Analysis
-
max time kernel
151s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
08-03-2024 01:23
Static task
static1
Behavioral task
behavioral1
Sample
6538f3adde737517d34a8746dadeaff7.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6538f3adde737517d34a8746dadeaff7.exe
Resource
win10v2004-20240226-en
General
-
Target
6538f3adde737517d34a8746dadeaff7.exe
-
Size
192KB
-
MD5
6538f3adde737517d34a8746dadeaff7
-
SHA1
34795b3256e1c1cc3f214b77a65b97e259844822
-
SHA256
7ed34929829fd3d141c5c67d69906b1264fb982f4b88d7db033ddd0269d5d8a2
-
SHA512
0926e6dc2274144ca76f5e3e6c315ab24c50e9e52cfc8a1c14a7fd4dce551d0ef974713f19afc8f325a6db52c8209b311d13dbc4b526f5f28b4501887a1e9822
-
SSDEEP
1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o4l1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81962FF1-09AF-4fd3-A82C-B4A554DF8BE3} | 6538f3adde737517d34a8746dadeaff7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6} | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}\stubpath = "C:\\Windows\\{9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe" | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D714C5EE-65CF-4fff-B46C-7F50977A1ECE}\stubpath = "C:\\Windows\\{D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe" | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A18332-B12E-413f-916D-AF45474EAE4D} | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A83AF555-2F0E-4a19-998D-62CC51471A15}\stubpath = "C:\\Windows\\{A83AF555-2F0E-4a19-998D-62CC51471A15}.exe" | {F665B63C-3424-442f-8629-9DBEA8E0D85A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBA0BECC-660A-41c9-88C7-6AA625037830} | {A83AF555-2F0E-4a19-998D-62CC51471A15}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}\stubpath = "C:\\Windows\\{81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe" | 6538f3adde737517d34a8746dadeaff7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D714C5EE-65CF-4fff-B46C-7F50977A1ECE} | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A070C967-6747-4db1-B99C-897F3889119A} | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F665B63C-3424-442f-8629-9DBEA8E0D85A} | {A070C967-6747-4db1-B99C-897F3889119A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DF39A86-C685-4972-A643-72197C0C5AE0}\stubpath = "C:\\Windows\\{8DF39A86-C685-4972-A643-72197C0C5AE0}.exe" | {EBA0BECC-660A-41c9-88C7-6AA625037830}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CF71C1B-D84A-4a87-A95B-B1260E4A964D} | {8DF39A86-C685-4972-A643-72197C0C5AE0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3484F4E6-052E-4f7c-889D-E6137F872E93} | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A18332-B12E-413f-916D-AF45474EAE4D}\stubpath = "C:\\Windows\\{04A18332-B12E-413f-916D-AF45474EAE4D}.exe" | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AA15387-7A76-41ba-8B20-0453263D9FFB} | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A070C967-6747-4db1-B99C-897F3889119A}\stubpath = "C:\\Windows\\{A070C967-6747-4db1-B99C-897F3889119A}.exe" | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F665B63C-3424-442f-8629-9DBEA8E0D85A}\stubpath = "C:\\Windows\\{F665B63C-3424-442f-8629-9DBEA8E0D85A}.exe" | {A070C967-6747-4db1-B99C-897F3889119A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBA0BECC-660A-41c9-88C7-6AA625037830}\stubpath = "C:\\Windows\\{EBA0BECC-660A-41c9-88C7-6AA625037830}.exe" | {A83AF555-2F0E-4a19-998D-62CC51471A15}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3484F4E6-052E-4f7c-889D-E6137F872E93}\stubpath = "C:\\Windows\\{3484F4E6-052E-4f7c-889D-E6137F872E93}.exe" | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AA15387-7A76-41ba-8B20-0453263D9FFB}\stubpath = "C:\\Windows\\{3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe" | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A83AF555-2F0E-4a19-998D-62CC51471A15} | {F665B63C-3424-442f-8629-9DBEA8E0D85A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DF39A86-C685-4972-A643-72197C0C5AE0} | {EBA0BECC-660A-41c9-88C7-6AA625037830}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CF71C1B-D84A-4a87-A95B-B1260E4A964D}\stubpath = "C:\\Windows\\{0CF71C1B-D84A-4a87-A95B-B1260E4A964D}.exe" | {8DF39A86-C685-4972-A643-72197C0C5AE0}.exe
