Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
27/05/2024, 18:31
Static task
static1
Behavioral task
behavioral1
Sample
06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
Resource
win10v2004-20240508-en
General
-
Target
06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
-
Size
168KB
-
MD5
7d0cc5c7e32554c39bba1a4c4990f077
-
SHA1
5db293c74833611d361eab059423130434a3d248
-
SHA256
06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612
-
SHA512
c88b27df34a0583113fb39f0a548ecd90f1a548b5d3330f0add59c53624c4e404cb9b56e2e0895960a48206a6db6fee05869be6cdeab06237d48a7d972ef9a88
-
SSDEEP
192:pbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwYUr4/CFxyNhoy5t:pbLwOs8AHsc4sMfwhKQLroVr4/CFsrd
Malware Config
Signatures
-
Modifies Installed Components in the registry — 2 TTPs, 24 IoCs. Each stage creates an Active Setup key under HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GUID} and sets its `stubpath` value to the executable it just dropped into C:\Windows. Active Setup stubpath entries are executed for users at logon, so these writes are a persistence mechanism for the dropped stages, not an installer artifact. The WOW6432Node path indicates the writes come from a 32-bit process running on the x64 image.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91697043-EA59-4ef1-885C-D12248315A4C}\stubpath = "C:\\Windows\\{91697043-EA59-4ef1-885C-D12248315A4C}.exe" | {DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4DD25BD-2067-47bb-8C96-5F6297DD7965} | {91697043-EA59-4ef1-885C-D12248315A4C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}\stubpath = "C:\\Windows\\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe" | {91697043-EA59-4ef1-885C-D12248315A4C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35FB6E59-3E39-4010-A3FE-C84D725296F8} | {B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D4FE0E-4057-4664-B8FB-B81FA347978B}\stubpath = "C:\\Windows\\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe" | {35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADE19830-1173-4c5b-ABC3-6FD420129889} | {39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B} | {668A4223-EA7B-434b-94FA-A329A407AA7F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{668A4223-EA7B-434b-94FA-A329A407AA7F}\stubpath = "C:\\Windows\\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe" | {FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}\stubpath = "C:\\Windows\\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe" | {668A4223-EA7B-434b-94FA-A329A407AA7F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADE19830-1173-4c5b-ABC3-6FD420129889}\stubpath = "C:\\Windows\\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe" | {39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{116C2D37-F090-463c-8B22-0648C84A9477} | {ADE19830-1173-4c5b-ABC3-6FD420129889}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{116C2D37-F090-463c-8B22-0648C84A9477}\stubpath = "C:\\Windows\\{116C2D37-F090-463c-8B22-0648C84A9477}.exe" | {ADE19830-1173-4c5b-ABC3-6FD420129889}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}\stubpath = "C:\\Windows\\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe" | {116C2D37-F090-463c-8B22-0648C84A9477}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}\stubpath = "C:\\Windows\\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe" | {E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{668A4223-EA7B-434b-94FA-A329A407AA7F} | {FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9207E61E-E895-45b0-9272-7E4FD4A6827F}\stubpath = "C:\\Windows\\{9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe" | {CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB72E0C2-2B50-426c-B8ED-15D41772A202}\stubpath = "C:\\Windows\\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe" | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35FB6E59-3E39-4010-A3FE-C84D725296F8}\stubpath = "C:\\Windows\\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe" | {B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D4FE0E-4057-4664-B8FB-B81FA347978B} | {35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9207E61E-E895-45b0-9272-7E4FD4A6827F} | {CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB72E0C2-2B50-426c-B8ED-15D41772A202} | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A} | {116C2D37-F090-463c-8B22-0648C84A9477}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE} | {E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91697043-EA59-4ef1-885C-D12248315A4C} | {DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe
Executes dropped EXE 12 IoCs
pid | Process
2492 | {FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe
2412 | {668A4223-EA7B-434b-94FA-A329A407AA7F}.exe
4076 | {DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe
4004 | {91697043-EA59-4ef1-885C-D12248315A4C}.exe
1388 | {B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe
2540 | {35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe
3956 | {39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe
408 | {ADE19830-1173-4c5b-ABC3-6FD420129889}.exe
4348 | {116C2D37-F090-463c-8B22-0648C84A9477}.exe
2516 | {E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe
4368 | {CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe
1496 | {9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe
Drops file in Windows directory — 12 IoCs. Each stage writes the next stage's executable directly into C:\Windows\ under a fresh {GUID}.exe name. Writing there normally requires elevated rights, so the sample evidently ran with sufficient privileges in this sandbox; on a non-elevated account the chain may behave differently.
