Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 02:20
Static task: static1
Behavioral task: behavioral1, sample 56389de1f15f32b25323914f7bd85c90.exe, resource win7-20240508-en
Behavioral task: behavioral2, sample 56389de1f15f32b25323914f7bd85c90.exe, resource win10v2004-20240508-en (this report)
General

Target: 56389de1f15f32b25323914f7bd85c90.exe
Size: 98KB
MD5: 56389de1f15f32b25323914f7bd85c90
SHA1: e82eaebb883e9b227ab2a534e9b1cd1c6d2a1ae0
SHA256: a597ce260fd134394cf4fd1e2550db5f69f31afbec67296c37b8bee90fa90161
SHA512: 18fad97a6253c9792936dccd996e158d0eece4f5a12faa4e623ec1c276b0697cbe90a745b8ea576cd883e41bb7d1d9303c0ac35fe7037105fae49cab2452dd1b
SSDEEP: 768:5vw981UMhKQLros4/wQ4pNrfrunMxVFA3b7glw6:lEG00osl3zunMxVS3Hgl
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup runs a component's StubPath at a user's next logon when HKCU has no matching Installed Components key, so an entry written here fires once for every user who logs on after it was created. In this run each stage registers a fresh GUID-named key whose StubPath points at the next-stage executable it drops into C:\Windows. The keys sit in the WOW6432Node view because the sample runs as a 32-bit process (its cmd.exe children resolve to C:\Windows\SysWOW64\cmd.exe, see Processes); a hunt that reads only the native 64-bit view would miss all of them. Note also that every stage issues a command to delete its own image after launching the next one, so these StubPath targets are intended to be gone by the time Active Setup would run them.

Rows are in drop-chain order. All keys are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\.

| Process | description | ioc |
|---|---|---|
| 56389de1f15f32b25323914f7bd85c90.exe | Key created | {51DB1728-DF76-4d3c-8494-9A450B045BA4} |
| 56389de1f15f32b25323914f7bd85c90.exe | Set value (str) | {51DB1728-DF76-4d3c-8494-9A450B045BA4}\stubpath = "C:\\Windows\\{51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe" |
| {51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe | Key created | {57247325-0D06-4a84-AA1D-7D512228296D} |
| {51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe | Set value (str) | {57247325-0D06-4a84-AA1D-7D512228296D}\stubpath = "C:\\Windows\\{57247325-0D06-4a84-AA1D-7D512228296D}.exe" |
| {57247325-0D06-4a84-AA1D-7D512228296D}.exe | Key created | {DC92A09B-07BB-4761-819F-B60A39F8A3E3} |
| {57247325-0D06-4a84-AA1D-7D512228296D}.exe | Set value (str) | {DC92A09B-07BB-4761-819F-B60A39F8A3E3}\stubpath = "C:\\Windows\\{DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe" |
| {DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe | Key created | {8E01D441-A2AA-4baa-9E7E-763F28516616} |
| {DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe | Set value (str) | {8E01D441-A2AA-4baa-9E7E-763F28516616}\stubpath = "C:\\Windows\\{8E01D441-A2AA-4baa-9E7E-763F28516616}.exe" |
| {8E01D441-A2AA-4baa-9E7E-763F28516616}.exe | Key created | {D8B60983-3CED-4072-B6D7-360435D55D9C} |
| {8E01D441-A2AA-4baa-9E7E-763F28516616}.exe | Set value (str) | {D8B60983-3CED-4072-B6D7-360435D55D9C}\stubpath = "C:\\Windows\\{D8B60983-3CED-4072-B6D7-360435D55D9C}.exe" |
| {D8B60983-3CED-4072-B6D7-360435D55D9C}.exe | Key created | {8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B} |
| {D8B60983-3CED-4072-B6D7-360435D55D9C}.exe | Set value (str) | {8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}\stubpath = "C:\\Windows\\{8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe" |
| {8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe | Key created | {397EAFDC-397E-4fba-8D2D-8692D4AA2728} |
| {8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe | Set value (str) | {397EAFDC-397E-4fba-8D2D-8692D4AA2728}\stubpath = "C:\\Windows\\{397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe" |
| {397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe | Key created | {5B8F49EF-D9E5-468e-AE1A-14482FCB307B} |
| {397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe | Set value (str) | {5B8F49EF-D9E5-468e-AE1A-14482FCB307B}\stubpath = "C:\\Windows\\{5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe" |
| {5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe | Key created | {0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E} |
| {5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe | Set value (str) | {0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}\stubpath = "C:\\Windows\\{0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe" |
| {0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe | Key created | {0190A239-2DC0-4ff9-B111-3FA7454D893C} |
| {0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe | Set value (str) | {0190A239-2DC0-4ff9-B111-3FA7454D893C}\stubpath = "C:\\Windows\\{0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe" |
| {0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe | Key created | {E41FF63A-FC9F-43d8-B63D-0D721CDAD510} |
| {0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe | Set value (str) | {E41FF63A-FC9F-43d8-B63D-0D721CDAD510}\stubpath = "C:\\Windows\\{E41FF63A-FC9F-43d8-B63D-0D721CDAD510}.exe" |
| {E41FF63A-FC9F-43d8-B63D-0D721CDAD510}.exe | Key created | {DC737609-4DCE-4450-8A63-5274BE8760DB} |
| {E41FF63A-FC9F-43d8-B63D-0D721CDAD510}.exe | Set value (str) | {DC737609-4DCE-4450-8A63-5274BE8760DB}\stubpath = "C:\\Windows\\{DC737609-4DCE-4450-8A63-5274BE8760DB}.exe" |
Executes dropped EXE (12 IoCs)

| pid | Process |
|---|---|
| 4488 | {51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe |
| 968 | {57247325-0D06-4a84-AA1D-7D512228296D}.exe |
| 4900 | {DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe |
| 2200 | {8E01D441-A2AA-4baa-9E7E-763F28516616}.exe |
| 2548 | {D8B60983-3CED-4072-B6D7-360435D55D9C}.exe |
| 3316 | {8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe |
| 4864 | {397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe |
| 2424 | {5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe |
| 2096 | {0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe |
| 1624 | {0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe |
| 4456 | {E41FF63A-FC9F-43d8-B63D-0D721CDAD510}.exe |
| 4908 | {DC737609-4DCE-4450-8A63-5274BE8760DB}.exe |
Drops file in Windows directory (12 IoCs)

Listed in drop-chain order; each stage writes exactly one new executable, named after the GUID it registers under Active Setup.

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe | 56389de1f15f32b25323914f7bd85c90.exe |
| File created | C:\Windows\{57247325-0D06-4a84-AA1D-7D512228296D}.exe | {51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe |
| File created | C:\Windows\{DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe | {57247325-0D06-4a84-AA1D-7D512228296D}.exe |
| File created | C:\Windows\{8E01D441-A2AA-4baa-9E7E-763F28516616}.exe | {DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe |
| File created | C:\Windows\{D8B60983-3CED-4072-B6D7-360435D55D9C}.exe | {8E01D441-A2AA-4baa-9E7E-763F28516616}.exe |
| File created | C:\Windows\{8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe | {D8B60983-3CED-4072-B6D7-360435D55D9C}.exe |
| File created | C:\Windows\{397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe | {8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe |
| File created | C:\Windows\{5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe | {397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe |
| File created | C:\Windows\{0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe | {5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe |
| File created | C:\Windows\{0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe | {0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe |
| File created | C:\Windows\{E41FF63A-FC9F-43d8-B63D-0D721CDAD510}.exe | {0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe |
| File created | C:\Windows\{DC737609-4DCE-4450-8A63-5274BE8760DB}.exe | {E41FF63A-FC9F-43d8-B63D-0D721CDAD510}.exe |
Suspicious use of AdjustPrivilegeToken (12 IoCs)

Every stage except the last ({DC737609-...}.exe, PID 4908) enables the same privilege.

| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 4724 | 56389de1f15f32b25323914f7bd85c90.exe |
| Token: SeIncBasePriorityPrivilege | 4488 | {51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe |
| Token: SeIncBasePriorityPrivilege | 968 | {57247325-0D06-4a84-AA1D-7D512228296D}.exe |
| Token: SeIncBasePriorityPrivilege | 4900 | {DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe |
| Token: SeIncBasePriorityPrivilege | 2200 | {8E01D441-A2AA-4baa-9E7E-763F28516616}.exe |
| Token: SeIncBasePriorityPrivilege | 2548 | {D8B60983-3CED-4072-B6D7-360435D55D9C}.exe |
| Token: SeIncBasePriorityPrivilege | 3316 | {8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe |
| Token: SeIncBasePriorityPrivilege | 4864 | {397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe |
| Token: SeIncBasePriorityPrivilege | 2424 | {5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe |
| Token: SeIncBasePriorityPrivilege | 2096 | {0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe |
| Token: SeIncBasePriorityPrivilege | 1624 | {0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe |
| Token: SeIncBasePriorityPrivilege | 4456 | {E41FF63A-FC9F-43d8-B63D-0D721CDAD510}.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

The sandbox records three writes for every parent-to-child pair (one pair per launched stage, one per cmd.exe cleanup child). The list is capped at 64 entries and therefore ends with the first of the writes from 1624 to 1860; the later children of 4456 (see Processes) are not listed here.

| Source PID | Source process | Target PID | procid_target | writes recorded |
|---|---|---|---|---|
| 4724 | 56389de1f15f32b25323914f7bd85c90.exe | 4488 | 85 | 3 |
| 4724 | 56389de1f15f32b25323914f7bd85c90.exe | 2916 | 86 | 3 |
| 4488 | {51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe | 968 | 87 | 3 |
| 4488 | {51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe | 2420 | 88 | 3 |
| 968 | {57247325-0D06-4a84-AA1D-7D512228296D}.exe | 4900 | 91 | 3 |
| 968 | {57247325-0D06-4a84-AA1D-7D512228296D}.exe | 2808 | 92 | 3 |
| 4900 | {DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe | 2200 | 97 | 3 |
| 4900 | {DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe | 4620 | 98 | 3 |
| 2200 | {8E01D441-A2AA-4baa-9E7E-763F28516616}.exe | 2548 | 100 | 3 |
| 2200 | {8E01D441-A2AA-4baa-9E7E-763F28516616}.exe | 4480 | 101 | 3 |
| 2548 | {D8B60983-3CED-4072-B6D7-360435D55D9C}.exe | 3316 | 102 | 3 |
| 2548 | {D8B60983-3CED-4072-B6D7-360435D55D9C}.exe | 4988 | 103 | 3 |
| 3316 | {8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe | 4864 | 104 | 3 |
| 3316 | {8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe | 3140 | 105 | 3 |
| 4864 | {397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe | 2424 | 106 | 3 |
| 4864 | {397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe | 1416 | 107 | 3 |
| 2424 | {5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe | 2096 | 108 | 3 |
| 2424 | {5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe | 904 | 109 | 3 |
| 2096 | {0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe | 1624 | 110 | 3 |
| 2096 | {0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe | 3944 | 111 | 3 |
| 1624 | {0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe | 4456 | 112 | 3 |
| 1624 | {0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe | 1860 | 113 | 1 (list capped) |
Processes

Signature key: AS = Boot or Logon Autostart Execution: Active Setup; EX = Executes dropped EXE; DW = Drops file in Windows directory; AP = Suspicious use of AdjustPrivilegeToken; WM = Suspicious use of WriteProcessMemory. Depth is the nesting level in the sandbox's process tree; Parent is read from that tree together with the WriteProcessMemory entries. For every cmd.exe row the recorded image is C:\Windows\SysWOW64\cmd.exe; for every other row the image is the command line itself.

| Depth | PID | Parent | Command line | Signatures |
|---|---|---|---|---|
| 1 | 4724 | (none) | "C:\Users\Admin\AppData\Local\Temp\56389de1f15f32b25323914f7bd85c90.exe" | AS, DW, AP, WM |
| 2 | 4488 | 4724 | C:\Windows\{51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe | AS, EX, DW, AP, WM |
| 2 | 2916 | 4724 | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\56389D~1.EXE > nul | (none) |
| 3 | 968 | 4488 | C:\Windows\{57247325-0D06-4a84-AA1D-7D512228296D}.exe | AS, EX, DW, AP, WM |
| 3 | 2420 | 4488 | C:\Windows\system32\cmd.exe /c del C:\Windows\{51DB1~1.EXE > nul | (none) |
| 4 | 4900 | 968 | C:\Windows\{DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe | AS, EX, DW, AP, WM |
| 4 | 2808 | 968 | C:\Windows\system32\cmd.exe /c del C:\Windows\{57247~1.EXE > nul | (none) |
| 5 | 2200 | 4900 | C:\Windows\{8E01D441-A2AA-4baa-9E7E-763F28516616}.exe | AS, EX, DW, AP, WM |
| 5 | 4620 | 4900 | C:\Windows\system32\cmd.exe /c del C:\Windows\{DC92A~1.EXE > nul | (none) |
| 6 | 2548 | 2200 | C:\Windows\{D8B60983-3CED-4072-B6D7-360435D55D9C}.exe | AS, EX, DW, AP, WM |
| 6 | 4480 | 2200 | C:\Windows\system32\cmd.exe /c del C:\Windows\{8E01D~1.EXE > nul | (none) |
| 7 | 3316 | 2548 | C:\Windows\{8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe | AS, EX, DW, AP, WM |
| 7 | 4988 | 2548 | C:\Windows\system32\cmd.exe /c del C:\Windows\{D8B60~1.EXE > nul | (none) |
| 8 | 4864 | 3316 | C:\Windows\{397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe | AS, EX, DW, AP, WM |
| 8 | 3140 | 3316 | C:\Windows\system32\cmd.exe /c del C:\Windows\{8EDC8~1.EXE > nul | (none) |
| 9 | 2424 | 4864 | C:\Windows\{5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe | AS, EX, DW, AP, WM |
| 9 | 1416 | 4864 | C:\Windows\system32\cmd.exe /c del C:\Windows\{397EA~1.EXE > nul | (none) |
| 10 | 2096 | 2424 | C:\Windows\{0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe | AS, EX, DW, AP, WM |
| 10 | 904 | 2424 | C:\Windows\system32\cmd.exe /c del C:\Windows\{5B8F4~1.EXE > nul | (none) |
| 11 | 1624 | 2096 | C:\Windows\{0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe | AS, EX, DW, AP, WM |
| 11 | 3944 | 2096 | C:\Windows\system32\cmd.exe /c del C:\Windows\{0DE94~1.EXE > nul | (none) |
| 12 | 4456 | 1624 | C:\Windows\{E41FF63A-FC9F-43d8-B63D-0D721CDAD510}.exe | AS, EX, DW, AP |
| 12 | 1860 | 1624 | C:\Windows\system32\cmd.exe /c del C:\Windows\{0190A~1.EXE > nul | (none) |
| 13 | 4908 | 4456 | C:\Windows\{DC737609-4DCE-4450-8A63-5274BE8760DB}.exe | EX |
| 13 | 2436 | 4456 | C:\Windows\system32\cmd.exe /c del C:\Windows\{E41FF~1.EXE > nul | (none) |

Reading the tree: each stage drops the next {GUID}.exe into C:\Windows, registers it under Active Setup, launches it, and then spawns cmd.exe to delete the stage's own image by its 8.3 short name (56389D~1.EXE, {51DB1~1.EXE, and so on). The report records the delete commands, not whether they succeeded, but the intent is to leave only the newest stage on disk while the Active Setup entries for the earlier stages remain. The stages call C:\Windows\system32\cmd.exe; because they run as 32-bit processes, WOW64 file-system redirection resolves that to C:\Windows\SysWOW64\cmd.exe, which is the image the sandbox records. The final stage {DC737609-4DCE-4450-8A63-5274BE8760DB}.exe (PID 4908) is recorded only as an executed dropped EXE; nothing further is attributed to it within the 149s analysis window.
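The following PowerShell hunt is an added example for this page; it is not part of the sandbox report and is not code from the sample or from the sandbox vendor. It turns the two artefacts above into checks a responder can run on a suspect host: Active Setup Installed Components entries in both the native and the WOW6432Node view, flagged when their StubPath is a bare {GUID}.exe directly under C:\Windows, when the target is missing from disk or unsigned, or when HKCU has no copy yet (meaning the stub is still pending for the current user), plus process-creation events whose command line matches the cmd.exe /c del <8.3 name> > nul cleanup seen in every stage. Assumptions: the registry paths are the standard Active Setup locations; the {GUID}.exe-under-Windows and short-name del patterns are generalised from the twelve entries in this report; the benign-looking entry {00000000-0000-0000-0000-000000000001} with C:\Program Files\Example\setup.exe is constructed for contrast and does not exist anywhere; and the HKCU check tests only key presence (Active Setup also compares the Version value, which this script does not).

```powershell
# Added hunt script for the two artefacts this report surfaces. It is not part of the
# sandbox report or of the sample. The Test-* functions work on plain values so they run
# offline; Get-ActiveSetupEntry and Get-SelfDeleteEvent read the live host and need an
# elevated PowerShell session on Windows.

# Both registry views matter: the sample runs as a 32-bit process, so its keys landed
# under WOW6432Node. A hunt that reads only the native view would miss it.
$ActiveSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
$HkcuRoot = 'HKCU:\Software\Microsoft\Active Setup\Installed Components'

# Every StubPath in the report is <drive>:\Windows\{GUID}.exe with no arguments.
$GuidExeInWindows = '^"?[A-Za-z]:\\Windows\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe"?$'

# Every cleanup in the report is: cmd.exe /c del <8.3 short path>.EXE > nul
# (generalised to any short-name target; assumption, not a vendor signature).
$SelfDeleteCmd = '(?i)(?:^|\\)cmd\.exe\s+/c\s+del\s+\S+~\d+\.exe\s*>\s*nul'

function Test-ActiveSetupStub {
    # Returns the reasons an Installed Components entry deserves a look (empty = nothing matched).
    param(
        [Parameter(Mandatory)][string]$KeyName,
        [Parameter(Mandatory)][string]$StubPath,
        [switch]$CheckHost   # also consult the file system and HKCU on this machine
    )
    $reasons = @()
    if ($StubPath -match $GuidExeInWindows) {
        $reasons += 'StubPath is a {GUID}.exe directly under the Windows directory'
    }
    if ($CheckHost) {
        # Strip surrounding quotes and any arguments to get the executable path.
        $exe = if ($StubPath -match '^"([^"]+)"') { $Matches[1] } else { ($StubPath -split '\s+')[0] }
        if (-not (Test-Path -LiteralPath $exe)) {
            $reasons += "StubPath target $exe is missing from disk (the stages in this report delete themselves)"
        } elseif ((Get-AuthenticodeSignature -LiteralPath $exe).Status -ne 'Valid') {
            $reasons += "StubPath target $exe has no valid Authenticode signature"
        }
        if (-not (Test-Path -LiteralPath (Join-Path $HkcuRoot $KeyName))) {
            $reasons += 'No HKCU copy of this key yet, so the stub is still pending for the current user'
        }
    }
    return ,$reasons
}

function Get-ActiveSetupEntry {
    # Live collection: one object per Installed Components subkey that carries a StubPath.
    foreach ($root in $ActiveSetupRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $stub = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).StubPath
            if ($stub) {
                [pscustomobject]@{ KeyName = $key.PSChildName; Root = $root; StubPath = $stub }
            }
        }
    }
}

function Test-SelfDeleteCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    return [bool]($CommandLine -match $SelfDeleteCmd)
}

function Get-SelfDeleteEvent {
    # Security 4688 carries CommandLine only when command-line auditing is enabled;
    # Sysmon event 1 (Microsoft-Windows-Sysmon/Operational) carries it by default.
    # Parsing the event XML avoids depending on the positional Properties index.
    param([string]$LogName = 'Security', [int]$EventId = 4688)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $cmd  = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            if ($cmd -and (Test-SelfDeleteCommandLine -CommandLine $cmd)) {
                [pscustomobject]@{ Time = $_.TimeCreated; CommandLine = $cmd }
            }
        }
}

# --- Offline demonstration on values taken from this report ---
Test-ActiveSetupStub -KeyName '{51DB1728-DF76-4d3c-8494-9A450B045BA4}' -StubPath 'C:\Windows\{51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe'

# Constructed, hypothetical benign-looking entry for contrast: quoted Program Files path with arguments.
Test-ActiveSetupStub -KeyName '{00000000-0000-0000-0000-000000000001}' -StubPath '"C:\Program Files\Example\setup.exe" /quiet'

Test-SelfDeleteCommandLine -CommandLine 'C:\Windows\system32\cmd.exe /c del C:\Windows\{E41FF~1.EXE > nul'
Test-SelfDeleteCommandLine -CommandLine 'C:\Windows\system32\cmd.exe /c dir C:\Windows > nul'

# --- Live run (elevated). Uncomment on a host you are investigating. ---
# Get-ActiveSetupEntry | ForEach-Object {
#     $r = Test-ActiveSetupStub -KeyName $_.KeyName -StubPath $_.StubPath -CheckHost
#     if ($r) { $_ | Add-Member -NotePropertyName Reasons -NotePropertyValue ($r -join '; ') -PassThru }
# }
# Get-SelfDeleteEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -EventId 1
```

The classifiers are separated from the collectors on purpose: Test-ActiveSetupStub and Test-SelfDeleteCommandLine can be fed entries exported from another host (or from a sandbox report such as this one) without touching the local registry, while the -CheckHost switch adds the on-disk and HKCU checks that only make sense on the machine under investigation. Do not pivot on the file hashes from the Downloads section for this family of behaviour: the twelve dropped files here all have distinct hashes, so the registry pattern and the short-name delete command are the artefacts that generalise.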
Network
MITRE ATT&CK Enterprise v15
Downloads

Twelve files are listed, each 98KB like the submitted sample but each with a different hash, matching the twelve dropped executables in count and size; the report does not map any of them to a specific C:\Windows\{GUID}.exe path.

1. Filesize 98KB
   MD5    6e74af9554f9c1eb059e0e50c9ed6321
   SHA1   d3e85938e1057c72bdd134aa56a0b947ac305c69
   SHA256 da5af4549e0d393dacf5be5eb749b4613e1de937795bc31e9f5e6c7ebec71429
   SHA512 8f51b015b4fb2882eeff6ca82b4cb85a19f1ce989d81f13e19852b124e5fe7c7db4a311a65ab22b928997320f47ae5bc44c4c6ec1e061dee591201df5232a2fe

2. Filesize 98KB
   MD5    df02bee8f8596b08965116996b414eee
   SHA1   d9461a1c7c8d4e3843fa61824869c57ef2064c1e
   SHA256 5a63781ad86699dcf6642a839714ba7f053d6f9cc15f30ef352cc74a852829b6
   SHA512 c394e8d5a16d5ec43ed7e4962c2d72b69eb4a0ae935187ad615d2894229efdca89f5e907f92995a16d39f1dafed1407aa3f2be49d2b77f1992c02cf1a79a05e1

3. Filesize 98KB
   MD5    16cf65febe1ec1cfa6e6cfb9b4e8d106
   SHA1   138d8f0e538ab4ab49bd0adb781cefeab70c56a9
   SHA256 a4a522ca28787849131e9766aa6ab9b70193aad561ed28250e4c839577daf263
   SHA512 fe0e6c4dc27091237976405a154e3b47b947f94f15edb54b7815aa4b85f2cff2b7e25155efc3e827b43599b56ede873056a7cda4713cd653a4e2d000409cdaf9

4. Filesize 98KB
   MD5    66f3a79009978f9cba1e0d82f4ac5ba1
   SHA1   40f5900c8f7b72c3ac48481d5eb625b84a6a3c33
   SHA256 af1f982bc885dc12f55834e44bbbb3d2bfce9b8c6d217950d5142298d59da012
   SHA512 86ad9512dc1c481daf46849bfd1989ac6597cb3c753dcca8c7b05e4c9671c3475eb522d611cfa87e860344f6b9360d771ca2d72ea1c0a4332b25ac4b294cba3e

5. Filesize 98KB
   MD5    a952575f80574ae6b20aa9432d858432
   SHA1   7719655688fe63c29f61b5f9e6c4e155c3004086
   SHA256 c0be9d6b0d672b5752368d1834371851d80b90d25db318ca3b681c1463a66db6
   SHA512 2fa9ff9e039e0e237df80aab8249d41503ed81564aed5a6e072f5d9f79b261a30c330b4efa7857fb188845c20f89a20d05c664af3e318c82eab81e617df0e5f9

6. Filesize 98KB
   MD5    74b06289fac084c5fb383dd977037c69
   SHA1   4a5e41bcb71e443eeb0501cbd8157880b99bfc1c
   SHA256 d1ead9fedf5a3dd8edac748b01f150b32c41215d3a02cf6f483feda2747dff0d
   SHA512 6e211bd2a1784a1f80f9dbfcd79d41484166ed2e9511decbaca90ad19700ae16fcf3d9fe250fd38c243e4e623ae0963ef6e835c194fe6ec81000806271459199

7. Filesize 98KB
   MD5    9c7912fe257e83586a8c071d00bd4e13
   SHA1   ef68fcca70196d981d04a2e23609457eb3320474
   SHA256 eb95b071c477688617663fed1f6eb2e24d973b438120c04f867d20765dca6b22
   SHA512 c0cb1d1db5601d6f0d59999961def7756dac7fe022c1e1e0dc4bec0f0a6992d11d162c6a5ef8ea08eb6b6a548c362b0ec117cfddb845f581559af68089753801

8. Filesize 98KB
   MD5    d2ec1a955ed2e1daaf7dcf61bc19c703
   SHA1   c6ff5cb201b3d1632ba7923967f3052bc877e7cc
   SHA256 5c616da0f950e0055709c28d5719c2b79b76b5f0105a790e1ee04a6b442d9a46
   SHA512 ab7c7da079ebadd04e19b8b8d905ca74e4e1a034ced9b80052b738e8a5acfa30b150d2c14a8628d7ecaf9a3fc3d6a500094c19a8f1addeab4f34f63f13dd947c

9. Filesize 98KB
   MD5    154157d49c249e9faa30371ebf1afbf9
   SHA1   4cef621d803966be46ad47307609d301351dbb8a
   SHA256 f4d97957f4e4fc02571ea7e6e0cfeb813849bcbd4a8c3e4aa93a6829b546ac5d
   SHA512 49fec4ff7948023bdd4e6febcff5353e841c59791fdf63eebd9697127fa603196c935db427d10d057717e982e689bbeacc8a8e9ca6139bab1b85760c7a9273f0

10. Filesize 98KB
   MD5    86f8017057b7c03e6126cec3fc9eab22
   SHA1   72c200b87223b5893b9e106052c4c8b0ed81b5be
   SHA256 085a9763c98bb6615d7f1476032848e762ecc0ad9327a0038c43f2dc19b072aa
   SHA512 dddd931bf9e24e904593bf98cbcc371b86849acc47274a6b0e423edb9d4b1eed1ff5a69bbd33a1b5e76055409fcc610862183e3e207d93674beb30aff8246d7a

11. Filesize 98KB
   MD5    0f979c3cbdd193e42c573c71a1f3001a
   SHA1   544483a5733787fbb6fd0d0e4239f3b8c2276ec8
   SHA256 7f7522d4666443c5dd23ab40c5e34b3ddbc7fd02b4373816ed95be7c246c37e1
   SHA512 3130d80d44f54a0819a2a3665ea31089410adfaa94e2b83d981524e906998b5aa2a5951127b672832ef4a1689a85e4b57722652073867bdc1e8b411b980ee477

12. Filesize 98KB
   MD5    7b465936cbd96656d86173e0f51abea1
   SHA1   1255a4fdbdf9ab3a2d81683b38e22e86c11ff73b
   SHA256 c76dbe34932ca44d6a61e804a2fe50d5ca8dde628098f4a081a1ecb781bfe53c
   SHA512 87674dc9a73301a2248cb15e374cecfb647681f4add1694e141086dbf4ae616612f9991683d94342281712e89e3a78fec62a33d6fc48354454b2d78d89ccc154