-
Deletes itself 1 IoCs
pid | Process
2552 | cmd.exe
-
Executes dropped EXE 12 IoCs
pid | Process
1228 | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe
2536 | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe
2164 | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe
1948 | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe
2908 | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe
1472 | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe
2668 | {A070C967-6747-4db1-B99C-897F3889119A}.exe
1656 | {F665B63C-3424-442f-8629-9DBEA8E0D85A}.exe
1396 | {A83AF555-2F0E-4a19-998D-62CC51471A15}.exe
1808 | {EBA0BECC-660A-41c9-88C7-6AA625037830}.exe
1876 | {8DF39A86-C685-4972-A643-72197C0C5AE0}.exe
436 | {0CF71C1B-D84A-4a87-A95B-B1260E4A964D}.exe
-
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\{3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe
File created | C:\Windows\{F665B63C-3424-442f-8629-9DBEA8E0D85A}.exe | {A070C967-6747-4db1-B99C-897F3889119A}.exe
File created | C:\Windows\{A83AF555-2F0E-4a19-998D-62CC51471A15}.exe | {F665B63C-3424-442f-8629-9DBEA8E0D85A}.exe
File created | C:\Windows\{8DF39A86-C685-4972-A643-72197C0C5AE0}.exe | {EBA0BECC-660A-41c9-88C7-6AA625037830}.exe
File created | C:\Windows\{D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe
File created | C:\Windows\{9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe
File created | C:\Windows\{3484F4E6-052E-4f7c-889D-E6137F872E93}.exe | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe
File created | C:\Windows\{04A18332-B12E-413f-916D-AF45474EAE4D}.exe | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe
File created | C:\Windows\{A070C967-6747-4db1-B99C-897F3889119A}.exe | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe
File created | C:\Windows\{EBA0BECC-660A-41c9-88C7-6AA625037830}.exe | {A83AF555-2F0E-4a19-998D-62CC51471A15}.exe
File created | C:\Windows\{0CF71C1B-D84A-4a87-A95B-B1260E4A964D}.exe | {8DF39A86-C685-4972-A643-72197C0C5AE0}.exe
File created | C:\Windows\{81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe | 6538f3adde737517d34a8746dadeaff7.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1764 | 6538f3adde737517d34a8746dadeaff7.exe
Token: SeIncBasePriorityPrivilege | 1228 | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe
Token: SeIncBasePriorityPrivilege | 2536 | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe
Token: SeIncBasePriorityPrivilege | 2164 | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe
Token: SeIncBasePriorityPrivilege | 1948 | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe
Token: SeIncBasePriorityPrivilege | 2908 | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe
Token: SeIncBasePriorityPrivilege | 1472 | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe
Token: SeIncBasePriorityPrivilege | 2668 | {A070C967-6747-4db1-B99C-897F3889119A}.exe
Token: SeIncBasePriorityPrivilege | 1656 | {F665B63C-3424-442f-8629-9DBEA8E0D85A}.exe
Token: SeIncBasePriorityPrivilege | 1396 | {A83AF555-2F0E-4a19-998D-62CC51471A15}.exe
Token: SeIncBasePriorityPrivilege | 1808 | {EBA0BECC-660A-41c9-88C7-6AA625037830}.exe
Token: SeIncBasePriorityPrivilege | 1876 | {8DF39A86-C685-4972-A643-72197C0C5AE0}.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1764 wrote to memory of 1228 | 1764 | 6538f3adde737517d34a8746dadeaff7.exe | 28
PID 1764 wrote to memory of 1228 | 1764 | 6538f3adde737517d34a8746dadeaff7.exe | 28
PID 1764 wrote to memory of 1228 | 1764 | 6538f3adde737517d34a8746dadeaff7.exe | 28
PID 1764 wrote to memory of 1228 | 1764 | 6538f3adde737517d34a8746dadeaff7.exe | 28
PID 1764 wrote to memory of 2552 | 1764 | 6538f3adde737517d34a8746dadeaff7.exe | 29
PID 1764 wrote to memory of 2552 | 1764 | 6538f3adde737517d34a8746dadeaff7.exe | 29
PID 1764 wrote to memory of 2552 | 1764 | 6538f3adde737517d34a8746dadeaff7.exe | 29
PID 1764 wrote to memory of 2552 | 1764 | 6538f3adde737517d34a8746dadeaff7.exe | 29
PID 1228 wrote to memory of 2536 | 1228 | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe | 30
PID 1228 wrote to memory of 2536 | 1228 | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe | 30
