Analysis
max time kernel: 144s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 01/06/2024, 20:11
Static task: static1
Behavioral task: behavioral1
  Sample: 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
  Resource: win10v2004-20240508-en

General
Target: 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
Size: 98KB
MD5: 18ee73c98555b308c2bf65ef39a41a5a
SHA1: f1f94cd13f36a4e5622cc9cdfbb362c841df8607
SHA256: 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a
SHA512: 42e3d70c5006a5da1b352f8c07626ec6cc28fae86bc62aeb2e209a996b9ed098a837d6e8ffd81c8a1b31617da0ce517dfc6787b9c0046e922c8deb448ff0a8c0
SSDEEP: 768:5vw9816thKQLroFL4/wQkNrfrunMxVFA3b7glws:lEG/0oFLlbunMxVS3Hgz
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11C020A-32AD-4857-99E0-02B4486DD17B}\stubpath = "C:\\Windows\\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe" | 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}\stubpath = "C:\\Windows\\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe" | {F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CADB709-4AB0-49e2-8030-8965C12B5090} | {EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}\stubpath = "C:\\Windows\\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe" | {A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8B925B6-4DF9-4434-A670-35874C97CDC0}\stubpath = "C:\\Windows\\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe" | {A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F89BE992-56EF-419e-9A60-C0D8F4C4D327} | {A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CADB709-4AB0-49e2-8030-8965C12B5090}\stubpath = "C:\\Windows\\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe" | {EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03} | {A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2669C1F-52ED-411d-9D57-6675FC70DBCE} | {1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C194F340-2985-4f26-B208-CC54E202F18E} | {D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5} | {F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}\stubpath = "C:\\Windows\\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe" | {F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9} | {3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11C020A-32AD-4857-99E0-02B4486DD17B} | 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8B925B6-4DF9-4434-A670-35874C97CDC0} | {A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}\stubpath = "C:\\Windows\\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe" | {A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5} | {F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}\stubpath = "C:\\Windows\\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe" | {3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7} | {38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}\stubpath = "C:\\Windows\\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe" | {38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}\stubpath = "C:\\Windows\\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe" | {1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C194F340-2985-4f26-B208-CC54E202F18E}\stubpath = "C:\\Windows\\{C194F340-2985-4f26-B208-CC54E202F18E}.exe" | {D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe
Deletes itself (1 IoC)
pid | Process
2928 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
3004 | {A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
2488 | {F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
2544 | {A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
2428 | {F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
3008 | {EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
1724 | {3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
2220 | {38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
2132 | {A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
548 | {1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe
2692 | {D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe
1804 | {C194F340-2985-4f26-B208-CC54E202F18E}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe | {38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
File created | C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe | {1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe
File created | C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe | {A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
File created | C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe | {F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
File created | C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe | {F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
File created | C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe | {EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
File created | C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe | {3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
File created | C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe | {A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
File created | C:\Windows\{C194F340-2985-4f26-B208-CC54E202F18E}.exe | {D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe
File created | C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe | 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
File created | C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe | {A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1556 | 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
Token: SeIncBasePriorityPrivilege | 3004 | {A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
Token: SeIncBasePriorityPrivilege | 2488 | {F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
Token: SeIncBasePriorityPrivilege | 2544 | {A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
Token: SeIncBasePriorityPrivilege | 2428 | {F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
Token: SeIncBasePriorityPrivilege | 3008 | {EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
Token: SeIncBasePriorityPrivilege | 1724 | {3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
Token: SeIncBasePriorityPrivilege | 2220 | {38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
Token: SeIncBasePriorityPrivilege | 2132 | {A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
Token: SeIncBasePriorityPrivilege | 548 | {1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe
Token: SeIncBasePriorityPrivilege | 2692 | {D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe
Suspicious use of WriteProcessMemory (64 IoCs; the report records each of the 16 events below four times)
description | pid | Process | procid_target
PID 1556 wrote to memory of 3004 | 1556 | 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe | 30
PID 1556 wrote to memory of 2928 | 1556 | 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe | 31
PID 3004 wrote to memory of 2488 | 3004 | {A11C020A-32AD-4857-99E0-02B4486DD17B}.exe | 32
PID 3004 wrote to memory of 2612 | 3004 | {A11C020A-32AD-4857-99E0-02B4486DD17B}.exe | 33
PID 2488 wrote to memory of 2544 | 2488 | {F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe | 34
PID 2488 wrote to memory of 1428 | 2488 | {F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe | 35
PID 2544 wrote to memory of 2428 | 2544 | {A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe | 36
PID 2544 wrote to memory of 2396 | 2544 | {A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe | 37
PID 2428 wrote to memory of 3008 | 2428 | {F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe | 38
PID 2428 wrote to memory of 1260 | 2428 | {F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe | 39
PID 3008 wrote to memory of 1724 | 3008 | {EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe | 40
PID 3008 wrote to memory of 1956 | 3008 | {EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe | 41
PID 1724 wrote to memory of 2220 | 1724 | {3CADB709-4AB0-49e2-8030-8965C12B5090}.exe | 42
PID 1724 wrote to memory of 908 | 1724 | {3CADB709-4AB0-49e2-8030-8965C12B5090}.exe | 43
PID 2220 wrote to memory of 2132 | 2220 | {38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe | 44
PID 2220 wrote to memory of 540 | 2220 | {38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe | 45
Processes
Level 1, PID 1556: C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe"
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 2, PID 3004: C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
Command line: C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 3, PID 2488: C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
Command line: C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 4, PID 2544: C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
Command line: C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 5, PID 2428: C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
Command line: C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 6, PID 3008: C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
Command line: C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 7, PID 1724: C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
Command line: C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 8, PID 2220: C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
Command line: C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 9, PID 2132: C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
Command line: C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Level 10, PID 548: C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe
Command line: C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Level 11, PID 2692: C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe
Command line: C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Level 12, PID 1804: C:\Windows\{C194F340-2985-4f26-B208-CC54E202F18E}.exe
Command line: C:\Windows\{C194F340-2985-4f26-B208-CC54E202F18E}.exe
- Executes dropped EXE

Level 12, PID 824: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D2669~1.EXE > nul

Level 11, PID 1504: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1B722~1.EXE > nul

Level 10, PID 2724: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A10BE~1.EXE > nul

Level 9, PID 540: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{38A5B~1.EXE > nul

Level 8, PID 908: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3CADB~1.EXE > nul

Level 7, PID 1956: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EC419~1.EXE > nul

Level 6, PID 1260: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F89BE~1.EXE > nul

Level 5, PID 2396: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A8F24~1.EXE > nul

Level 4, PID 1428: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F8B92~1.EXE > nul

Level 3, PID 2612: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A11C0~1.EXE > nul

Level 2, PID 2928: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\35C65B~1.EXE > nul
- Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads