Analysis
-
max time kernel
129s -
max time network
169s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
10-02-2025 20:39
General
-
Target
bootstrapper/Bootstrapper.exe
-
Size
117.7MB
-
MD5
e7e6cc81288e3b35d2efb5f6846c1ec8
-
SHA1
c73545e645192d8171be823385ac345ea96fc0b1
-
SHA256
a501e15cc6ca645b0c690d07cb83ddea73daa3660ddb82ceb8ee20517deabf79
-
SHA512
d39514f656d1ca8a52d8599a8bb1f776f2cf0eb220782c1f8b7a526ba1f3e26d959096fefb867012df8f401d13b330be8fb69f43fb04c42bd764a936ec1d330a
-
SSDEEP
1572864:/idzDXWP7g6zRByS9LnLgZNcRLYaxgC5gbu:imTCW/LYaxBgq
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution 1 TTPs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Runs regedit.exe 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "chcp"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exeC:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Binance /prefetch:7 --no-rate-limit --no-upload-gzip --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Binance\Crashpad --url=https://report.binance.gg/api/597/minidump?sentry_key=db5e5bdef255402d9f02cbe4f3acf95a --annotation=_productName=Binance --annotation=_version=1.7.2 --annotation=prod=Electron --annotation=ver=10.1.5 --initial-client-data=0x31c,0x320,0x324,0x2e4,0x328,0x14631bce0,0x14631bcf0,0x14631bd002⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"2⤵
-
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"2⤵
-
-
C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"2⤵
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"2⤵
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"2⤵
- Runs regedit.exe
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"2⤵
-
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"2⤵
-
-
C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"2⤵
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"2⤵
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"2⤵
- Runs regedit.exe
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"2⤵
-
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"2⤵
-
-
C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"2⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"2⤵
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"2⤵
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"2⤵
- Runs regedit.exe
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe" --type=gpu-process --field-trial-handle=1452,1097744065538828842,4181865413024752444,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,OutOfBlinkCors,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1460 /prefetch:22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,1097744065538828842,4181865413024752444,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,OutOfBlinkCors,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --standard-schemes=binance-resources,app --secure-schemes=binance-resources,app --bypasscsp-schemes --cors-schemes=binance-resources,app --fetch-schemes=binance-resources,app --service-worker-schemes --mojo-platform-channel-handle=1736 /prefetch:82⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe" --type=renderer --field-trial-handle=1452,1097744065538828842,4181865413024752444,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,OutOfBlinkCors,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --standard-schemes=binance-resources,app --secure-schemes=binance-resources,app --bypasscsp-schemes --cors-schemes=binance-resources,app --fetch-schemes=binance-resources,app --service-worker-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\bootstrapper\resources\app.asar" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#0E121C --disable-blink-features=Auxclick --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:12⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"3⤵
-
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"3⤵
-
-
C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe"3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"3⤵
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"3⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"3⤵
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"3⤵
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"3⤵
- Runs regedit.exe
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"3⤵
-
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"3⤵
-
-
C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe"3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"3⤵
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"3⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"3⤵
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"3⤵
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"3⤵
- Runs regedit.exe
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"3⤵
-
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"3⤵
-
-
C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe"3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"3⤵
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"3⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"3⤵
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"3⤵
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"3⤵
- Runs regedit.exe
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe os get /value"2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe os get /value3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe" --type=gpu-process --field-trial-handle=1452,1097744065538828842,4181865413024752444,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,OutOfBlinkCors,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1460 /prefetch:22⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""2⤵
-
C:\Windows\system32\findstr.exefindstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe csproduct get /value"2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe csproduct get /value3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value"2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get MACAddress, name, NetEnabled, Speed, NetConnectionStatus, AdapterTypeId /value"2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nic get MACAddress, name, NetEnabled, Speed, NetConnectionStatus, AdapterTypeId /value3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"2⤵
-
C:\Windows\system32\netsh.exenetsh lan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get MACAddress, name, NetEnabled, Speed, NetConnectionStatus, AdapterTypeId /value"2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nic get MACAddress, name, NetEnabled, Speed, NetConnectionStatus, AdapterTypeId /value3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"2⤵
-
C:\Windows\system32\ipconfig.exeipconfig /all3⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"2⤵
-
C:\Windows\System32\reg.exeC:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\bootstrapper\Bootstrapper.exe" --type=renderer --field-trial-handle=1452,1097744065538828842,4181865413024752444,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,OutOfBlinkCors,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --standard-schemes=binance-resources,app --secure-schemes=binance-resources,app --bypasscsp-schemes --cors-schemes=binance-resources,app --fetch-schemes=binance-resources,app --service-worker-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\bootstrapper\resources\app.asar" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#0E121C --disable-blink-features=Auxclick --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:12⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"3⤵
-
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"3⤵
-
-
C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe"3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"3⤵
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"3⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"3⤵
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"3⤵
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"3⤵
- Runs regedit.exe
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"3⤵
-
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"3⤵
-
-
C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe"3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"3⤵
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"3⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"3⤵
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"3⤵
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"3⤵
- Runs regedit.exe
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"3⤵
-
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"3⤵
-
-
C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe"3⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"3⤵
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"3⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"3⤵
-
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"3⤵
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"3⤵
