Analysis
-
max time kernel
144s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
27/05/2024, 18:31
Static task
static1
Behavioral task
behavioral1
Sample
06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
Resource
win10v2004-20240508-en
General
-
Target
06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
-
Size
168KB
-
MD5
7d0cc5c7e32554c39bba1a4c4990f077
-
SHA1
5db293c74833611d361eab059423130434a3d248
-
SHA256
06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612
-
SHA512
c88b27df34a0583113fb39f0a548ecd90f1a548b5d3330f0add59c53624c4e404cb9b56e2e0895960a48206a6db6fee05869be6cdeab06237d48a7d972ef9a88
-
SSDEEP
192:pbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwYUr4/CFxyNhoy5t:pbLwOs8AHsc4sMfwhKQLroVr4/CFsrd
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11F3D28A-D8DD-4ec2-B187-35991BA6C152} | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}\stubpath = "C:\\Windows\\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe" | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}\stubpath = "C:\\Windows\\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe" | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BD92855-6260-465a-92E4-C08D9F837A87}\stubpath = "C:\\Windows\\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe" | {496BE844-EE47-450c-9802-4025A86DA30A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FA15A01-554C-4695-BB78-8D1AE9377523} | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}\stubpath = "C:\\Windows\\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe" | {8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081} | {C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FA15A01-554C-4695-BB78-8D1AE9377523}\stubpath = "C:\\Windows\\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe" | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F} | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857} | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}\stubpath = "C:\\Windows\\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe" | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD} | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{496BE844-EE47-450c-9802-4025A86DA30A} | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{496BE844-EE47-450c-9802-4025A86DA30A}\stubpath = "C:\\Windows\\{496BE844-EE47-450c-9802-4025A86DA30A}.exe" | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BD92855-6260-465a-92E4-C08D9F837A87} | {496BE844-EE47-450c-9802-4025A86DA30A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9} | {8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4} | {0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}\stubpath = "C:\\Windows\\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe" | {C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}\stubpath = "C:\\Windows\\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe" | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366} | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}\stubpath = "C:\\Windows\\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe" | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}\stubpath = "C:\\Windows\\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe" | {0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe
-
Deletes itself 1 IoCs
pid | Process
2356 | cmd.exe
-
Executes dropped EXE 11 IoCs
pid | Process
1976 | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe
2560 | {496BE844-EE47-450c-9802-4025A86DA30A}.exe
2588 | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe
2484 | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe
2020 | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe
804 | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe
2348 | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe
1420 | {8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe
1636 | {0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe
1392 | {C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe
324 | {1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe
-
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe
File created | C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe | {496BE844-EE47-450c-9802-4025A86DA30A}.exe
File created | C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe
File created | C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe
File created | C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe
File created | C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe | {8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe
File created | C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe | {0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe
File created | C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
File created | C:\Windows\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe | {C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe
File created | C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe
File created | C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2864 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
Token: SeIncBasePriorityPrivilege | 1976 | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe
Token: SeIncBasePriorityPrivilege | 2560 | {496BE844-EE47-450c-9802-4025A86DA30A}.exe
Token: SeIncBasePriorityPrivilege | 2588 | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe
Token: SeIncBasePriorityPrivilege | 2484 | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe
Token: SeIncBasePriorityPrivilege | 2020 | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe
Token: SeIncBasePriorityPrivilege | 804 | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe
Token: SeIncBasePriorityPrivilege | 2348 | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe
Token: SeIncBasePriorityPrivilege | 1420 | {8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe
Token: SeIncBasePriorityPrivilege | 1636 | {0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe
Token: SeIncBasePriorityPrivilege | 1392 | {C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2864 wrote to memory of 1976 | 2864 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 28
PID 2864 wrote to memory of 1976 | 2864 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 28
PID 2864 wrote to memory of 1976 | 2864 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 28
PID 2864 wrote to memory of 1976 | 2864 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 28
PID 2864 wrote to memory of 2356 | 2864 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 29
PID 2864 wrote to memory of 2356 | 2864 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 29
PID 2864 wrote to memory of 2356 | 2864 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 29
PID 2864 wrote to memory of 2356 | 2864 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 29
PID 1976 wrote to memory of 2560 | 1976 | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe | 30
PID 1976 wrote to memory of 2560 | 1976 | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe | 30
PID 1976 wrote to memory of 2560 | 1976 | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe | 30
PID 1976 wrote to memory of 2560 | 1976 | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe | 30
PID 1976 wrote to memory of 2656 | 1976 | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe | 31
PID 1976 wrote to memory of 2656 | 1976 | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe | 31
PID 1976 wrote to memory of 2656 | 1976 | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe | 31
PID 1976 wrote to memory of 2656 | 1976 | {8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe | 31
PID 2560 wrote to memory of 2588 | 2560 | {496BE844-EE47-450c-9802-4025A86DA30A}.exe | 32
PID 2560 wrote to memory of 2588 | 2560 | {496BE844-EE47-450c-9802-4025A86DA30A}.exe | 32
PID 2560 wrote to memory of 2588 | 2560 | {496BE844-EE47-450c-9802-4025A86DA30A}.exe | 32
PID 2560 wrote to memory of 2588 | 2560 | {496BE844-EE47-450c-9802-4025A86DA30A}.exe | 32
PID 2560 wrote to memory of 2732 | 2560 | {496BE844-EE47-450c-9802-4025A86DA30A}.exe | 33
PID 2560 wrote to memory of 2732 | 2560 | {496BE844-EE47-450c-9802-4025A86DA30A}.exe | 33
PID 2560 wrote to memory of 2732 | 2560 | {496BE844-EE47-450c-9802-4025A86DA30A}.exe | 33
PID 2560 wrote to memory of 2732 | 2560 | {496BE844-EE47-450c-9802-4025A86DA30A}.exe | 33
PID 2588 wrote to memory of 2484 | 2588 | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe | 36
PID 2588 wrote to memory of 2484 | 2588 | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe | 36
PID 2588 wrote to memory of 2484 | 2588 | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe | 36
PID 2588 wrote to memory of 2484 | 2588 | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe | 36
PID 2588 wrote to memory of 2624 | 2588 | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe | 37
PID 2588 wrote to memory of 2624 | 2588 | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe | 37
PID 2588 wrote to memory of 2624 | 2588 | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe | 37
PID 2588 wrote to memory of 2624 | 2588 | {5BD92855-6260-465a-92E4-C08D9F837A87}.exe | 37
