Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
01/06/2024, 20:11
Static task
static1
Behavioral task
behavioral1
Sample
35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
Resource
win10v2004-20240508-en
General
-
Target
35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
-
Size
98KB
-
MD5
18ee73c98555b308c2bf65ef39a41a5a
-
SHA1
f1f94cd13f36a4e5622cc9cdfbb362c841df8607
-
SHA256
35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a
-
SHA512
42e3d70c5006a5da1b352f8c07626ec6cc28fae86bc62aeb2e209a996b9ed098a837d6e8ffd81c8a1b31617da0ce517dfc6787b9c0046e922c8deb448ff0a8c0
-
SSDEEP
768:5vw9816thKQLroFL4/wQkNrfrunMxVFA3b7glws:lEG/0oFLlbunMxVS3Hgz
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs — Active Setup persistence: each stage creates HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GUID} and sets its StubPath to the next stage's C:\Windows\{GUID}.exe (Active Setup StubPath entries are executed at user logon, so every registered GUID is a separate persistence point to remove; the WOW6432Node path is the 32-bit view, consistent with the x86 binary on x64 Windows).
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}\stubpath = "C:\\Windows\\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe" {E5989A06-D50E-477a-966B-5F93C1740C38}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E47358A5-9ED2-4262-958A-59D6C7CD205E} {BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35354BD1-1F4D-4f09-BB5A-1A7727B92009} {E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B52AFCF4-334F-401c-970B-F2FB224E0225}\stubpath = "C:\\Windows\\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe" {A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5989A06-D50E-477a-966B-5F93C1740C38}\stubpath = "C:\\Windows\\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe" {92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}\stubpath = "C:\\Windows\\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe" {E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}\stubpath = "C:\\Windows\\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe" {35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D352423-EF38-4244-BA75-0804A572F504} 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D352423-EF38-4244-BA75-0804A572F504}\stubpath = 
"C:\\Windows\\{5D352423-EF38-4244-BA75-0804A572F504}.exe" 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B294F4-59B3-4210-A7E5-08AB595C334B}\stubpath = "C:\\Windows\\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe" {5D352423-EF38-4244-BA75-0804A572F504}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}\stubpath = "C:\\Windows\\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe" {B52AFCF4-334F-401c-970B-F2FB224E0225}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7} {562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5989A06-D50E-477a-966B-5F93C1740C38} {92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627} {35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}\stubpath = "C:\\Windows\\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe" {3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B294F4-59B3-4210-A7E5-08AB595C334B} {5D352423-EF38-4244-BA75-0804A572F504}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}\stubpath = "C:\\Windows\\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe" {35B294F4-59B3-4210-A7E5-08AB595C334B}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48} 
{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0} {E5989A06-D50E-477a-966B-5F93C1740C38}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E47358A5-9ED2-4262-958A-59D6C7CD205E}\stubpath = "C:\\Windows\\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe" {BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887} {3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E} {35B294F4-59B3-4210-A7E5-08AB595C334B}.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B52AFCF4-334F-401c-970B-F2FB224E0225} {A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}\stubpath = "C:\\Windows\\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe" {562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe -
Executes dropped EXE 12 IoCs — a linear chain: each dropped {GUID}.exe is launched by the previous stage (see Processes). The last stage, {D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe (PID 4208), shows no further drop, registry or child activity in this report, which may simply reflect the end of the analysis window (max time kernel 149s); treat the 12-stage depth as a lower bound rather than the sample's full behaviour.
pid Process 4620 {5D352423-EF38-4244-BA75-0804A572F504}.exe 2088 {35B294F4-59B3-4210-A7E5-08AB595C334B}.exe 744 {A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe 4944 {B52AFCF4-334F-401c-970B-F2FB224E0225}.exe 908 {562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe 2044 {92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe 592 {E5989A06-D50E-477a-966B-5F93C1740C38}.exe 4996 {BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe 4508 {E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe 2836 {35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe 4024 {3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe 4208 {D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe -
Drops file in Windows directory 12 IoCs — every stage writes the next stage's binary directly into C:\Windows\{GUID}.exe. In this run the sample executed from C:\Users\Admin, i.e. with an account able to write to C:\Windows; behaviour under a standard-user (non-elevated) token is not verified by this report.
