b8bcd7862c8d1d41c40e3dec3b4988b3c443cc62ca3b43d235fc3cc456699a47

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f06151047b4390exeexeexeex.exe
Size

372KB
MD5

f06151047b4390b87b5f683cb315add1
SHA1

eeafdf08781682912822bd2375127c46d60ec20a
SHA256

b8bcd7862c8d1d41c40e3dec3b4988b3c443cc62ca3b43d235fc3cc456699a47
SHA512

61c349208cbd2d1d41c0bc6b004d6fc2838dc9b54b6e0856c124f342f62097c8c1ffc70a669a169d58e0bde77421f39066d02c539f14837349d7dbc70b8ecfe4
SSDEEP

3072:CEGh0oSmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG5l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80D64D45-FA2B-4124-BB80-4767B73BC730}	{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}\stubpath = "C:\\Windows\\{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe"	{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}	{EC69C11B-E881-4062-BFFB-F24688E76883}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{983301CA-5655-4afe-B888-3EA61EBB2F56}	f06151047b4390exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F301BEAF-792E-4690-967E-2AFC4AF50EAB}	{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}	{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}	{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}\stubpath = "C:\\Windows\\{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}.exe"	{EC69C11B-E881-4062-BFFB-F24688E76883}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48380CC7-4AB9-4e57-B7A9-A837B1C0AA5B}	{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{983301CA-5655-4afe-B888-3EA61EBB2F56}\stubpath = "C:\\Windows\\{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe"	f06151047b4390exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}\stubpath = "C:\\Windows\\{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe"	{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}	{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}\stubpath = "C:\\Windows\\{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe"	{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BF642B-A574-4395-A49D-DC04FAE54F4D}\stubpath = "C:\\Windows\\{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe"	{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}	{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}\stubpath = "C:\\Windows\\{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe"	{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}	{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC69C11B-E881-4062-BFFB-F24688E76883}	{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC69C11B-E881-4062-BFFB-F24688E76883}\stubpath = "C:\\Windows\\{EC69C11B-E881-4062-BFFB-F24688E76883}.exe"	{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F301BEAF-792E-4690-967E-2AFC4AF50EAB}\stubpath = "C:\\Windows\\{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe"	{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BF642B-A574-4395-A49D-DC04FAE54F4D}	{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}\stubpath = "C:\\Windows\\{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe"	{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80D64D45-FA2B-4124-BB80-4767B73BC730}\stubpath = "C:\\Windows\\{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe"	{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48380CC7-4AB9-4e57-B7A9-A837B1C0AA5B}\stubpath = "C:\\Windows\\{48380CC7-4AB9-4e57-B7A9-A837B1C0AA5B}.exe"	{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}.exe

Executes dropped EXE 12 IoCs

pid	Process
1724	{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe
4144	{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe
4632	{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe
1648	{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe
2636	{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe
4972	{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe
5096	{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe
4488	{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe
988	{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe
2204	{EC69C11B-E881-4062-BFFB-F24688E76883}.exe
4548	{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}.exe
2936	{48380CC7-4AB9-4e57-B7A9-A837B1C0AA5B}.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5F48B34F-36F4-47F9-B861-C507A5E82505}.catalogItem	svchost.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe	{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe
File created	C:\Windows\{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe	f06151047b4390exeexeexeex.exe
File created	C:\Windows\{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe	{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe
File created	C:\Windows\{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe	{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe
File created	C:\Windows\{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe	{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe
File created	C:\Windows\{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe	{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe
File created	C:\Windows\{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe	{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe
File created	C:\Windows\{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe	{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe
File created	C:\Windows\{EC69C11B-E881-4062-BFFB-F24688E76883}.exe	{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe
File created	C:\Windows\{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}.exe	{EC69C11B-E881-4062-BFFB-F24688E76883}.exe
File created	C:\Windows\{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe	{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe
File created	C:\Windows\{48380CC7-4AB9-4e57-B7A9-A837B1C0AA5B}.exe	{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3716	f06151047b4390exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1724	{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe
Token: SeIncBasePriorityPrivilege	4144	{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe
Token: SeIncBasePriorityPrivilege	4632	{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe
Token: SeIncBasePriorityPrivilege	1648	{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe
Token: SeIncBasePriorityPrivilege	2636	{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe
Token: SeIncBasePriorityPrivilege	4972	{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe
Token: SeIncBasePriorityPrivilege	5096	{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe
Token: SeIncBasePriorityPrivilege	4488	{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe
Token: SeIncBasePriorityPrivilege	988	{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe
Token: SeIncBasePriorityPrivilege	2204	{EC69C11B-E881-4062-BFFB-F24688E76883}.exe
Token: SeIncBasePriorityPrivilege	4548	{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 1724	3716	f06151047b4390exeexeexeex.exe	95
PID 3716 wrote to memory of 1724	3716	f06151047b4390exeexeexeex.exe	95
PID 3716 wrote to memory of 1724	3716	f06151047b4390exeexeexeex.exe	95
PID 3716 wrote to memory of 2956	3716	f06151047b4390exeexeexeex.exe	96
PID 3716 wrote to memory of 2956	3716	f06151047b4390exeexeexeex.exe	96
PID 3716 wrote to memory of 2956	3716	f06151047b4390exeexeexeex.exe	96
PID 1724 wrote to memory of 4144	1724	{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe	99
PID 1724 wrote to memory of 4144	1724	{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe	99
PID 1724 wrote to memory of 4144	1724	{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe	99
PID 1724 wrote to memory of 1112	1724	{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe	100
PID 1724 wrote to memory of 1112	1724	{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe	100
PID 1724 wrote to memory of 1112	1724	{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe	100
PID 4144 wrote to memory of 4632	4144	{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe	102
PID 4144 wrote to memory of 4632	4144	{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe	102
PID 4144 wrote to memory of 4632	4144	{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe	102
PID 4144 wrote to memory of 1608	4144	{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe	103
PID 4144 wrote to memory of 1608	4144	{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe	103
PID 4144 wrote to memory of 1608	4144	{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe	103
PID 4632 wrote to memory of 1648	4632	{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe	104
PID 4632 wrote to memory of 1648	4632	{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe	104
PID 4632 wrote to memory of 1648	4632	{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe	104
PID 4632 wrote to memory of 1804	4632	{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe	105
PID 4632 wrote to memory of 1804	4632	{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe	105
PID 4632 wrote to memory of 1804	4632	{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe	105
PID 1648 wrote to memory of 2636	1648	{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe	106
PID 1648 wrote to memory of 2636	1648	{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe	106
PID 1648 wrote to memory of 2636	1648	{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe	106
PID 1648 wrote to memory of 5000	1648	{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe	107
PID 1648 wrote to memory of 5000	1648	{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe	107
PID 1648 wrote to memory of 5000	1648	{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe	107
PID 2636 wrote to memory of 4972	2636	{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe	108
PID 2636 wrote to memory of 4972	2636	{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe	108
PID 2636 wrote to memory of 4972	2636	{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe	108
PID 2636 wrote to memory of 4524	2636	{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe	109
PID 2636 wrote to memory of 4524	2636	{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe	109
PID 2636 wrote to memory of 4524	2636	{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe	109
PID 4972 wrote to memory of 5096	4972	{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe	110
PID 4972 wrote to memory of 5096	4972	{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe	110
PID 4972 wrote to memory of 5096	4972	{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe	110
PID 4972 wrote to memory of 880	4972	{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe	111
PID 4972 wrote to memory of 880	4972	{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe	111
PID 4972 wrote to memory of 880	4972	{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe	111
PID 5096 wrote to memory of 4488	5096	{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe	112
PID 5096 wrote to memory of 4488	5096	{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe	112
PID 5096 wrote to memory of 4488	5096	{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe	112
PID 5096 wrote to memory of 3700	5096	{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe	113
PID 5096 wrote to memory of 3700	5096	{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe	113
PID 5096 wrote to memory of 3700	5096	{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe	113
PID 4488 wrote to memory of 988	4488	{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe	115
PID 4488 wrote to memory of 988	4488	{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe	115
PID 4488 wrote to memory of 988	4488	{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe	115
PID 4488 wrote to memory of 1108	4488	{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe	114
PID 4488 wrote to memory of 1108	4488	{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe	114
PID 4488 wrote to memory of 1108	4488	{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe	114
PID 988 wrote to memory of 2204	988	{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe	116
PID 988 wrote to memory of 2204	988	{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe	116
PID 988 wrote to memory of 2204	988	{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe	116
PID 988 wrote to memory of 1164	988	{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe	117
PID 988 wrote to memory of 1164	988	{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe	117
PID 988 wrote to memory of 1164	988	{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe	117
PID 2204 wrote to memory of 4548	2204	{EC69C11B-E881-4062-BFFB-F24688E76883}.exe	118
PID 2204 wrote to memory of 4548	2204	{EC69C11B-E881-4062-BFFB-F24688E76883}.exe	118
PID 2204 wrote to memory of 4548	2204	{EC69C11B-E881-4062-BFFB-F24688E76883}.exe	118
PID 2204 wrote to memory of 4016	2204	{EC69C11B-E881-4062-BFFB-F24688E76883}.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:1332