description | ioc | Process
File created | C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe | {39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe
File created | C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe | {ADE19830-1173-4c5b-ABC3-6FD420129889}.exe
File created | C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe | {116C2D37-F090-463c-8B22-0648C84A9477}.exe
File created | C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
File created | C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe | {FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe
File created | C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe | {668A4223-EA7B-434b-94FA-A329A407AA7F}.exe
File created | C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe | {91697043-EA59-4ef1-885C-D12248315A4C}.exe
File created | C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe | {B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe
File created | C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe | {E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe
File created | C:\Windows\{9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe | {CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe
File created | C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe | {DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe
File created | C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe | {35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe
Suspicious use of AdjustPrivilegeToken — 12 IoCs. The only privilege enabled is SeIncBasePriorityPrivilege (raising process priority), which on its own is a weak indicator; its value here is that it fires identically in the parent and in every dropped stage except the last, which helps correlate the chain.
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1344 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
Token: SeIncBasePriorityPrivilege | 2492 | {FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe
Token: SeIncBasePriorityPrivilege | 2412 | {668A4223-EA7B-434b-94FA-A329A407AA7F}.exe
Token: SeIncBasePriorityPrivilege | 4076 | {DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe
Token: SeIncBasePriorityPrivilege | 4004 | {91697043-EA59-4ef1-885C-D12248315A4C}.exe
Token: SeIncBasePriorityPrivilege | 1388 | {B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe
Token: SeIncBasePriorityPrivilege | 2540 | {35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe
Token: SeIncBasePriorityPrivilege | 3956 | {39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe
Token: SeIncBasePriorityPrivilege | 408 | {ADE19830-1173-4c5b-ABC3-6FD420129889}.exe
Token: SeIncBasePriorityPrivilege | 4348 | {116C2D37-F090-463c-8B22-0648C84A9477}.exe
Token: SeIncBasePriorityPrivilege | 2516 | {E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe
Token: SeIncBasePriorityPrivilege | 4368 | {CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe
Suspicious use of WriteProcessMemory — 64 IoCs (the listing stops at 64 entries). Every write goes from a parent to a child it has just spawned, and each child appears exactly three times, which is consistent with process creation rather than injection into an unrelated process. Because of the cap, the writes from the last stages (e.g. PID 4368 to 1496 and 3704, visible in the process tree below) are not listed here.