PID 2484 wrote to memory of 2020 | 2484 | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe | 38
PID 2484 wrote to memory of 2020 | 2484 | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe | 38
PID 2484 wrote to memory of 2020 | 2484 | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe | 38
PID 2484 wrote to memory of 2020 | 2484 | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe | 38
PID 2484 wrote to memory of 2640 | 2484 | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe | 39
PID 2484 wrote to memory of 2640 | 2484 | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe | 39
PID 2484 wrote to memory of 2640 | 2484 | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe | 39
PID 2484 wrote to memory of 2640 | 2484 | {7FA15A01-554C-4695-BB78-8D1AE9377523}.exe | 39
PID 2020 wrote to memory of 804 | 2020 | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe | 40
PID 2020 wrote to memory of 804 | 2020 | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe | 40
PID 2020 wrote to memory of 804 | 2020 | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe | 40
PID 2020 wrote to memory of 804 | 2020 | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe | 40
PID 2020 wrote to memory of 3048 | 2020 | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe | 41
PID 2020 wrote to memory of 3048 | 2020 | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe | 41
PID 2020 wrote to memory of 3048 | 2020 | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe | 41
PID 2020 wrote to memory of 3048 | 2020 | {B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe | 41
PID 804 wrote to memory of 2348 | 804 | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe | 42
PID 804 wrote to memory of 2348 | 804 | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe | 42
PID 804 wrote to memory of 2348 | 804 | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe | 42
PID 804 wrote to memory of 2348 | 804 | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe | 42
PID 804 wrote to memory of 1760 | 804 | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe | 43
PID 804 wrote to memory of 1760 | 804 | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe | 43
PID 804 wrote to memory of 1760 | 804 | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe | 43
PID 804 wrote to memory of 1760 | 804 | {11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe | 43
PID 2348 wrote to memory of 1420 | 2348 | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe | 44
PID 2348 wrote to memory of 1420 | 2348 | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe | 44
PID 2348 wrote to memory of 1420 | 2348 | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe | 44
PID 2348 wrote to memory of 1420 | 2348 | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe | 44
PID 2348 wrote to memory of 1424 | 2348 | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe | 45
PID 2348 wrote to memory of 1424 | 2348 | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe | 45
PID 2348 wrote to memory of 1424 | 2348 | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe | 45
PID 2348 wrote to memory of 1424 | 2348 | {AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe | 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | "C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe" | 1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe | C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe | 2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe | C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe | 3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe | C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe | 4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe | C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe | 5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe | C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe | 6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe | C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe | 7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe | C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe | 8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe | C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe | 9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1420 -
C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe | C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe | 10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe | C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe | 11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1392 -