C:\Users\Admin\AppData\Local\Temp\f06151047b4390exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\f06151047b4390exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe
  C:\Windows\{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe
    C:\Windows\{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe
      C:\Windows\{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Windows\{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe
        
        C:\Windows\{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe
        
        C:\Windows\{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe
        
        C:\Windows\{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe
        
        C:\Windows\{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe
        
        C:\Windows\{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA5E9~1.EXE > nul
        10⤵
        
        PID:1108
        
        C:\Windows\{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe
        
        C:\Windows\{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\{EC69C11B-E881-4062-BFFB-F24688E76883}.exe
        
        C:\Windows\{EC69C11B-E881-4062-BFFB-F24688E76883}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}.exe
        
        C:\Windows\{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
        
        C:\Windows\{48380CC7-4AB9-4e57-B7A9-A837B1C0AA5B}.exe
        
        C:\Windows\{48380CC7-4AB9-4e57-B7A9-A837B1C0AA5B}.exe
        13⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A78C3~1.EXE > nul
        13⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC69C~1.EXE > nul
        12⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6AA7~1.EXE > nul
        11⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80D64~1.EXE > nul
        9⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF5AB~1.EXE > nul
        8⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CE52~1.EXE > nul
        7⤵
        
        PID:4524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FAF4~1.EXE > nul
        6⤵
        
        PID:5000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81BF6~1.EXE > nul
        5⤵
        
        PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F301B~1.EXE > nul
      4⤵
      PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{98330~1.EXE > nul
    3⤵
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F06151~1.EXE > nul
  2⤵
  PID:2956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{48380CC7-4AB9-4e57-B7A9-A837B1C0AA5B}.exe

Filesize
372KB

MD5
8f330c18adf7d10ae7f3bcc00329f715

SHA1
5b677aa8e046d3ef610fa929e8eda6456945fcc1

SHA256
7d18dd9f5bbe4ade9d77180c57f9b2fa81db88d29bd1317a4cce57a91217129a

SHA512
54012f03d50b19c32594428e9ffa1b2d4afef9a0658dfdb76b0d4593373ce2734a637b4e5cd08e174fc6350ac0d9dc9443f92b025b406332c6977f6c5b11dfa8

Download Submit
C:\Windows\{48380CC7-4AB9-4e57-B7A9-A837B1C0AA5B}.exe

Filesize
372KB

MD5
8f330c18adf7d10ae7f3bcc00329f715

SHA1
5b677aa8e046d3ef610fa929e8eda6456945fcc1

SHA256
7d18dd9f5bbe4ade9d77180c57f9b2fa81db88d29bd1317a4cce57a91217129a

SHA512
54012f03d50b19c32594428e9ffa1b2d4afef9a0658dfdb76b0d4593373ce2734a637b4e5cd08e174fc6350ac0d9dc9443f92b025b406332c6977f6c5b11dfa8

Download Submit
C:\Windows\{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe

Filesize
372KB

MD5
62ace01f1c190f2844b8c3f1f714e2eb

SHA1
878ec19ef490a301e43c1ece1fab911d2897617c

SHA256
c13ba69c236461d27de0130d42aab82d9b0021bf2e60fa7f825b73e854a62939

SHA512
921dd179b5e2a813da7c271f79d233844e5b79defed30f1a0f7a709c4b8f5b5215ecac671d961659e72da7ffd03d27085744c8c020b31cab97bcab05840f4ed3