description | pid | Process | procid_target
PID 1344 wrote to memory of 2492 | 1344 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 97
PID 1344 wrote to memory of 2492 | 1344 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 97
PID 1344 wrote to memory of 2492 | 1344 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 97
PID 1344 wrote to memory of 3472 | 1344 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 98
PID 1344 wrote to memory of 3472 | 1344 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 98
PID 1344 wrote to memory of 3472 | 1344 | 06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe | 98
PID 2492 wrote to memory of 2412 | 2492 | {FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe | 99
PID 2492 wrote to memory of 2412 | 2492 | {FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe | 99
PID 2492 wrote to memory of 2412 | 2492 | {FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe | 99
PID 2492 wrote to memory of 3076 | 2492 | {FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe | 100
PID 2492 wrote to memory of 3076 | 2492 | {FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe | 100
PID 2492 wrote to memory of 3076 | 2492 | {FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe | 100
PID 2412 wrote to memory of 4076 | 2412 | {668A4223-EA7B-434b-94FA-A329A407AA7F}.exe | 103
PID 2412 wrote to memory of 4076 | 2412 | {668A4223-EA7B-434b-94FA-A329A407AA7F}.exe | 103
PID 2412 wrote to memory of 4076 | 2412 | {668A4223-EA7B-434b-94FA-A329A407AA7F}.exe | 103
PID 2412 wrote to memory of 2568 | 2412 | {668A4223-EA7B-434b-94FA-A329A407AA7F}.exe | 104
PID 2412 wrote to memory of 2568 | 2412 | {668A4223-EA7B-434b-94FA-A329A407AA7F}.exe | 104
PID 2412 wrote to memory of 2568 | 2412 | {668A4223-EA7B-434b-94FA-A329A407AA7F}.exe | 104
PID 4076 wrote to memory of 4004 | 4076 | {DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe | 105
PID 4076 wrote to memory of 4004 | 4076 | {DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe | 105
PID 4076 wrote to memory of 4004 | 4076 | {DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe | 105
PID 4076 wrote to memory of 4628 | 4076 | {DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe | 106
PID 4076 wrote to memory of 4628 | 4076 | {DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe | 106
PID 4076 wrote to memory of 4628 | 4076 | {DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe | 106
PID 4004 wrote to memory of 1388 | 4004 | {91697043-EA59-4ef1-885C-D12248315A4C}.exe | 107
PID 4004 wrote to memory of 1388 | 4004 | {91697043-EA59-4ef1-885C-D12248315A4C}.exe | 107
PID 4004 wrote to memory of 1388 | 4004 | {91697043-EA59-4ef1-885C-D12248315A4C}.exe | 107
PID 4004 wrote to memory of 1252 | 4004 | {91697043-EA59-4ef1-885C-D12248315A4C}.exe | 108
PID 4004 wrote to memory of 1252 | 4004 | {91697043-EA59-4ef1-885C-D12248315A4C}.exe | 108
PID 4004 wrote to memory of 1252 | 4004 | {91697043-EA59-4ef1-885C-D12248315A4C}.exe | 108
PID 1388 wrote to memory of 2540 | 1388 | {B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe | 110
PID 1388 wrote to memory of 2540 | 1388 | {B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe | 110
PID 1388 wrote to memory of 2540 | 1388 | {B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe | 110
PID 1388 wrote to memory of 3284 | 1388 | {B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe | 111
PID 1388 wrote to memory of 3284 | 1388 | {B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe | 111
PID 1388 wrote to memory of 3284 | 1388 | {B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe | 111
PID 2540 wrote to memory of 3956 | 2540 | {35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe | 112
PID 2540 wrote to memory of 3956 | 2540 | {35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe | 112
PID 2540 wrote to memory of 3956 | 2540 | {35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe | 112
PID 2540 wrote to memory of 4184 | 2540 | {35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe | 113
PID 2540 wrote to memory of 4184 | 2540 | {35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe | 113
PID 2540 wrote to memory of 4184 | 2540 | {35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe | 113
PID 3956 wrote to memory of 408 | 3956 | {39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe | 115
PID 3956 wrote to memory of 408 | 3956 | {39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe | 115
PID 3956 wrote to memory of 408 | 3956 | {39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe | 115
PID 3956 wrote to memory of 2740 | 3956 | {39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe | 116
PID 3956 wrote to memory of 2740 | 3956 | {39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe | 116
PID 3956 wrote to memory of 2740 | 3956 | {39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe | 116