description ioc Process File created C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe {92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe File created C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe {E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe File created C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe File created C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe {5D352423-EF38-4244-BA75-0804A572F504}.exe File created C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe {35B294F4-59B3-4210-A7E5-08AB595C334B}.exe File created C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe {A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe File created C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe {B52AFCF4-334F-401c-970B-F2FB224E0225}.exe File created C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe {562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe File created C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe {35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe File created C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe {E5989A06-D50E-477a-966B-5F93C1740C38}.exe File created C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe {BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe File created C:\Windows\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe {3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs — the only privilege enabled is SeIncBasePriorityPrivilege (raising process priority), a low-impact privilege available to ordinary users; on its own this signature is weak evidence and should not be read as privilege escalation.
description pid Process Token: SeIncBasePriorityPrivilege 4744 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe Token: SeIncBasePriorityPrivilege 4620 {5D352423-EF38-4244-BA75-0804A572F504}.exe Token: SeIncBasePriorityPrivilege 2088 {35B294F4-59B3-4210-A7E5-08AB595C334B}.exe Token: SeIncBasePriorityPrivilege 744 {A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe Token: SeIncBasePriorityPrivilege 4944 {B52AFCF4-334F-401c-970B-F2FB224E0225}.exe Token: SeIncBasePriorityPrivilege 908 {562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe Token: SeIncBasePriorityPrivilege 2044 {92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe Token: SeIncBasePriorityPrivilege 592 {E5989A06-D50E-477a-966B-5F93C1740C38}.exe Token: SeIncBasePriorityPrivilege 4996 {BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe Token: SeIncBasePriorityPrivilege 4508 {E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe Token: SeIncBasePriorityPrivilege 2836 {35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe Token: SeIncBasePriorityPrivilege 4024 {3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe -
Suspicious use of WriteProcessMemory 64 IoCs — every target PID listed below is a freshly created child of the writer (the next-stage {GUID}.exe or the cmd.exe used for self-deletion), which is consistent with normal process creation on this OS rather than injection into unrelated processes; no write to a pre-existing or system process appears in this report.
description pid Process procid_target PID 4744 wrote to memory of 4620 4744 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe 93 PID 4744 wrote to memory of 4620 4744 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe 93 PID 4744 wrote to memory of 4620 4744 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe 93 PID 4744 wrote to memory of 2844 4744 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe 94 PID 4744 wrote to memory of 2844 4744 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe 94 PID 4744 wrote to memory of 2844 4744 35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe 94 PID 4620 wrote to memory of 2088 4620 {5D352423-EF38-4244-BA75-0804A572F504}.exe 95 PID 4620 wrote to memory of 2088 4620 {5D352423-EF38-4244-BA75-0804A572F504}.exe 95 PID 4620 wrote to memory of 2088 4620 {5D352423-EF38-4244-BA75-0804A572F504}.exe 95 PID 4620 wrote to memory of 4516 4620 {5D352423-EF38-4244-BA75-0804A572F504}.exe 96 PID 4620 wrote to memory of 4516 4620 {5D352423-EF38-4244-BA75-0804A572F504}.exe 96 PID 4620 wrote to memory of 4516 4620 {5D352423-EF38-4244-BA75-0804A572F504}.exe 96 PID 2088 wrote to memory of 744 2088 {35B294F4-59B3-4210-A7E5-08AB595C334B}.exe 100 PID 2088 wrote to memory of 744 2088 {35B294F4-59B3-4210-A7E5-08AB595C334B}.exe 100 PID 2088 wrote to memory of 744 2088 {35B294F4-59B3-4210-A7E5-08AB595C334B}.exe 100 PID 2088 wrote to memory of 3484 2088 {35B294F4-59B3-4210-A7E5-08AB595C334B}.exe 101 PID 2088 wrote to memory of 3484 2088 {35B294F4-59B3-4210-A7E5-08AB595C334B}.exe 101 PID 2088 wrote to memory of 3484 2088 {35B294F4-59B3-4210-A7E5-08AB595C334B}.exe 101 PID 744 wrote to memory of 4944 744 {A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe 102 PID 744 wrote to memory of 4944 744 {A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe 102 PID 744 wrote to memory of 4944 744 {A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe 102 PID 744 wrote to memory of 4780 744 