Download Submit
C:\Windows\{6FAF4F8C-47D0-4169-BEB3-B838B2BA4CFC}.exe

Filesize
372KB

MD5
62ace01f1c190f2844b8c3f1f714e2eb

SHA1
878ec19ef490a301e43c1ece1fab911d2897617c

SHA256
c13ba69c236461d27de0130d42aab82d9b0021bf2e60fa7f825b73e854a62939

SHA512
921dd179b5e2a813da7c271f79d233844e5b79defed30f1a0f7a709c4b8f5b5215ecac671d961659e72da7ffd03d27085744c8c020b31cab97bcab05840f4ed3

Download Submit
C:\Windows\{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe

Filesize
372KB

MD5
01be32929b58b68fc56e4bcedcf2bd07

SHA1
24b07716810760467e4fb70fb5f3c989ab093c97

SHA256
62123d70bacbfec9449bf5fe6e74ad3080ca76da71d6afc03d7d82b72578e31d

SHA512
e3205322e5de2cb0f8f552dd731f301a1e4be0d344b0186aeafc15ca7b661cc3c0c2f81db27020750f9488e52d0354c7fd95da573de7395393b3c58099195fde

Download Submit
C:\Windows\{7CE52440-C09A-469c-9AB2-7D2EE97F6FF9}.exe

Filesize
372KB

MD5
01be32929b58b68fc56e4bcedcf2bd07

SHA1
24b07716810760467e4fb70fb5f3c989ab093c97

SHA256
62123d70bacbfec9449bf5fe6e74ad3080ca76da71d6afc03d7d82b72578e31d

SHA512
e3205322e5de2cb0f8f552dd731f301a1e4be0d344b0186aeafc15ca7b661cc3c0c2f81db27020750f9488e52d0354c7fd95da573de7395393b3c58099195fde

Download Submit
C:\Windows\{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe

Filesize
372KB

MD5
52eff89c8c50d45a887ac6aabd8f7f37

SHA1
f1f89fedd35c6f16be73e690e8b40fc8f05a4578

SHA256
92dbdace332fc2517dbd7dc5bb2f3574c7a82a25dbc167db02be007c857dbe94

SHA512
4b9737f338e8fc0222b890f3bc8d235d5cd0951eb2e2a7df95938bbbfcb5652df9d504379337f5169aabcefb804eab2e8c0002d321e0c7f8e3fb7c98789f31a1

Download Submit
C:\Windows\{80D64D45-FA2B-4124-BB80-4767B73BC730}.exe

Filesize
372KB

MD5
52eff89c8c50d45a887ac6aabd8f7f37

SHA1
f1f89fedd35c6f16be73e690e8b40fc8f05a4578

SHA256
92dbdace332fc2517dbd7dc5bb2f3574c7a82a25dbc167db02be007c857dbe94

SHA512
4b9737f338e8fc0222b890f3bc8d235d5cd0951eb2e2a7df95938bbbfcb5652df9d504379337f5169aabcefb804eab2e8c0002d321e0c7f8e3fb7c98789f31a1

Download Submit
C:\Windows\{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe

Filesize
372KB

MD5
9ce1c2d0164b75982969e2a39b659e44

SHA1
11616221827962a37492d657b233cf769f8d45d6

SHA256
56d0d71646df845900e5cd62be3bd169270eddfaae174d9b6a75d7682ada718d

SHA512
43c263e6c7d5bc3b01dbb1279eb653a8fc4f6147badd6cf24dc67f051fa3b44b47379b0aa0af08cc6bd94d689fadc8a02642f8d9206f94408eeaff1ee613debf

Download Submit
C:\Windows\{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe

Filesize
372KB

MD5
9ce1c2d0164b75982969e2a39b659e44

SHA1
11616221827962a37492d657b233cf769f8d45d6

SHA256
56d0d71646df845900e5cd62be3bd169270eddfaae174d9b6a75d7682ada718d

SHA512
43c263e6c7d5bc3b01dbb1279eb653a8fc4f6147badd6cf24dc67f051fa3b44b47379b0aa0af08cc6bd94d689fadc8a02642f8d9206f94408eeaff1ee613debf