PID 408 wrote to memory of 4348 | 408 | {ADE19830-1173-4c5b-ABC3-6FD420129889}.exe | 122
PID 408 wrote to memory of 4348 | 408 | {ADE19830-1173-4c5b-ABC3-6FD420129889}.exe | 122
PID 408 wrote to memory of 4348 | 408 | {ADE19830-1173-4c5b-ABC3-6FD420129889}.exe | 122
PID 408 wrote to memory of 3104 | 408 | {ADE19830-1173-4c5b-ABC3-6FD420129889}.exe | 123
PID 408 wrote to memory of 3104 | 408 | {ADE19830-1173-4c5b-ABC3-6FD420129889}.exe | 123
PID 408 wrote to memory of 3104 | 408 | {ADE19830-1173-4c5b-ABC3-6FD420129889}.exe | 123
PID 4348 wrote to memory of 2516 | 4348 | {116C2D37-F090-463c-8B22-0648C84A9477}.exe | 124
PID 4348 wrote to memory of 2516 | 4348 | {116C2D37-F090-463c-8B22-0648C84A9477}.exe | 124
PID 4348 wrote to memory of 2516 | 4348 | {116C2D37-F090-463c-8B22-0648C84A9477}.exe | 124
PID 4348 wrote to memory of 3468 | 4348 | {116C2D37-F090-463c-8B22-0648C84A9477}.exe | 125
PID 4348 wrote to memory of 3468 | 4348 | {116C2D37-F090-463c-8B22-0648C84A9477}.exe | 125
PID 4348 wrote to memory of 3468 | 4348 | {116C2D37-F090-463c-8B22-0648C84A9477}.exe | 125
PID 2516 wrote to memory of 4368 | 2516 | {E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe | 128
PID 2516 wrote to memory of 4368 | 2516 | {E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe | 128
PID 2516 wrote to memory of 4368 | 2516 | {E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe | 128
PID 2516 wrote to memory of 4108 | 2516 | {E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe | 129
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe — Command line: "C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe" — tree level 1 (submitted sample, root of the chain)
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344 -
Image: C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe — Command line: C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe — tree level 2
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492 -
Image: C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe — Command line: C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe — tree level 3
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412 -
Image: C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe — Command line: C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe — tree level 4
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076 -
Image: C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe — Command line: C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe — tree level 5
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004 -
Image: C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe — Command line: C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe — tree level 6
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388 -
Image: C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe — Command line: C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe — tree level 7
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540 -
Image: C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe — Command line: C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe — tree level 8
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956 -
Image: C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe — Command line: C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe — tree level 9
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408 -
Image: C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe — Command line: C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe — tree level 10
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348 -
Image: C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe — Command line: C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe — tree level 11
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516 -
Image: C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe — Command line: C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe — tree level 12
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4368 -
Image: C:\Windows\{9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe — Command line: C:\Windows\{9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe — tree level 13 (last stage observed; no further drop or child within the 149s run)
- Executes dropped EXE
PID:1496
-
-
Image: C:\Windows\SysWOW64\cmd.exe — Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CB547~1.EXE > nul — tree level 13 — PID:3704. Each stage spawns this cmd.exe to delete its own binary ({CB547~1.EXE is the 8.3 short name of {CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe) once it has launched the next stage; the system32 path resolves to SysWOW64 because the caller is a 32-bit process under WOW64, consistent with the WOW6432Node registry writes.