{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe 103 PID 744 wrote to memory of 4780 744 {A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe 103 PID 744 wrote to memory of 4780 744 {A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe 103 PID 4944 wrote to memory of 908 4944 {B52AFCF4-334F-401c-970B-F2FB224E0225}.exe 104 PID 4944 wrote to memory of 908 4944 {B52AFCF4-334F-401c-970B-F2FB224E0225}.exe 104 PID 4944 wrote to memory of 908 4944 {B52AFCF4-334F-401c-970B-F2FB224E0225}.exe 104 PID 4944 wrote to memory of 916 4944 {B52AFCF4-334F-401c-970B-F2FB224E0225}.exe 105 PID 4944 wrote to memory of 916 4944 {B52AFCF4-334F-401c-970B-F2FB224E0225}.exe 105 PID 4944 wrote to memory of 916 4944 {B52AFCF4-334F-401c-970B-F2FB224E0225}.exe 105 PID 908 wrote to memory of 2044 908 {562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe 107 PID 908 wrote to memory of 2044 908 {562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe 107 PID 908 wrote to memory of 2044 908 {562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe 107 PID 908 wrote to memory of 3312 908 {562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe 108 PID 908 wrote to memory of 3312 908 {562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe 108 PID 908 wrote to memory of 3312 908 {562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe 108 PID 2044 wrote to memory of 592 2044 {92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe 109 PID 2044 wrote to memory of 592 2044 {92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe 109 PID 2044 wrote to memory of 592 2044 {92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe 109 PID 2044 wrote to memory of 2068 2044 {92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe 110 PID 2044 wrote to memory of 2068 2044 {92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe 110 PID 2044 wrote to memory of 2068 2044 {92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe 110 PID 592 wrote to memory of 4996 592 {E5989A06-D50E-477a-966B-5F93C1740C38}.exe 115 PID 592 wrote to memory of 4996 592 {E5989A06-D50E-477a-966B-5F93C1740C38}.exe 115 PID 592 wrote to memory of 4996 592 {E5989A06-D50E-477a-966B-5F93C1740C38}.exe 115 PID 592 wrote to memory of 
1704 592 {E5989A06-D50E-477a-966B-5F93C1740C38}.exe 116 PID 592 wrote to memory of 1704 592 {E5989A06-D50E-477a-966B-5F93C1740C38}.exe 116 PID 592 wrote to memory of 1704 592 {E5989A06-D50E-477a-966B-5F93C1740C38}.exe 116 PID 4996 wrote to memory of 4508 4996 {BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe 120 PID 4996 wrote to memory of 4508 4996 {BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe 120 PID 4996 wrote to memory of 4508 4996 {BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe 120 PID 4996 wrote to memory of 1160 4996 {BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe 121 PID 4996 wrote to memory of 1160 4996 {BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe 121 PID 4996 wrote to memory of 1160 4996 {BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe 121 PID 4508 wrote to memory of 2836 4508 {E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe 122 PID 4508 wrote to memory of 2836 4508 {E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe 122 PID 4508 wrote to memory of 2836 4508 {E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe 122 PID 4508 wrote to memory of 1752 4508 {E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe 123 PID 4508 wrote to memory of 1752 4508 {E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe 123 PID 4508 wrote to memory of 1752 4508 {E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe 123 PID 2836 wrote to memory of 4024 2836 {35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe 127 PID 2836 wrote to memory of 4024 2836 {35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe 127 PID 2836 wrote to memory of 4024 2836 {35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe 127 PID 2836 wrote to memory of 2600 2836 {35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe 128
Processes — tree layout: each stage spawns the next C:\Windows\{GUID}.exe and then a cmd.exe that deletes the stage's own binary via its 8.3 short name (e.g. {5D352~1.EXE}); the original sample likewise deletes itself from Temp (35C65B~1.EXE). For post-execution disk acquisition, expect only the newest stage's file to remain on disk while the Active Setup StubPath values for earlier GUIDs point at files that no longer exist — those dangling StubPath entries are themselves a useful hunting artifact. Note the deletion relies on 8.3 short names being generated on the volume.
