbb76b7ad77409ea2d6c743722875325299c13cc04e367dda8477821d1eadeb

SHA512
ceb2a95142c711609bc875f9e2216b55c1ee41b81d86dba18e3cb6263ea17c2dc81d7f2c483143f8b896d88d6cfaea18eda8ef583a2bac97e64f0ff6ec3980cf

Download Submit
C:\Windows\dkjkgbbld

Filesize
442B

MD5
9bfa0e9e1702d2035d6ab5feabdcc2b5

SHA1
ab1295c794e109c456979da75a61c189aa6c03ef

SHA256
d9db4af00010014699a32f87488f5da2ed011eaf82cdab5c082806ecc44510e6

SHA512
1c960a2e2666d0ca40446f6556f4d04421ab1d962fc1fff21498aafcf92edc0b073e706a45482129e83f98ff86a841582abd0ebdb57a8bf0c4dab29ea89f5db5

Download Submit
C:\Windows\dkjkgbbld

Filesize
521B

MD5
21b157a05575ada2ae3db23f2825c507

SHA1
34aaf8abf14fbfcf45d0795cae98646e9ec91919

SHA256
2f7cfdf3d24c2feef8115c0243c8e352d9decef9f1c5193397e511b5cef913e7

SHA512
15ded6e1db1b40d4c3a8ac3a61fc6c90c8b4f60e1e96292bc749304f53bb6411bfaf7f26b77a89d73675f1af94022deaeedd310566b8d8df5c3de969537ba56d

Download Submit
C:\Windows\dkjkgbbld

Filesize
559B

MD5
ea173703934293e953e1ae2c812706f6

SHA1
1c8c53dab8190ce1265ce1b3161b0075efc0cdaa

SHA256
568044941e5257d323b1b314b7234606e0e76fa9cf7e4dffe44ede7f15967204

SHA512
bff65952845d003576dfa274bdb63e323df3acc5cc4878de3051140864ab34e7f4225225241e4bdcb585f923bc0ffe788317df554336c3c0d4a6c71e08b89aa8

Download Submit
C:\Windows\dkjkgbbld

Filesize
573B

MD5
1e6767ab73f546700438e6f6f276182f

SHA1
b21aca4b98cad27f55c7b50657dbd0d3e0ceb686

SHA256
dbc9ee0e80521b7a3900b91d2f989cec66fab05c256156a4f00066255d14e3e1

SHA512
172ebfc006bba37b50c24de02b30930dc7cd8818d4f1f1a872f31ecb112fb036a2be0ed38a6c786015706d5729dbbeb0c938c71c8db94c9c580cd35cdf7afcd8

Download Submit
C:\Windows\dkjkgbbld

Filesize
104B

MD5
22f7eac47347025e49b9f47a5a042799

SHA1
0ebdd95d542583626ff0a30e9ddd716b9f96d124

SHA256
e2e15c8c34363ee0941fd25ba406d993500b627ad4b534e2844dbb9280c97a4c

SHA512
f8cfb848a8f13affd239bfe1fd4dc3cad8f3c43e4f527353cc3eb74824690e4a462e9e7c6e47a438a363e77c4744e16514dc3aa65604778b1714a7775d475de9

Download Submit
C:\Windows\dkjkgbbld

Filesize
626B

MD5
67f086dd8231181d2228d4173579d8fb

SHA1
fa25828bae47b091c1461ec433d86edd72f52c1a

SHA256
9f896bc19cc2e57e5a0b44a592cfb47f69fac156aeadada40d4a4262e7188bff

SHA512
a77afb6f4ffdd2ed5b57a009aeadc32cae8bfb568a31af87651891a77bfdcc52f24c3a2dd5553f44ac2bcbac44d22040e524c825bb64c4fb0cd944d6315d19ec