-
-
-
Image: C:\Windows\SysWOW64\cmd.exe — Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E63D3~1.EXE > nul — tree level 12 — PID:4108
-
-
-
Image: C:\Windows\SysWOW64\cmd.exe — Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{116C2~1.EXE > nul — tree level 11 — PID:3468
-
-
-
Image: C:\Windows\SysWOW64\cmd.exe — Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE19~1.EXE > nul — tree level 10 — PID:3104
-
-
-
Image: C:\Windows\SysWOW64\cmd.exe — Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{39D4F~1.EXE > nul — tree level 9 — PID:2740
-
-
-
Image: C:\Windows\SysWOW64\cmd.exe — Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{35FB6~1.EXE > nul — tree level 8 — PID:4184
-
-
-
Image: C:\Windows\SysWOW64\cmd.exe — Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B4DD2~1.EXE > nul — tree level 7 — PID:3284
-
-
-
Image: C:\Windows\SysWOW64\cmd.exe — Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{91697~1.EXE > nul — tree level 6 — PID:1252
-
-
-
Image: C:\Windows\SysWOW64\cmd.exe — Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DBAD1~1.EXE > nul — tree level 5 — PID:4628
-
-
-
Image: C:\Windows\SysWOW64\cmd.exe — Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{668A4~1.EXE > nul — tree level 4 — PID:2568
-
-
-
Image: C:\Windows\SysWOW64\cmd.exe — Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FB72E~1.EXE > nul — tree level 3 — PID:3076
-
-
-
Image: C:\Windows\SysWOW64\cmd.exe — Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\06FBFA~1.EXE > nul — tree level 2 — PID:3472. 06FBFA~1.EXE is the 8.3 short name of the submitted sample, so the original dropper removes its own on-disk copy after launching the first stage; on an infected host the submitted file is therefore unlikely to still be present, and any surviving stage will be one of the C:\Windows\{GUID}.exe copies instead.
-
Network
MITRE ATT&CK Enterprise v15
Downloads — the 12 dropped stage executables (one per C:\Windows\{GUID}.exe). All are 168KB like the submitted sample, but every one has a different hash, so each stage is a rewritten copy rather than a byte-identical clone; hash-based blocking of the parent will not cover the dropped files, whereas the {GUID}.exe naming in C:\Windows, the Active Setup stubpath writes and the cmd.exe /c del self-deletion pattern are the stable indicators.
-
Filesize
168KB
MD5 560ddb9c34043387d7029b77daa3393a
SHA1 12919cec7b98a32837f7f3d5078a100b5dbbb02c
SHA256 1bde82f4b0fee88a8cecef541a0bcb01f9d6b3abbdb7d4126ecdc1f5c69d45e0
SHA512 1d2e1507726d74005b23d8202ac18716d7ff2d4b1ef900069bebbe57041f09dc6999d1c7547c1d5aa23822ede806d01ab4c710136e5ecf2b72f5c275b1140d6c
-
Filesize
168KB
MD5 832d4c368e3533fa011e83c24cbb0766
SHA1 bc6bca0875d1f1bf9e6484237500144afd2b00bd
SHA256 134654f351b9e0691abb81187c9a5a4bd7b72881fc83908dacfe067060596928
SHA512 17b38c729f3ed6b575ebfcf8ec7945c7f19ac077af285a840335c55ded0f934db16a940ed2f63d777e00d64adfb18b01d74fe9ee6e074c92be7adea7fab2e9bf
-
Filesize
168KB
MD5 157e292e9f1d7b4144a339c78c114dcf