- Runs regedit.exe
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"3⤵
-
C:\Windows\System32\reg.exeC:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD55f279e714e2b3eee5ed7573f47f2c4d5
SHA16dc1e4476e7690f787b0cf909f80337f0063e09f
SHA2567d62fe7a37879127c3a8d5d4d46ebd805db62cf0fa456720ac8730f0c7dc76c3
SHA5126f624f8560bfe8b22ef2f06231a0341fa0f0e9b6754204f0e57f50d4bc55b8dba427c4ae9191463befe7aac4a074d2f989cba76ab3088b1a27bbb09c0b8db62f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
187B
MD553d78c860595d4a80df62723916e35fe
SHA196c1681e7f01646561cc34105635185105f16cdc
SHA256fadd70320bf4be1e31268c19fa82fe6e60b1fde0440fb37bda5d1cf50be56bd6
SHA5122b1c6e0460f0ac0de4ec51744f0a3ad64403286b9c0302cdf98cb85718205b389e0a7213418eaa84cc852a5018e71295952eeade136ffcce5e22cae9d123d5a8
-
Filesize
48B
MD5137473944236a2168c708a8609c1ac8d
SHA13693a4b3c4c982f635be8d883a55d6640cfc8ee2
SHA256eb0523c3c728b9e586e8e26b8df0b779ee7c3f8d4b7991117fabe8626f87281d
SHA51294c40bb6abe6bbd8e78d226d56bb5354cf4eedb068eb0accf0fec8a0f3059c22874c514baed21711dd96bfbeb015e09392b1b15f8d122a0647bbf5c0a04f1d30
-
Filesize
40B
MD5be367e9fe5a3660262b3fbb04cc5037a
SHA19c2ed359fbafe477b5b8aa41aedcd19c1ca135d1
SHA2567c607d85732e66972165a9f79516d2ab69f1720045dae6c8f89f7bfd2beec315
SHA512a51b96ba19b97a4ff8d1495ee45bc1c28dceede14dd6d0b8936d7bbc31bd151c88d7acf26d1cb002c298535aff598b8abb871c21fc1ce74df2fd0c02fc7259f4
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
8KB
MD5259e7ed5fb3c6c90533b963da5b2fc1b
SHA1df90eabda434ca50828abb039b4f80b7f051ec77
SHA25635bb2f189c643dcf52ecf037603d104035ecdc490bf059b7736e58ef7d821a09
SHA5129d401053ac21a73863b461b0361df1a17850f42fd5fc7a77763a124aa33f2e9493fad018c78cdff63ca10f6710e53255ce891ad6ec56ec77d770c4630f274933
-
Filesize
24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
Filesize
48B
MD5d97f8b9f50be101a80288987ba5324ba
SHA1a63f54a3cd3e09cf3da514184aa045b4e5132e76
SHA25617e68b0404ae610b75d9aa9d8c0df38494c9bda0770122f7835112c5d59eabc6
SHA512eafa4bd984121c07918deac957629f33ef0f09ac76c0bd767763ad69759d3e76e66acaa063b0b4bc25ded65df22442b85edfd2324c52442dfbde848a43125967
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
441KB
MD5a78ad14e77147e7de3647e61964c0335
SHA1cecc3dd41f4cea0192b24300c71e1911bd4fce45
SHA2560d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa
SHA512dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
3KB
MD51f26d69aef0691804fea5e14d3004686
SHA1935014cb2a45d480e9e4fab22449be857b24d348
SHA2563aa2c66cbb4cb798124e5bae1fa7599d53ab4fdfbb2db49f8060a68659b12729
SHA5120407b1f2d827a7e65bc589db79d0a8d1d322b85dbc5fb54faf8f2504a407512fa03773592847d833fff3cb0ffb9dfca2851e79f8c6df8b7ce15b859605c84537
-
Filesize
4KB
MD5e3d37d243a41ed0a8a8843bbf3a5c8d2
SHA15c91daac05ef85464936d4f54d0b0f02bcf56d6c
SHA2565abd8582acfc05fdf7461797241b88525bfcd000f78f2b2ead2535b18ef90f2a
SHA5129aeea79f7f17dd9e2b5bdf6995f314b3069232500e61ab0851723315ef01d321e7349bf2a9a1a82f75123fd249f207261439777f3feddb4741ca4d5fc52a1c5d
-
Filesize
4KB
MD52af1373e20fa735b819486184732734a
SHA16b7eda5ffcd00b944027726fc38a6b8356257888
SHA256a5c3602cff64ac9e9db738735ac41cf2bc4531d8ab1adfad21500e4e4a25e4de
SHA51249508cd93ccc1c06b4672da9ab302dac066b8439705346f3fb90398e26478cde3b7dc4a2232676bcd7534a9bd781d2cedd44fd9dea0b180046f823cc173f0763
-
Filesize
4KB
MD55019be07bf0d4749f1705e9d0b465084
SHA1701db8b21c524b3b46a649740705e1864fd4fa42
SHA2562d26d2be47f46d711ab0dc41a79b7c5506c7630ad51d67bef6e6550d45f2e21f
SHA5120a901602297104e68ded9de273feda19d60dca6ed0024cffb9b6f420b7cb97eb2dff1b194ea20617da3a3971b13affeb0c46d024074b0060cde9bf84bbf083a1
-
Filesize
57B
MD558127c59cb9e1da127904c341d15372b
SHA162445484661d8036ce9788baeaba31d204e9a5fc
SHA256be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA5128d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a
-
Filesize
13KB
MD56bf095f916e2ee34eb530acf97474b84
SHA179f17b31a73067919c9ba3baecfb806b5c59b39b
SHA2569b92d56e4f05af69edafd8410487dd54c1684ad56e3297315493ec61558805b9
SHA512cc882eb4df2197cbd7d19b42ca7aacc24df3ceb780baeaac3923c0d72d0b73c2395fc267a93dcf6767fc19fc1bae4b14026cac9dab31c3623bf1d5500ecd30d2
-
Filesize
7KB
MD5e0e68c953ed9b60f9124320704c93268
SHA127cc4c09e350598735a94f3b88713df1e47c4317
SHA256d7751a5cdb8c7baae806e19aa68713efcae396761191bfa8bcd1f89368cd85c3
SHA512e95534043e20037188d269076379e688243355b4ffb195e0aa567063bacdb40132d4b165b093bdf6c887545c5ff463f1852faccdc1e533a6b3fdb82a3f787067
-
Filesize
516KB
-
Filesize
516KB