PID 1228 wrote to memory of 2536 | 1228 | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe | 30
PID 1228 wrote to memory of 2536 | 1228 | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe | 30
PID 1228 wrote to memory of 2968 | 1228 | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe | 31
PID 1228 wrote to memory of 2968 | 1228 | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe | 31
PID 1228 wrote to memory of 2968 | 1228 | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe | 31
PID 1228 wrote to memory of 2968 | 1228 | {81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe | 31
PID 2536 wrote to memory of 2164 | 2536 | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe | 34
PID 2536 wrote to memory of 2164 | 2536 | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe | 34
PID 2536 wrote to memory of 2164 | 2536 | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe | 34
PID 2536 wrote to memory of 2164 | 2536 | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe | 34
PID 2536 wrote to memory of 2488 | 2536 | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe | 35
PID 2536 wrote to memory of 2488 | 2536 | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe | 35
PID 2536 wrote to memory of 2488 | 2536 | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe | 35
PID 2536 wrote to memory of 2488 | 2536 | {9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe | 35
PID 2164 wrote to memory of 1948 | 2164 | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe | 36
PID 2164 wrote to memory of 1948 | 2164 | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe | 36
PID 2164 wrote to memory of 1948 | 2164 | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe | 36
PID 2164 wrote to memory of 1948 | 2164 | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe | 36
PID 2164 wrote to memory of 2696 | 2164 | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe | 37
PID 2164 wrote to memory of 2696 | 2164 | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe | 37
PID 2164 wrote to memory of 2696 | 2164 | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe | 37
PID 2164 wrote to memory of 2696 | 2164 | {3484F4E6-052E-4f7c-889D-E6137F872E93}.exe | 37
PID 1948 wrote to memory of 2908 | 1948 | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe | 38
PID 1948 wrote to memory of 2908 | 1948 | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe | 38
PID 1948 wrote to memory of 2908 | 1948 | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe | 38
PID 1948 wrote to memory of 2908 | 1948 | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe | 38
PID 1948 wrote to memory of 2892 | 1948 | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe | 39
PID 1948 wrote to memory of 2892 | 1948 | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe | 39
PID 1948 wrote to memory of 2892 | 1948 | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe | 39
PID 1948 wrote to memory of 2892 | 1948 | {D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe | 39
PID 2908 wrote to memory of 1472 | 2908 | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe | 40
PID 2908 wrote to memory of 1472 | 2908 | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe | 40
PID 2908 wrote to memory of 1472 | 2908 | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe | 40
PID 2908 wrote to memory of 1472 | 2908 | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe | 40
PID 2908 wrote to memory of 2680 | 2908 | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe | 41
PID 2908 wrote to memory of 2680 | 2908 | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe | 41
PID 2908 wrote to memory of 2680 | 2908 | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe | 41
PID 2908 wrote to memory of 2680 | 2908 | {04A18332-B12E-413f-916D-AF45474EAE4D}.exe | 41
PID 1472 wrote to memory of 2668 | 1472 | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe | 42
PID 1472 wrote to memory of 2668 | 1472 | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe | 42
PID 1472 wrote to memory of 2668 | 1472 | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe | 42
PID 1472 wrote to memory of 2668 | 1472 | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe | 42
PID 1472 wrote to memory of 2820 | 1472 | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe | 43
PID 1472 wrote to memory of 2820 | 1472 | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe | 43
PID 1472 wrote to memory of 2820 | 1472 | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe | 43
PID 1472 wrote to memory of 2820 | 1472 | {3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe | 43
PID 2668 wrote to memory of 1656 | 2668 | {A070C967-6747-4db1-B99C-897F3889119A}.exe | 44
PID 2668 wrote to memory of 1656 | 2668 | {A070C967-6747-4db1-B99C-897F3889119A}.exe | 44
PID 2668 wrote to memory of 1656 | 2668 | {A070C967-6747-4db1-B99C-897F3889119A}.exe | 44
PID 2668 wrote to memory of 1656 | 2668 | {A070C967-6747-4db1-B99C-897F3889119A}.exe | 44
PID 2668 wrote to memory of 2848 | 2668 | {A070C967-6747-4db1-B99C-897F3889119A}.exe | 45
PID 2668 wrote to memory of 2848 | 2668 | {A070C967-6747-4db1-B99C-897F3889119A}.exe | 45
PID 2668 wrote to memory of 2848 | 2668 | {A070C967-6747-4db1-B99C-897F3889119A}.exe | 45
PID 2668 wrote to memory of 2848 | 2668 | {A070C967-6747-4db1-B99C-897F3889119A}.exe | 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6538f3adde737517d34a8746dadeaff7.exe | "C:\Users\Admin\AppData\Local\Temp\6538f3adde737517d34a8746dadeaff7.exe" | 1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\{81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe | C:\Windows\{81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe | 2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\{9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe | C:\Windows\{9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe | 3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\{3484F4E6-052E-4f7c-889D-E6137F872E93}.exe | C:\Windows\{3484F4E6-052E-4f7c-889D-E6137F872E93}.exe | 4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\{D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe | C:\Windows\{D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe | 5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\{04A18332-B12E-413f-916D-AF45474EAE4D}.exe | C:\Windows\{04A18332-B12E-413f-916D-AF45474EAE4D}.exe | 6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\{3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe | C:\Windows\{3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe | 7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\{A070C967-6747-4db1-B99C-897F3889119A}.exe | C:\Windows\{A070C967-6747-4db1-B99C-897F3889119A}.exe | 8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\{F665B63C-3424-442f-8629-9DBEA8E0D85A}.exe | C:\Windows\{F665B63C-3424-442f-8629-9DBEA8E0D85A}.exe | 9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1656 -
C:\Windows\{A83AF555-2F0E-4a19-998D-62CC51471A15}.exe | C:\Windows\{A83AF555-2F0E-4a19-998D-62CC51471A15}.exe | 10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1396 -
C:\Windows\{EBA0BECC-660A-41c9-88C7-6AA625037830}.exe | C:\Windows\{EBA0BECC-660A-41c9-88C7-6AA625037830}.exe | 11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
C:\Windows\{8DF39A86-C685-4972-A643-72197C0C5AE0}.exe | C:\Windows\{8DF39A86-C685-4972-A643-72197C0C5AE0}.exe | 12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1876 -
C:\Windows\{0CF71C1B-D84A-4a87-A95B-B1260E4A964D}.exe | C:\Windows\{0CF71C1B-D84A-4a87-A95B-B1260E4A964D}.exe | 13⤵
- Executes dropped EXE
PID:436
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8DF39~1.EXE > nul | 13⤵ | PID:2040
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{EBA0B~1.EXE > nul | 12⤵ | PID:1944
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A83AF~1.EXE > nul | 11⤵ | PID:2996
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F665B~1.EXE > nul | 10⤵ | PID:876
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A070C~1.EXE > nul | 9⤵ | PID:2848
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3AA15~1.EXE > nul | 8⤵ | PID:2820
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{04A18~1.EXE > nul | 7⤵ | PID:2680
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D714C~1.EXE > nul | 6⤵ | PID:2892