-
C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe — command line: "C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe" (depth 1)
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe — command line: C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe (depth 2)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe — command line: C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe (depth 3)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe — command line: C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe (depth 4)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe — command line: C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe (depth 5)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe — command line: C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe (depth 6)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe — command line: C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe (depth 7)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe — command line: C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe (depth 8)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe — command line: C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe (depth 9)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe — command line: C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe (depth 10)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe — command line: C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe (depth 11)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe — command line: C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe (depth 12)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4024 -
C:\Windows\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe — command line: C:\Windows\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe (depth 13; final stage observed in this run)
- Executes dropped EXE
PID:4208
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3C067~1.EXE > nul (depth 13) PID:1348
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{35354~1.EXE > nul (depth 12) PID:2600
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E4735~1.EXE > nul (depth 11) PID:1752
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BD081~1.EXE > nul (depth 10) PID:1160
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E5989~1.EXE > nul (depth 9) PID:1704
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{92F7E~1.EXE > nul (depth 8) PID:2068
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{562E1~1.EXE > nul (depth 7) PID:3312
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B52AF~1.EXE > nul (depth 6) PID:916
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A2579~1.EXE > nul (depth 5) PID:4780
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{35B29~1.EXE > nul (depth 4) PID:3484
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5D352~1.EXE > nul (depth 3) PID:4516
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\35C65B~1.EXE > nul (depth 2) PID:2844 — deletes the original sample from Temp after the first stage has been launched.
-
Network — no network activity is listed in this report. Treat that as unconfirmed rather than proof the sample is offline-only: the analysis window was bounded (max time network 125s) and the chain was still executing when it ended.
MITRE ATT&CK Enterprise v15
Downloads (dropped files) — 12 files, all 98KB (the same size as the parent sample) but each with distinct hashes, consistent with every stage writing a modified copy of itself. Per-file hashes are therefore weak, run-specific indicators; for detection prefer the C:\Windows\{GUID}.exe path pattern, the Active Setup StubPath values, and the cmd.exe /c del ... > nul self-deletion command line.