Download Submit
C:\Windows\dkjkgbbld

Filesize
678B

MD5
c3a3df3a26d2d8cd9e7fcf7abbbf12a1

SHA1
49bea156edfc4aa10863792fa136b0dc98e29efa

SHA256
4c146710299c681d07c8a5b6d9f7d4bac9d8cb7120e664b4ccd5594edb4e885b

SHA512
215c26715b1696f2c0394e6b37e5495c174d3f508667bb01b3a76541eb648a8cedb194dcbc13c53f062c847cb4245968e939c2a1c4e4f41ba40a6de6441fa4b5

Download Submit
C:\Windows\dkjkgbbld

Filesize
731B

MD5
9799aa0fd6298da7789beff0ea82c6fe

SHA1
3fc8b6ffa06260b2c75ae7af0f206254578975f8

SHA256
7ef3648a4fa3afa6ce5a5764b954ac958f2196c1b31545061774a10aa4785d1a

SHA512
8893f2abc62ce06b6356e240c1910f68da03e6e55dca348777156f61eb9f0987d176a6e33f5f446f5e49ee9508e6478e4ca31634dafc2438506ad80f893b2d42

Download Submit
C:\Windows\dkjkgbbld

Filesize
809B

MD5
80f305483f9eca53cedead4051bd6932

SHA1
bb25e0c81c7789af3b99b7507a2c5112968d6e78

SHA256
542c2809d02abe3a910c700b40d415b9889b70a4f2d149e9855638e40a411cac

SHA512
256f0946934c6f6d3aa0e351d4eb93a281fdb59f7884d462fd0a6376be7ea8e3079228c2e7aa6bc318fb85cd2ff741f0039a045a9bcbd2916d97a8d2d4c92a86

Download Submit
C:\Windows\dkjkgbbld

Filesize
836B

MD5
90fbb2fef2e2c0bc9b8163bd94714fd7

SHA1
37f70b89bbc9427bf0bc663591ed38f3e1d27891

SHA256
bc4b4bd9ddd4506ead10795610b1b3c725ab4814f3330ecad84634cfdd269552

SHA512
d35e8cec7338fd2c0d8d53f998c2710e707dafd1ffe80c08296d0aa5c0ca82b5e9f45b40c12c70d30cc32f2e79585eca93b5a0a0c27e0ec6b89cc115ebf555a8

Download Submit
C:\Windows\dkjkgbbld

Filesize
1KB

MD5
1145287441b66bfb71f915c5a02ff15a

SHA1
e024cd4fb9b13d8db831cb33aa93129474a7c69a

SHA256
23ed2e4aa89a7de3d670352957e06c40a494d91fbb3dbace547e7562a6235eae

SHA512
3b5f0661682afe317f5a5288284c0f16bd964b605827fd0d972491b1d74c854223ce6dc5e4f4e18f55800d2058c5549a37c8c8bb4504da0dcee583899fdeee00

Download Submit
C:\Windows\dkjkgbbld

Filesize
129B

MD5
3281bdaf9722622871cf2d2f8da4148d

SHA1
bfa613f04167d01b0b80760eecb1f02c28d56ece

SHA256
8e914a54821ed8cf147178a3388542790c48b6bd5ef7580be525766ed6455471

SHA512
d22852a10a58ba1070275015d24807b7ba21b1e0fff7d12437d6608bee38cca7f2276c44766c43a54907f45481b859bc30a08d44f798d3815f3232d11c477f95

Download Submit
C:\Windows\dkjkgbbld

Filesize
1KB

MD5
08c38fe021bfd3460a9b9aced278ed3c

SHA1
6f58d3be11653e90dc8afd74a9612958bf912e32

SHA256
5b20eb25920defb2c2e4537094ecbcbb5ac642686c36d8b668fec65f4681d46c

SHA512
d130787a8a63c3473b0f0e7bd722b406aa17bde57308e4856ac3c92d803d44816946a277bf2e8f3179203663ef2b1ecae8ecb172aaceb6c727e71bd82afa971e