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{3484F~1.EXE > nul | 5⤵ | PID:2696
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9D7B5~1.EXE > nul | 4⤵ | PID:2488
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{81962~1.EXE > nul | 3⤵ | PID:2968
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6538F3~1.EXE > nul | 2⤵
- Deletes itself
PID:2552
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
192KB
MD5 ee0653c76ef601eb39cba569f46368a4
SHA1 ffba063e6ea2d90b8ef309b3f283b03146c878a6
SHA256 5269ca7fcba81c50aeebd168e48d1de0bc57692c0b14f4bfc7edf5d3729d86b4
SHA512 db23eecaa6243b8164d263cd0f793a08d54e841c18177c020b10ea210951c29b4cbc774a61b788bd7338f0b07a7cb269d748ea92bba810a1f0f31d417e8c60d0
-
Filesize
192KB
MD5 52ef1a7d74d6c503ac8716220e293817
SHA1 6bda25044c240250e1a707762a44a2fea2f077ac
SHA256 6a3883bc5849ad7a0a610e2d0d7e1e035c90779645cf867857186e8bdcc695ca
SHA512 31ee3d492f106b71a3e6d1f1488ea5ae0415b2565e8f3d88c6c42ce17ceb5d4e02c9b01e8cfffd9f0c28767a5acbf0568d0c68676ed40bd89eb77d1d4efb1e39
-
Filesize
192KB
MD5 e9d6e7a7196e6c0d20cb469dc1253c79
SHA1 7f113f6999972b9014d139fefc5a23ef07bc2ad0
SHA256 3a711faa0a5749b95397963b80c1106882df7e9f8799c0c52fa8ccf317bff2af
SHA512 68626332cc6191194f8248044f7defa22d28cf307214932fe813ef0b256886ead54fd888cadcf73a395acee53394a449f714327b91dc882cc31b0eaec654eb6a
-
Filesize
192KB
MD5 d8455c3fb1dda79ba8fe62a2d304a2ba
SHA1 5980196c9e247f45205812b1fc396941e329ac50
SHA256 8383afeaa95c284d93e0772d59db599bf1d10e35e420c7c3380908d1dabd338b
SHA512 4326f327201f2096459b7f1e2f83d84673aa305b32385ef7b1d14f8c8dc6a6b0f67b12f6b58b06fba23b871abd8a60e095363d2b44e2facbdeabebe710f22d8e
-
Filesize
192KB
MD5 9e7d8cf155d5e5010c02cbad2c963de1
SHA1 8daf9bed78c08527fb2a602e2d9c97fbad384053
SHA256 57b43fbf9259f2b0557624ddc25261a2d3d6b6f54bc0515e5a399872a2f13421
SHA512 3f1d6c4faca2d3575f017d2f95547ca643345805312174c8b762b8fb1c31ea0dd8e60793f77cd642adf4eced32e38efbb93ac55db2d56c9881a570d8219fcd01
-
Filesize
192KB
MD5 c9a5c34e4993ad4123a99f9a9841785e
SHA1 c8fcce0589671cf334fbe576882a3198c34a1df4
SHA256 6a07828bc03afd18cdbbd8f90cfce1dd7e02be443ecc59104c0fe61b45bf83bf
SHA512 024ab8f7e254c7da091fe3247d4044be93fab9eb2f360a1f4bf6bbf2b60a52edeb30a0bd95a7a80fbcee68c26de5ebe1cd1fe0ddf9acb8b8e9a64d4444c70e5c
-
Filesize
192KB
MD5 b901aad1c64af513ccdde3c59a8a4e22
SHA1 4c40cf77a2c4d1a5a15e83294d5d672dd8ec5a7b
SHA256 a4de343aa17ba72e4d30aa5033c76669ccbb81332f25dd59573a77490db3753a
SHA512 6a7bc8e340891cb2159e5b97e1261516a6fc5929a15cc4f058818bdc34156eb420e46d38973a069f711bfbfba4135dd0302d85a9e2039d885ce4d25f3e31d7a6
-
Filesize
192KB
MD5 3f2d450997a041613ca56a59781a0054
SHA1 ed63bcabbb7a9b8b00db493349ca908c423965a8
SHA256 50e0afda65998bcee3c45b197da441c3c4a2097435a36e12baf028daa180d905
SHA512 2cb524e2d8ec959b1305c95374378ae531196caf7a517a6a829600c373bb858639c636e8fab7b13201af78f54a3b1e145f6ac6e61faaf9d2edc753632ed0777c
-
Filesize
192KB
MD5 4c81aad96152ccbe0c927a6025eac57e
SHA1 142fa2245da6572f369429143cb55df087bbac84
SHA256 1b3177e5185abfdf3d7784faac82249eef58479b7b1198cfd332263f72a64e68
SHA512 841279ba2906504f66c7002949349f37d50b076c4350158ab52fa1c419d56cb7389f7b55a1c6c397083418342f7f210b81f5b83d0e49725bc51a0c8bf391e73a
-
Filesize
192KB
MD5 d8561d45f46d5fd0ad86fc4be0ef61dd
SHA1 8c7d98452e95efc32f23688f4e84c53f74f62019
SHA256 fc365b23ebe26889c0c1560faf11477a09dbdf11fc94eb3324b3e0efaa244b47
SHA512 f0074e9f91fbdd05279ff8fd74d956eb182e7a9995a82eb47748c70a8abceb64bdad696a387bbc711916cdd4e3bca6b3e585064b29a8c8f6713f721a8232b3ba
-
Filesize
192KB
MD5 aa6560e57b89f76cf92cfa05a7f90c54
SHA1 f6dc1c5603e163015f0537a53193236208168ed1
SHA256 673506d9b5066d12bd34978a83a7b948d29c73ff226fe3a74a35bc87e0ead3c9
SHA512 32fcbcd6dc4081dfbfa5ee58f768224e611b8d5e0268b1bc2dd6c42c5392c0ab1298265b23ee8fb6560f99d4eee6055c5cefcae466118fd1e7762fc7dc6426c3
-
Filesize
192KB
MD5 fad479a0a82b05d8ef395778a655aa40
SHA1 11aa740110b77c560088377739f196e01cdfd597
SHA256 01cbd471381b74bf98741392f7efa932e29f26920de5b5e8c2de4d15c6ef22fb
SHA512 d176a63e470564602979e255395fbff8c4bb68eb8940ff9ce991dc69c9aa23d3667cb8e0dc46b98be1f727f756ff00c3bf9b9734606ce7a58c39e5288999e60d