-
Filesize
98KB
MD5 befe102344d9c421ea29a787a00a3ab4
SHA1 8e51d2b654d663072df6ccaa4d91fa188b90758d
SHA256 f17f66567c22bad3b834c1a552b0077d05b6fcf14feb0dc926bef778ecfb772b
SHA512 10766795bba9a4b44ef24aabb80c46b9499ba8112dfae2513cb18b650ea5ef3656ee5157b71c364cac330505d9e842bfb838d1810967a72480f2b44037c0fd7a
-
Filesize
98KB
MD5 9d5e941ec1ce5fdf42a5e75b4214cdf5
SHA1 13ab04047abfd2441f737e05992cb963f5eba649
SHA256 faa8aed34b19a1272ea21e7f13c8a5538da8080dad433b3fb51af1a459c2d240
SHA512 a192ba679486f49cf2f79f1a2d80a0efee9d27cee18f2651421a6e4fdc81d5ca920022897eb4744e105271967a66c67cdc762fe87f3c562523a4c457f9099009
-
Filesize
98KB
MD5 d396d55d03b75879e64a2a1ea6c79e1f
SHA1 c1f2b2c8669995b720f85ea4c32a46f4ee23abe0
SHA256 91d63a0448241c010ae7e4e647dd8ff7df7d56442fa6cec40b050b4af416d4d9
SHA512 4069eeb12c85ce28236b716f13c266c29fef8bbb0c831600ac63f0e007c2e74881db8c44c26ab41ff05dcdc92558bc65ad8c5fb758f24f5312e96446916da210
-
Filesize
98KB
MD5 268fa8693908e82cffe3af9321a481e0
SHA1 733ecb128a819044283af4bd4ed96d19def199de
SHA256 ff88c824de3f7762b1d5f1469b5a40984941572f240d0ce66c5ef17280ae6759
SHA512 f366dfce8991432dbe41658902da0494f7ab542b2b81a1dc27068e2007fa1a3649e3c9b59590687b76914afaac2e831c8b22b0683f68dca8ef355cb109d6b360
-
Filesize
98KB
MD5 8ef9638833800624c72d8cca83544f69
SHA1 a9a693977186c1ae20b5899f90ebbf6e1d6f8921
SHA256 8355b5c524b18cbfb3431fca14393990180a4f89824e498b6b44517c998eaa6a
SHA512 0a894f7ab20b376d5c1559ad72aaa20348d11d115862d27b202a32a57c9d9c27dc4f647e48bb821eb6d818fbf627136de119b367843331ba9f580066aa94c163
-
Filesize
98KB
MD5 1f8a0aaf93b480635b1dbe196de6968f
SHA1 3ff783023a4c455d1b54c03946b9ba1acbffb424
SHA256 91688642aaff8a56953b2295f73764916f94686da646c51af70d74e69db55a23
SHA512 a8a9b8e4a73fef7ea68eee26e2d573dd124cd0c9bb9c0a04ca50fde1238a11f294c5225ab424e12e30bc6552396421e60613a7c762111b891b6ecb7ddbb53219
-
Filesize
98KB
MD5 0f3603f73d0ed9218f3a889a06cd4480
SHA1 e4ed3b1d8cad65e734d4efecc7a5fcf69136eeae
SHA256 7897a04fdf8f28cd4fc05aefde78663b6d065f37b703429a65f33a9ff5a6f81d
SHA512 e6e506bb843704c6071a81974319997bd103a33431e903bb41114159f407d547a58e77cb96f5e0722968c9192f6ccb56992fecb4abe525f3230e61b5d7900e1c
-
Filesize
98KB
MD5 8be65cb347f3795b15d12eee700ccc84
SHA1 8ce9513c8658a7936650e9c28009fba99d48b8f1
SHA256 bd05cd4a8b4cca3484035c9f7a65c996faa04b7345d2a492eaf2e8c76e8fc7ea
SHA512 2f78d3c563b2b41031b3cf5f8b256fc76a5495ea16ec7377412905ccc82e7157b287152ec7e4cc607137ba9b1deb70e3117a9e8653da21de3f7830bdf9aac27f
-
Filesize
98KB
MD5 163c8ea6acd7b62c4d7ddc21a4bd4628
SHA1 da56145f159e53a4f1bd5958ae03e1ec9b5c4ccd
SHA256 6f0951d2b4ebb377c535684d593b19843617d750739a4fc438b9e8fead46c294
SHA512 44bf9c1507351dc87d3c77ffe5a75b50a7b37dc494bbf0dc73f44fc89e9336769abefe886990a21b77dbb1e72eb3ec664dd56d81130e99c341b45593777c0d0c
-
Filesize
98KB
MD5 59aa121a2ac6d3d9df8c45f7d34cf417
SHA1 d9819b01e0d36998c44b93fb888d24ea56869113
SHA256 bc714638869cf47d7930cf3debdce514aaf72feffd57e498311ded3967c50057
SHA512 96170f99b49076145594826772f80af610ce58287ef86a53747a5c507877460070101c707cb2fa90e51d6fbb33ac91bac302f64ce0b369ffbfd6a39f6c23bbde
-
Filesize
98KB
MD5 8e210b1a91253ad83835d7e89a5be2bf
SHA1 022f06b95b42e4dab0cab8536dbcddd8a3de238d
SHA256 b1de14b4b775cc162763a9c5ad2c76361026ef8ad1766294f0b73e718e071aa9
SHA512 9a1e141828f23c637baeb44f4ac52fa9a72210f435485727eef57dc798263d42ac2e9f07114515fdd4f7c0ca7addce315e82b98867a507645c16a7e0732434d1
-
Filesize
98KB
MD5 e2b47d702bcc9a83b35529e382fd6e35
SHA1 82878f6b97d69ab6b0a161b071696cde8df78d0f
SHA256 68b559b3c83ddc8af1af4483ee24bba686ed228322947d045e5ac8912a12d91e
SHA512 58df57c5ba2941ece6955f8a9109dca3b63b124a89dbe5204e7191ed5e8a0c11fc6355e133ceb9c598cb9cd7fa181a79d0824b31cd90ed638b33239cc28a1eb6