Resubmissions
18-06-2024 10:26
id | score | submitted
240618-mglccatcpr | 8 | 18-06-2024 10:22
240618-mefdbatbrp | 4 | 18-06-2024 10:17
240618-mblqxsyglg | 8 | 18-06-2024 10:15
240618-majvyaygje | 8 | 18-06-2024 10:13
240618-l9cp8stakr | 7 | 18-06-2024 10:11
240618-l7x86ayfke | 8 | 18-06-2024 10:08
240618-l6ds5ayenh | 8 | 18-06-2024 10:05
240618-l4jatssgmp | 8 | 18-06-2024 10:03
240618-l3pq8aydqc | 7 |

Analysis
max time kernel: 45s
max time network: 74s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 10:11
Static task: static1
Behavioral task: behavioral1
Sample: erdre gdps/erdre GDPS install.exe
Resource: win10v2004-20240611-en
Errors
General
Target: erdre gdps/erdre GDPS install.exe
Size: 1.6MB
MD5: 3d266248c5b1c72bc74474f0dc5faf10
SHA1: 9462f26700a5c8fa7e4c4529799c8f5a7bd24381
SHA256: d628ff4a5c320986919947540a8ac6c453ceefeb3167ec7930e744da77ac3a1d
SHA512: 2969e21eb6ef4db7eee7b5b4afa3bdff437be0ccc3ca4238847e256e84dd76e539baf991d709fa9a3dac74e3df2c6376bce7094c8e8392978210b24859b41941
SSDEEP: 24576:sawwKusHwEwSimy1d/v1SnxSGM1aXzV6YjDty+YTUxyVl:MwRED2d/vMxgajVxQ++U4D
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Executes dropped EXE (2 IoCs)
Processes:
pid | process
3540 | erdre GDPS install.tmp
2876 | erdresem`s GDPS.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Windows directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (2 IoCs)
Processes:
pid | process
3656 | taskkill.exe
4560 | taskkill.exe

Modifies registry class (2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{16317FB1-2E2C-49FD-8F3D-D7518D0C658D} | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{87B1BBA4-4E6B-48AC-BD42-8D3385CF0D4B} | explorer.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
3540 | erdre GDPS install.tmp
3540 | erdre GDPS install.tmp
4416 | mspaint.exe
4416 | mspaint.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3656 | taskkill.exe
Token: SeShutdownPrivilege | 4084 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 4084 | shutdown.exe
Token: SeDebugPrivilege | 4560 | taskkill.exe
Token: SeShutdownPrivilege | 3460 | explorer.exe
Token: SeCreatePagefilePrivilege | 3460 | explorer.exe
Token: SeShutdownPrivilege | 3460 | explorer.exe
Token: SeCreatePagefilePrivilege | 3460 | explorer.exe
Token: SeShutdownPrivilege | 388 | explorer.exe
Token: SeCreatePagefilePrivilege | 388 | explorer.exe
Token: SeShutdownPrivilege | 388 | explorer.exe
Token: SeCreatePagefilePrivilege | 388 | explorer.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
pid | process
3540 | erdre GDPS install.tmp

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
pid | process
4416 | mspaint.exe
4416 | mspaint.exe
4416 | mspaint.exe
4416 | mspaint.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical events collapsed into the count column; the counts sum to 64):
count | description | pid | process | target process
3 | PID 640 wrote to memory of 3540 | 640 | erdre GDPS install.exe | erdre GDPS install.tmp
3 | PID 3540 wrote to memory of 2876 | 3540 | erdre GDPS install.tmp | erdresem`s GDPS.exe
2 | PID 2876 wrote to memory of 2988 | 2876 | erdresem`s GDPS.exe | cmd.exe
2 | PID 2988 wrote to memory of 2060 | 2988 | cmd.exe | chcp.com
2 | PID 2988 wrote to memory of 3656 | 2988 | cmd.exe | taskkill.exe
2 | PID 2988 wrote to memory of 4084 | 2988 | cmd.exe | shutdown.exe
2 | PID 2988 wrote to memory of 3460 | 2988 | cmd.exe | explorer.exe
2 | PID 2988 wrote to memory of 4560 | 2988 | cmd.exe | taskkill.exe
2 | PID 2988 wrote to memory of 4400 | 2988 | cmd.exe | calc.exe
2 | PID 2988 wrote to memory of 2844 | 2988 | cmd.exe | calc.exe
2 | PID 2988 wrote to memory of 2592 | 2988 | cmd.exe | calc.exe
2 | PID 2988 wrote to memory of 388 | 2988 | cmd.exe | explorer.exe
2 | PID 2988 wrote to memory of 2636 | 2988 | cmd.exe | calc.exe
2 | PID 2988 wrote to memory of 2276 | 2988 | cmd.exe | calc.exe
2 | PID 2988 wrote to memory of 3468 | 2988 | cmd.exe | calc.exe
2 | PID 2988 wrote to memory of 2944 | 2988 | cmd.exe | calc.exe
2 | PID 2988 wrote to memory of 936 | 2988 | cmd.exe | calc.exe
2 | PID 2988 wrote to memory of 4812 | 2988 | cmd.exe | calc.exe
2 | PID 2988 wrote to memory of 3248 | 2988 | cmd.exe | calc.exe
2 | PID 2988 wrote to memory of 3500 | 2988 | cmd.exe | calc.exe
2 | PID 2988 wrote to memory of 4416 | 2988 | cmd.exe | mspaint.exe
2 | PID 2988 wrote to memory of 3912 | 2988 | cmd.exe | explorer.exe
2 | PID 2988 wrote to memory of 3084 | 2988 | cmd.exe | explorer.exe
2 | PID 2988 wrote to memory of 3096 | 2988 | cmd.exe | explorer.exe
2 | PID 2988 wrote to memory of 4440 | 2988 | cmd.exe | explorer.exe
2 | PID 2988 wrote to memory of 2908 | 2988 | cmd.exe | explorer.exe
2 | PID 2988 wrote to memory of 4632 | 2988 | cmd.exe | explorer.exe
2 | PID 2988 wrote to memory of 5040 | 2988 | cmd.exe | explorer.exe
2 | PID 2988 wrote to memory of 1504 | 2988 | cmd.exe | explorer.exe
2 | PID 2988 wrote to memory of 4024 | 2988 | cmd.exe | explorer.exe
2 | PID 2988 wrote to memory of 1312 | 2988 | cmd.exe | explorer.exe
Processes (nesting depth in brackets)
[1] PID 640  C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
    - Suspicious use of WriteProcessMemory
  [2] PID 3540  C:\Users\Admin\AppData\Local\Temp\is-KS422.tmp\erdre GDPS install.tmp
      cmdline: "C:\Users\Admin\AppData\Local\Temp\is-KS422.tmp\erdre GDPS install.tmp" /SL5="$401E8,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] PID 2876  C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
        cmdline: "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] PID 2988  C:\Windows\system32\cmd.exe
          cmdline: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6E5A.tmp\6E6A.tmp\6E6B.bat "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe""
          - Suspicious use of WriteProcessMemory
        [5] PID 2060  C:\Windows\system32\chcp.com   cmdline: chcp 1251
        [5] PID 3656  C:\Windows\system32\taskkill.exe   cmdline: Taskkill /f /im explorer.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        [5] PID 4084  C:\Windows\system32\shutdown.exe   cmdline: shutdown /r
            - Suspicious use of AdjustPrivilegeToken
        [5] PID 3460  C:\Windows\explorer.exe   cmdline: explorer
            - Modifies Installed Components in the registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
        [5] PID 4560  C:\Windows\system32\taskkill.exe   cmdline: taskkill /f /IM explorer.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        [5] PID 4400  C:\Windows\system32\calc.exe   cmdline: calc
        [5] PID 2844  C:\Windows\system32\calc.exe   cmdline: calc
        [5] PID 2592  C:\Windows\system32\calc.exe   cmdline: calc
        [5] PID 388  C:\Windows\explorer.exe   cmdline: explorer
            - Modifies Installed Components in the registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
        [5] PID 2636  C:\Windows\system32\calc.exe   cmdline: calc
        [5] PID 2276  C:\Windows\system32\calc.exe   cmdline: calc
        [5] PID 3468  C:\Windows\system32\calc.exe   cmdline: calc
        [5] PID 2944  C:\Windows\system32\calc.exe   cmdline: calc
        [5] PID 936  C:\Windows\system32\calc.exe   cmdline: calc
        [5] PID 4812  C:\Windows\system32\calc.exe   cmdline: calc
        [5] PID 3248  C:\Windows\system32\calc.exe   cmdline: calc
        [5] PID 3500  C:\Windows\system32\calc.exe   cmdline: calc
        [5] PID 4416  C:\Windows\system32\mspaint.exe   cmdline: mspaint
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
        [5] PID 3912  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 3084  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 3096  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 4440  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 2908  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 4632  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 5040  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 1504  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 4024  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 1312  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 2588  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 2472  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 4972  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 1800  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 4664  C:\Windows\explorer.exe   cmdline: explorer
        [5] PID 3700  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 2688  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 4668  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 4644  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 396  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 2000  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 2308  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3544  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3956  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 2060  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 4576  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3704  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3768  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3812  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3684  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 4064  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3748  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 4156  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3508  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 2180  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 4528  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 2296  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3660  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 4636  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3968  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3960  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3944  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 4108  C:\Windows\system32\charmap.exe   cmdline: charmap
        [5] PID 3564  C:\Windows\system32\charmap.exe   cmdline: charmap
[1] PID 3580  C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
[1] PID 528  C:\Windows\system32\OpenWith.exe   cmdline: C:\Windows\system32\OpenWith.exe -Embedding
[1] PID 2428  C:\Windows\system32\OpenWith.exe   cmdline: C:\Windows\system32\OpenWith.exe -Embedding
[1] PID 4184  C:\Windows\system32\OpenWith.exe   cmdline: C:\Windows\system32\OpenWith.exe -Embedding
[1] PID 1076  C:\Windows\system32\OpenWith.exe   cmdline: C:\Windows\system32\OpenWith.exe -Embedding
[1] PID 4164  C:\Windows\system32\OpenWith.exe   cmdline: C:\Windows\system32\OpenWith.exe -Embedding
[1] PID 1824  C:\Windows\system32\OpenWith.exe   cmdline: C:\Windows\system32\OpenWith.exe -Embedding
[1] PID 864  C:\Windows\system32\OpenWith.exe   cmdline: C:\Windows\system32\OpenWith.exe -Embedding
[1] PID 5140  C:\Windows\system32\OpenWith.exe   cmdline: C:\Windows\system32\OpenWith.exe -Embedding
[1] PID 5180  C:\Windows\system32\OpenWith.exe   cmdline: C:\Windows\system32\OpenWith.exe -Embedding
[1] PID 5248  C:\Windows\system32\OpenWith.exe   cmdline: C:\Windows\system32\OpenWith.exe -Embedding
[1] PID 5304  C:\Windows\system32\OpenWith.exe   cmdline: C:\Windows\system32\OpenWith.exe -Embedding
[1] PID 4312  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 3460  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 6112  C:\Windows\system32\LogonUI.exe   cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3963855 /state1:0x41c64e6d
[1] PID 1696  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[1] PID 5160  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
[1] PID 4064  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
[1] PID 2308  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
[1] PID 888  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 3684  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
[1] PID 3564  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
[1] PID 2140  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 760  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 3744  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 4972  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
[1] PID 452  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 5552  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 5744  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 3928  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 5620  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 3944  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
[1] PID 3968  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 3812  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
[1] PID 5812  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 1800  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
[1] PID 4664  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
[1] PID 2676  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 3040  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
[1] PID 3464  C:\Windows\System32\rundll32.exe   cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
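Added example, not part of the sandbox report and not code from the analysed sample: the process tree above replayed as constructed process-creation events and run through behavioural checks of the kind the Signatures section encodes. PIDs, image paths and command lines are copied from the tree; parent PIDs are inferred from its nesting (the report shows depth, not a ppid column), and the rule names, the user-temp path pattern and the spawn-flood threshold of 5 are this example's own assumptions. The tree itself shows why the rules are split this way: the `is-KS422.tmp\...tmp /SL5=` launch is the Inno Setup bootstrap, so WriteProcessMemory between PIDs 640 and 3540 is ordinary installer behaviour, while the batch file under %TEMP% that force-kills explorer.exe, issues `shutdown /r` and spawns dozens of calc.exe, charmap.exe and explorer.exe instances is what separates this sample from a clean install.

```python
"""Replay the report's process tree as process-creation events and apply
behavioural rules similar to the ones in its Signatures section.

Added example; not code from the sandbox or from the analysed sample.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # inferred from the tree's nesting; the report lists depth, not ppid
    image: str
    cmdline: str


SYS32 = r"C:\Windows\system32"
# Child PIDs of cmd.exe (2988) exactly as listed in the report's process tree.
CALC_PIDS = [4400, 2844, 2592, 2636, 2276, 3468, 2944, 936, 4812, 3248, 3500]
EXPLORER_PIDS = [3460, 388, 3912, 3084, 3096, 4440, 2908, 4632, 5040, 1504,
                 4024, 1312, 2588, 2472, 4972, 1800, 4664]
CHARMAP_PIDS = [3700, 2688, 4668, 4644, 396, 2000, 2308, 3544, 3956, 2060,
                4576, 3704, 3768, 3812, 3684, 4064, 3748, 4156, 3508, 2180,
                4528, 2296, 3660, 4636, 3968, 3960, 3944, 4108, 3564]


def build_events():
    """Constructed event list mirroring the tree above (paths and command lines verbatim)."""
    tmp = r"C:\Users\Admin\AppData\Local\Temp"
    prog = r"C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"
    events = [
        ProcEvent(640, 0, tmp + r"\erdre gdps\erdre GDPS install.exe",
                  f'"{tmp}\\erdre gdps\\erdre GDPS install.exe"'),
        # Inno Setup bootstrap: the installer extracts a .tmp stub and hands it /SL5=
        ProcEvent(3540, 640, tmp + r"\is-KS422.tmp\erdre GDPS install.tmp",
                  f'"{tmp}\\is-KS422.tmp\\erdre GDPS install.tmp" /SL5="$401E8,775972,730112,{tmp}\\erdre gdps\\erdre GDPS install.exe"'),
        ProcEvent(2876, 3540, prog, f'"{prog}"'),
        ProcEvent(2988, 2876, SYS32 + r"\cmd.exe",
                  f'"C:\\Windows\\sysnative\\cmd" /c "{tmp}\\6E5A.tmp\\6E6A.tmp\\6E6B.bat "{prog}""'),
        ProcEvent(2060, 2988, SYS32 + r"\chcp.com", "chcp 1251"),
        ProcEvent(3656, 2988, SYS32 + r"\taskkill.exe", "Taskkill /f /im explorer.exe"),
        ProcEvent(4084, 2988, SYS32 + r"\shutdown.exe", "shutdown /r"),
        ProcEvent(4560, 2988, SYS32 + r"\taskkill.exe", "taskkill /f /IM explorer.exe"),
        ProcEvent(4416, 2988, SYS32 + r"\mspaint.exe", "mspaint"),
    ]
    events += [ProcEvent(p, 2988, SYS32 + r"\calc.exe", "calc") for p in CALC_PIDS]
    events += [ProcEvent(p, 2988, r"C:\Windows\explorer.exe", "explorer") for p in EXPLORER_PIDS]
    events += [ProcEvent(p, 2988, SYS32 + r"\charmap.exe", "charmap") for p in CHARMAP_PIDS]
    return events


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


# Assumed pattern for "script dropped in a user-writable temp directory".
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def detect(events, flood_threshold=5):
    """Return (rule, pid, detail) findings; flood_threshold is an assumed tuning value."""
    # Parent lookup keyed by PID. The tree reuses PIDs (2060 is chcp.com and later a
    # charmap.exe), so real telemetry should key on a process GUID instead.
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    findings = []
    for e in events:
        children[e.ppid].append(e)
        name, cl = image_name(e.image), e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""
        if name == "cmd.exe" and "/c" in cl and ".bat" in cl and USER_TEMP.search(e.cmdline):
            findings.append(("batch_from_user_temp", e.pid, "cmd.exe /c on a .bat under AppData\\Local\\Temp"))
        if name == "taskkill.exe" and "/f" in cl and "/im explorer.exe" in cl:
            findings.append(("kills_shell", e.pid, "taskkill /f against explorer.exe"))
        if name == "shutdown.exe" and parent_name == "cmd.exe" and re.search(r"\s/[rs]\b", cl):
            findings.append(("reboot_from_script", e.pid, "shutdown /r or /s launched by cmd.exe"))
    # Spawn flood: one parent launching many copies of the same image (calc, charmap, explorer here).
    for ppid, kids in children.items():
        for img, n in Counter(image_name(k.image) for k in kids).items():
            if n >= flood_threshold:
                findings.append(("spawn_flood", ppid, f"{n} x {img}"))
    return findings


def flood_counts(findings):
    """{image: count} for spawn_flood findings."""
    out = {}
    for rule, _, detail in findings:
        if rule == "spawn_flood":
            n, img = detail.split(" x ")
            out[img] = int(n)
    return out


if __name__ == "__main__":
    for rule, pid, detail in detect(build_events()):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

Run as a script it lists one finding per rule hit: the cmd.exe batch launch, both taskkill invocations, the shutdown, and three spawn floods (11 calc.exe, 17 explorer.exe, 29 charmap.exe) under PID 2988. Nothing fires for the Inno Setup stages (PIDs 640, 3540, 2876), which is the intended split between installer noise and the dropped batch file's behaviour.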
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133631791517407389.txt
Filesize: 75KB
MD5: ec861d1b31e9e99a4a6548f1e0b504e1
SHA1: 8bf1243597aba54793caf29c5e6c258507f15652
SHA256: 9dcf45126bd51fcc0ef73e54cc07f8eec145bc17eef189acd15fba199972d7da
SHA512: 30cf8103a2043fd7b1a54ce06ff2ca14ba382040297a177fc612bcf55878f9d0abbe3f7ea0e7be6b6981f7c67f8be09d77730670365af3d52a1e25640a224ffd

Filesize: 100KB
MD5: 1f2cec484d93617fa81ecff025ebd981
SHA1: 2a0e9083aa48236edd47a140380b800dc56579c1
SHA256: 2aac7fa52b946aaad1e84bf0175a7568d89472e88eda1dc725081288ba2271d8
SHA512: 57c1b3aa98a0facad57e285d6552de42450df04d8c97a4cb4374bc05df80c9e63a5809a6f2c5735e77c470b2fde438d76b423326819b4c931bec6ea08501e562

Filesize: 1KB
MD5: d46f641fd04723e353e062eff5679ef6
SHA1: 319637221e4edaf0d59836285d065e58542afbdb
SHA256: 94c2dac57889d420b04efcc085787c1e82468c1d6a283545f6b73f8989dacb74
SHA512: 9d166240aa9eb2c0197da3154914f86dd83a7188093a98f13adf8fce60d137bb77355f1f7e182a309fda14897ed76cab7e6beed2a1bc542e4729e38142dc734b

Filesize: 2.9MB
MD5: fe9bea77f231fb8526ce2a8a2ccd58dc
SHA1: 0c502b1e730e1274e90e08b35cb5f62430db3862
SHA256: 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7
SHA512: c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855