Analysis

max time kernel: 104s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2024 16:39

Static task: static1
Behavioral task: behavioral1
  Sample: 41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe
  Resource: win10v2004-20241007-en

General

Target: 41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe
Size: 398KB
MD5: 7adcc540704242a9785bacd4ee5d51f0
SHA1: 79db8040b844aa2c59a8941c6493424bfcb20399
SHA256: 41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380
SHA512: 6f609e4246e8c26b31b5de3b1575952724f7a8b6f7eacb610fea5c66d288cec511ab70c20bc50c268db163b1b7159694907f3356b38e04ee23b20d9874f9074f
SSDEEP: 6144:gDCwfG1bnxLERR9sadDCwfG1bnxLERR9saco:g72bntEL9/d72bntEL9/co
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (hosts.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (avscan.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (hosts.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (avscan.exe)
Adds policy Run key to start application (2 TTPs, 6 IoCs)
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (WScript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GYHASOLS = "W_X_C.bat" (WScript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (WScript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GYHASOLS = "W_X_C.bat" (WScript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (WScript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GYHASOLS = "W_X_C.bat" (WScript.exe)
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (cmd.exe)
Executes dropped EXE (6 IoCs)
Processes:
- PID 3124 avscan.exe
- PID 2780 avscan.exe
- PID 4328 hosts.exe
- PID 3996 hosts.exe
- PID 424 avscan.exe
- PID 4444 hosts.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
Processes:
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager (REG.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc (REG.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys (REG.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (REG.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (REG.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys (REG.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (avscan.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (hosts.exe)
Drops file in Windows directory (5 IoCs)
Processes:
- File opened for modification C:\Windows\hosts.exe (avscan.exe)
- File opened for modification C:\Windows\hosts.exe (hosts.exe)
- File created C:\windows\W_X_C.vbs (41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe)
- File created \??\c:\windows\W_X_C.bat (41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe)
- File opened for modification C:\Windows\hosts.exe (41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 20 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, recorded 20 times, by (in order): hosts.exe, REG.exe, REG.exe, REG.exe, cmd.exe, cmd.exe, avscan.exe, WScript.exe, REG.exe, REG.exe, 41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe, avscan.exe, avscan.exe, hosts.exe, hosts.exe, WScript.exe, cmd.exe, REG.exe, WScript.exe, REG.exe
Modifies registry class (4 IoCs)
Processes:
- Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings (cmd.exe)
- Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings (41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe)
- Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings (cmd.exe)
- Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings (cmd.exe)
Modifies registry key (1 TTPs, 7 IoCs)
Processes:
- PID 948 REG.exe
- PID 4856 REG.exe
- PID 1684 REG.exe
- PID 2184 REG.exe
- PID 264 REG.exe
- PID 4516 REG.exe
- PID 404 REG.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
- PID 3124 avscan.exe
- PID 4328 hosts.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
- PID 2444 41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe
- PID 3124 avscan.exe
- PID 2780 avscan.exe
- PID 4328 hosts.exe
- PID 3996 hosts.exe
- PID 424 avscan.exe
- PID 4444 hosts.exe
Suspicious use of WriteProcessMemory (57 IoCs)
Processes (each write below was recorded three times, 57 entries in total):
- PID 2444 (41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe) wrote to memory of PID 264 (REG.exe)
- PID 2444 (41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe) wrote to memory of PID 3124 (avscan.exe)
- PID 3124 (avscan.exe) wrote to memory of PID 2780 (avscan.exe)
- PID 3124 (avscan.exe) wrote to memory of PID 2760 (cmd.exe)
- PID 2444 (41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe) wrote to memory of PID 3932 (cmd.exe)
- PID 2760 (cmd.exe) wrote to memory of PID 4328 (hosts.exe)
- PID 3932 (cmd.exe) wrote to memory of PID 3996 (hosts.exe)
- PID 4328 (hosts.exe) wrote to memory of PID 424 (avscan.exe)
- PID 4328 (hosts.exe) wrote to memory of PID 220 (cmd.exe)
- PID 2760 (cmd.exe) wrote to memory of PID 868 (WScript.exe)
- PID 3932 (cmd.exe) wrote to memory of PID 4128 (WScript.exe)
- PID 220 (cmd.exe) wrote to memory of PID 4444 (hosts.exe)
- PID 220 (cmd.exe) wrote to memory of PID 948 (WScript.exe)
- PID 3124 (avscan.exe) wrote to memory of PID 4516 (REG.exe)
- PID 4328 (hosts.exe) wrote to memory of PID 404 (REG.exe)
- PID 3124 (avscan.exe) wrote to memory of PID 948 (REG.exe)
- PID 4328 (hosts.exe) wrote to memory of PID 4856 (REG.exe)
- PID 3124 (avscan.exe) wrote to memory of PID 1684 (REG.exe)
- PID 4328 (hosts.exe) wrote to memory of PID 2184 (REG.exe)
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41cec026ceea0d0c30c000ed06e6fcb70fa453028c89e4f8d9660ee5a799f380N.exe"
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2444

  [level 2] C:\Windows\SysWOW64\REG.exe
    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    - Impair Defenses: Safe Mode Boot
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID: 264

  [level 2] C:\Users\Admin\AppData\Local\Temp\avscan.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3124

    [level 3] C:\Users\Admin\AppData\Local\Temp\avscan.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2780

    [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 2760

      [level 4] C:\windows\hosts.exe
        Command line: C:\windows\hosts.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4328

        [level 5] C:\Users\Admin\AppData\Local\Temp\avscan.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 424

        [level 5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
          - Checks computer location settings
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          PID: 220

          [level 6] C:\windows\hosts.exe
            Command line: C:\windows\hosts.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID: 4444

          [level 6] C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            - Adds policy Run key to start application
            - System Location Discovery: System Language Discovery
            PID: 948

        [level 5] C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 404

        [level 5] C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 4856

        [level 5] C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 2184

      [level 4] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        - Adds policy Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 868

    [level 3] C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 4516

    [level 3] C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 948

    [level 3] C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 1684

  [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3932

    [level 3] C:\windows\hosts.exe
      Command line: C:\windows\hosts.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 3996

    [level 3] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      - Adds policy Run key to start application
      - System Location Discovery: System Language Discovery
      PID: 4128

[level 1] C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4780
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (2)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (1)
    - Safe Mode Boot (1)
  - Modify Registry (5)
Downloads