SHA1 320cb690feb45df718a3ddf34ef5b8d47089fc18
SHA256 883a2e267240d0bc7a4e257c0a4e1f6f7d6207aafff0c49bfa2d988f184c617c
SHA512 1d6f83f3bd142f13e7ab755948d0e107789c1055dd4b5d11e339746c831f69673ee554ce93c9dcfa464e30115671f579f540fd57d42c22c1f33d744d54d7ef12
-
Filesize
168KB
MD5 3077d6bf3f0fa2e8f162c2880fd40444
SHA1 0759c9318243260a4eadc5f5f7bbc4bbc990f368
SHA256 90083b7fb730aa759ab0838bef066ba977609d7859ad0c3e3df50c4e086b09d3
SHA512 ea2567914f1e7868ee639a877130f55d669701ae8d042222828c04aa621af78725fff8f89778a57511238714b779948d0c8f8500ae6b389b7ab1b58fb0bf58d4
-
Filesize
168KB
MD5 800ce085edb1d8b1ece86dc90dc5aeb7
SHA1 1ef1a806ecb7df9df3f146bd55f7595e0d0970f4
SHA256 e70f6c47a82501844acf57e618358bc136805c0321aa3e9c506d08cd7b7bee24
SHA512 a4b19d19403a17be6466dc27a44b478300e2a9b6344e46a99b4da13c617e781c51281cd153959063f0a734f306631e67b9c88a23d3ae7009556fc20f29459300
-
Filesize
168KB
MD5 0d88f40deeb776f26217cfbd4dbf9092
SHA1 cf13cb872e35f051e846cb04ba8f439e73b93371
SHA256 083a592b2b8e0c20857be3cc2edf632ecdb763006f208c0c5d1ce45efa1e05c5
SHA512 328967ce78799f53a91e8f9687783012bfb5bcf340b3fd43dae0feea74fe2e84d7e9f4bc7620e103c11348ef45818be47aa4e6e069df81c2ec602bf4ce4d2e44
-
Filesize
168KB
MD5 80c394ffe199e423b5ba645f876eaa1d
SHA1 2159393a2858eb7ea0c0180237d0bbc85122a051
SHA256 6ccd638c1f4df47c938ccaf63de9c1a6aa0ebaa7f1d758c9e45f567cf3e8647c
SHA512 c5c48da979cea481771619a1a762462f12ee2a1b17b8f4807fec4a4cde8fd05821397da6fe6ccbd3dacb3c177855816ba49bf298be70d124e4a85541d5366ca2
-
Filesize
168KB
MD5 e8fa048bab164e9ca6ea138d1b45b7bb
SHA1 1130861882f230d2b234bed11d8a51062ce6a071
SHA256 cf631501cfb12d789b98e12b106c9ba0488feb9547d646c9527dc257bf43ff42
SHA512 b202cbe6e0ebded7e0342bd268264ea41317c8db940403ee0f0499e04bcc0c5ed25cc8862136aa24bc2b34e9948f19d28c7be94c46f30eacc97320bd9fb31100
-
Filesize
168KB
MD5 fbc2b8bc47d3764f576e4e1b89910762
SHA1 41fd78d48c9a5c8a634131ace12bb6d303792e77
SHA256 6573b7883b339cfc0b1e40627140ffa6edcc7017cd6dec0162c743a403d8083c
SHA512 d49ee44084b45ff440512fee88a462405670df081be36952028af2f6fe4b2818a666db0dd3c0945a202704e373b851784ce82491958980c8f56dc1a0c4109b32
-
Filesize
168KB
MD5 4b9695a187cc7a43c4dae7028ed414fe
SHA1 54e4a93088c84be1185460822a96d56c234fc52b
SHA256 7045364e70c74679629a69cc095e99079687a4b7cf275cb41bb9f0ce799e6cb1
SHA512 baa6eb44fd16165599538c9a174a680c31f24097fdc489047286fcb78977ee3a8daddc9be11f7d583e946f5df61b636ede809857a8c16ca4e165c2b53c5ea776
-
Filesize
168KB
MD5 056fcb88b5b00928325be9b1efd222ad
SHA1 c3ccb693baf91481a759ecedd75d63814d56c2b8
SHA256 5043a2007174a3312773ba872e7add2aed5e7b08bb337b3aa9d34f0bfe319864
SHA512 2f2881a4be0455e61a295a4a4da22cd7190986a3766fe2a588bbe8a1b41a962adc7fc4b4ff985dc2b0c69dca3e04dfea6e44a167c5fb45840937e91c160808a1
-
Filesize
168KB
MD5 d131fb6c931a307da56ef4b780f78144
SHA1 6a59a0aa3c77d8d040fda58079bed7dad935bac3
SHA256 e51c4b8edb7526ceaf9752a784b04de716f0ca7fbb04e0cb479846dc4bee79c0
SHA512 82d828e9962f2d911f4105a3df8135db87defe8c69e672dd0822541af5b8ced2f928a71e5e4756a55cfc53aedb0d8457c2c9498607ada6a0ebf1e5aa8187ca0a