C:\Windows\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe | C:\Windows\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe | 12⤵
- Executes dropped EXE
PID:324
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C6D2B~1.EXE > nul | 12⤵
PID:1484
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0A3E0~1.EXE > nul | 11⤵
PID:2432
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8D9BA~1.EXE > nul | 10⤵
PID:2244
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AC022~1.EXE > nul | 9⤵
PID:1424
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{11F3D~1.EXE > nul | 8⤵
PID:1760
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B3C4E~1.EXE > nul | 7⤵
PID:3048
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7FA15~1.EXE > nul | 6⤵
PID:2640
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5BD92~1.EXE > nul | 5⤵
PID:2624
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{496BE~1.EXE > nul | 4⤵
PID:2732
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{8B4E2~1.EXE > nul | 3⤵
PID:2656
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\06FBFA~1.EXE > nul | 2⤵
- Deletes itself
PID:2356
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
168KB
MD5 151c1d780567a4e2023e90133a44a5a3
SHA1 f91121bf089140aa3801bdc939f64e02d48133ba
SHA256 062eea1d149e226a1cbeb76a9c6eb21d0b7ffb70efa9af1ae1d653bdd9c23072
SHA512 da75d209d184f167db6a9e4d8919c62a5f1b45b9fcbf7c8c858c9c5d716347c83f7935af5e267d9b7e1ca72fb656d65601391aaeafcb436d2e224062905d4fbe
-
Filesize
168KB
MD5 b9caf1df98d8d67726541c9037362720
SHA1 0d310719e981d067f6d2a4d232303a63f403913b
SHA256 527b4c580715a56768c19a883c2722d147fcc92bc6ed2ea6fcdb62d6836b65c9
SHA512 fa0467c5fecfd11b71b06d0d86b0ef078ab5f0a4c739fce194a7390d284a715a99d72d41f17894bdfb327f9fa624212e217bdd27a6ec9ce0639c4b836db241d3
-
Filesize
168KB
MD5 7e2b4a3c5fb022a5a927bafe7cb94700
SHA1 82af7f34e86febc71c20c5dcc2e97d0b70b311a4
SHA256 4ee60a7473ba929bdb4a24a165e53cca6155506844e0b1d5f64521ad1eff3dd6
SHA512 7d277554374c3ae8bf051452b682c4de91490c885edb9ce77962128377f7074337857df1f9077dbeeb5d147df570bcd15c1908d168d73b43e93e2f720c20b6f3
-
Filesize
168KB
MD5 5b13c233faf7e20eec8beb6e9dfebbcb
SHA1 533aa1825e278229de84e56b802dddf6ae6fe86e
SHA256 8bec9c978d7f3fc66a5c22e31abf79b5b439904168aad904f20bd27c9c5948e9
SHA512 30241c432c56b358ccdbf93a136bc99a2bc275236b89f18bf9b081055c8c0c55acc4f274d0b2622048537746691081d26aef7496f0a34e5f6f72929b1f65e4d8
-
Filesize
168KB
MD5 384fd64cd09db2c32b2e247a183167f9
SHA1 0fe4528ef8ff070218c198359ef42dfa62ea9bc8
SHA256 281b05ae56253a08d2fa940e1fe4674914c102b196aa0e281e73d26df20a40aa
SHA512 8ee1737ccab921e8e853dbacf8165188ec758c6f1c9787746d394eb8a9a38dc83dbfb7a321da6e9f9449aa9828597b7f16be04ec9a75e2949b5a71006609496d
-
Filesize
168KB
MD5 b5f7dba88f84c4b8fc306f34b4a5ce10
SHA1 e3dd0970aa82ed221985105d0ec655457188097e
SHA256 d464a2141ef9b08261bd03c27747055ef49f51b7b8e467225536aca7c57141a3
SHA512 0355e3398f98d3552702a343262ef247920c74770a11d0c2ef1e61def72697e46be50eb4922bb6495e8bd1db64f5f27d5d7bb3d9e82d6e604dfa294e0c9cf008
-
Filesize
168KB
MD5 79797b5ed8f13d93e5c00e120903b6d6
SHA1 2493d2fa5444064ed4e767fdff1e078e2fa21621
SHA256 1b73a318753598e01325b01b45bdfcb356de48e64bff8b6057d39a8d290d72ca
SHA512 613cc2eda48df39258062a2e7d724fc0b9e42bfaeb06d26dde49bcce83581aac179ea04245bb2a70d622f608d619c7972fe32f3b682f200713df0225545417f7
-
Filesize
168KB
MD5 3e4a0a2b8c41dd98e9eb0af750b8ca2f
SHA1 b97242c1330c10decd29d6e8fe4a99e5201a0f31
SHA256 b1875ec7ed36f40e18efe1289dd8cdaf18cd390f1d97a2137f2ed515ded51725
SHA512 405076e0e10ddd7bf6144309c9cd88dd7ea20ea93cf2fbf3781dab62218461464ff02199bfd207dcb9c600afd6b66fa8facd7f2f811d06d5059d7671ff19a832
-
Filesize
168KB
MD5 2c4466b8bc1137a516d14ef041fc340b
SHA1 17e4776539dcfe8f1d48a5b6201e082cf4d921b1
SHA256 f5c7d67b07a2055c0a9039cd8fecf67989cb431cbcd27843aee1934ac3ec9880
SHA512 e3950e2bf4cdc49d7cdd83c42cc66819e2a072028ad104d8d9e51f91b74fa0ecb813bf71527cc9ae237d8906ea977d0ce14a247ef1c21b902f5e17fab92ff707
-
Filesize
168KB
MD5 295435613d33e1f61e3f8b3bf8633974
SHA1 4c27a8b2fa03c7d03a182f9a9acf6b25c27ccc8c
SHA256 c430dff9a693477c0740640320c92e8dc6848ccfb3cdab444f0ed6abefabb973
SHA512 de3f41a7f09f6132b12e01c09aa28f23b0b71fd4fcad5369f9aafd0eded9664dc5277990363f39045521bdcc5e567dca08f9f9666122c36cd94d170c14a973dd
-
Filesize
168KB
MD5 97e1cb6a3c2dd585e360f20e061d9653
SHA1 33e725d5786cafe5d8f24663690bf31122d0fbe5
SHA256 49c91de8f0b3d092877a4b0aaec690d563ee77d496b401dbf389f118e5c9fc1b
SHA512 52923cf04d1e350e6c492fbfb4257915815934b3a71df79f8d444136483c96e326af62638c61a84fafdc2ce5fc09ec77b0a970abe0d38e1a28fc5637c830f9e8