Download Submit
C:\Windows\dkjkgbbld

Filesize
154B

MD5
a07b87403f5dae4bfdb9d4f472caa618

SHA1
bcf2caeb01010860fd9a8baff9fd85627b008823

SHA256
d5658782bd98388b5b67f529a77c6628d9a1a004c622cb85a8bb4e2c3919f836

SHA512
4b78c2e115267b0111fe9590a92a8f86e72855b3b95f2d4e051e42abb8515782f49f0059a1deeb5d20bb18c4c4ee8a10874a34bc6cad8982105ffc267d8d1ed4

Download Submit
C:\Windows\dkjkgbbld

Filesize
1KB

MD5
3e4c84d600c5137b1b3a5ef45cd521a5

SHA1
099691aca8f47fe23f6932b1318525a1bf308075

SHA256
7627a57feb01449616fbd5870b7982264804a82fba85a33fd2bb6f4588ed0bb9

SHA512
ecccf01d6dae5deebeffa5c46d64940d6b83c4c1f918c2eefb672c314e617295bfc68e480d797c6d18faa1179d0c7904ef83a8823165d31b93715877a7df8a43

Download Submit
C:\Windows\dkjkgbbld

Filesize
1KB

MD5
2bd893438a5897d078afaacbc8b6c369

SHA1
fedaff32662544329bcb35fb750db84f56f570c7

SHA256
e31c844675557d896af096508011e67b5daf090ec90024a26074ac6d686044c9

SHA512
4b0736d4493a7e93b10da5316a7ddfa7943f72a6ed889a81660f9f1a81b7299117e237a91845155c2cd027d3dfd2936ac744188b37cf467801685e8e1a9b01ff

Download Submit
C:\Windows\dkjkgbbld

Filesize
1KB

MD5
05c6a7e80467bbc4f7b9102bf629a8a5

SHA1
ef32137be2fd23ccec0bfcb0c9dc0774755e4177

SHA256
2cbef7dba01509887425e1b7efd87aebf406ddf2ca6679be14e34d8a3246078d

SHA512
cb18c9136859fa6ede8114a5a9dbb5a41ce64894c1d7fa7b9631c4a547ec5ad5b247a013cf4ef61fad63002e8e37abef9b603a96ac36d943ca29b939a577482c

Download Submit
C:\Windows\dkjkgbbld

Filesize
1KB

MD5
504b79d88dec9e6548f8c38764ab05fd

SHA1
f0da9a4b070e05aca6c3d7dadae77a2cf9077d8f

SHA256
e51f5256d1e66388bb4c17205f76d594dd1ce2152b4f1a9c375ad2ecdc3cfd17

SHA512
4407b885637ea1c876494ff392dc88de3c9656e87f8b34431d1f4bba8eb610bd86f47ebba28f7462b88e3018b707b7c7508440f9ed8803920b0156a5cde185da

Download Submit
C:\Windows\dkjkgbbld

Filesize
1KB

MD5
9f81e7878ac7abbb7cf44dbf04630439

SHA1
9baadd0bc7b684af2b3c032f9e2343a78be9d9f1

SHA256
8547a0adec71f1c175af844d54d2d0abcff5dbf5d98952691873a8c98cbb4e03

SHA512
b66f666c762f527f539cf36aa2b6a936be8c9f1ef9cb5aec48f8fa4880a719eb0c5cb6e7bc1165a7543960a62f0f714bc9de48f1339e5722b13d965e9e66019d

Download Submit
C:\Windows\dkjkgbbld

Filesize
1KB

MD5
b9e09e12b9337daadb9388eef37c17cf

SHA1
40017fd3535cc2ec654d111a1569ba34c4a2766b

SHA256
b25563274c9fb122e581ece357fec246478fe078964d9b9a3e5be99c4bc4f82a

SHA512
1751888aefa551561c9e04d1bf00ab9e8f1af0ea45fd4ab4a1d3f39c015064d1831cc0ff7af3948d17e91a8c3ffdacaed3425658267fd64bb22f057b31e4b1f6

Download Submit