Download Submit
C:\Windows\{81BF642B-A574-4395-A49D-DC04FAE54F4D}.exe

Filesize
372KB

MD5
9ce1c2d0164b75982969e2a39b659e44

SHA1
11616221827962a37492d657b233cf769f8d45d6

SHA256
56d0d71646df845900e5cd62be3bd169270eddfaae174d9b6a75d7682ada718d

SHA512
43c263e6c7d5bc3b01dbb1279eb653a8fc4f6147badd6cf24dc67f051fa3b44b47379b0aa0af08cc6bd94d689fadc8a02642f8d9206f94408eeaff1ee613debf

Download Submit
C:\Windows\{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe

Filesize
372KB

MD5
906ead242f7f82c98100485a205bf305

SHA1
a0500c358eceb0b794082b0bfe74889932f1a1cd

SHA256
017e44c0bf1582ad10bcf5a8469541b9a681fa27163a46e919db38216a0528c7

SHA512
13d83374a0cf3529bc463fea4e24849a40e1ca4ac2186f5edff6520752e49be1d59d7fcc40a674191afb16ad1751a9bb5f38244e762ed5e85fe23ee302f8215b

Download Submit
C:\Windows\{983301CA-5655-4afe-B888-3EA61EBB2F56}.exe

Filesize
372KB

MD5
906ead242f7f82c98100485a205bf305

SHA1
a0500c358eceb0b794082b0bfe74889932f1a1cd

SHA256
017e44c0bf1582ad10bcf5a8469541b9a681fa27163a46e919db38216a0528c7

SHA512
13d83374a0cf3529bc463fea4e24849a40e1ca4ac2186f5edff6520752e49be1d59d7fcc40a674191afb16ad1751a9bb5f38244e762ed5e85fe23ee302f8215b

Download Submit
C:\Windows\{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe

Filesize
372KB

MD5
6e10f79127adda77945ad35c7594b8bb

SHA1
d3c585740f5b4e49234ec1df9a1f7a50d40359b2

SHA256
18d56b61b4b98dc4fc23f15cf0793255cb7cf358bfe6c93aebb228d537ec62c8

SHA512
dccfa2a37a154f1f3529d57a1f4a200e2c59914e2019afee5f558d8fec50fa659c6c9805aa8e74a4eb76af7b2e9c519a58f190f209cbeada0e17aedc89a53106

Download Submit
C:\Windows\{A6AA7B5F-1793-4ccf-93B7-0CAB69F255A5}.exe

Filesize
372KB

MD5
6e10f79127adda77945ad35c7594b8bb

SHA1
d3c585740f5b4e49234ec1df9a1f7a50d40359b2

SHA256
18d56b61b4b98dc4fc23f15cf0793255cb7cf358bfe6c93aebb228d537ec62c8

SHA512
dccfa2a37a154f1f3529d57a1f4a200e2c59914e2019afee5f558d8fec50fa659c6c9805aa8e74a4eb76af7b2e9c519a58f190f209cbeada0e17aedc89a53106

Download Submit
C:\Windows\{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}.exe

Filesize
372KB

MD5
4aee6593ff42fa137dda181350e21bd5

SHA1
d69a0efee030f4ae5df4b10568df932c60a730e5

SHA256
3e51fcfff2b8e196dc2a993688916464a5e8f8e8ef7238404f38783a00972a21

SHA512
94e638fcaf505053dcf55e8bd1f867eb7217f42925a6ed09fdcba05d582c28c30788786f1f167f68b4a38cc01a69ec2b1bfcdb7f4b4053a4329c1fbdc39d1ed4

Download Submit
C:\Windows\{A78C34EE-3D16-4dd4-9113-F6AF56A67E53}.exe

Filesize
372KB

MD5
4aee6593ff42fa137dda181350e21bd5

SHA1
d69a0efee030f4ae5df4b10568df932c60a730e5

SHA256
3e51fcfff2b8e196dc2a993688916464a5e8f8e8ef7238404f38783a00972a21

SHA512
94e638fcaf505053dcf55e8bd1f867eb7217f42925a6ed09fdcba05d582c28c30788786f1f167f68b4a38cc01a69ec2b1bfcdb7f4b4053a4329c1fbdc39d1ed4

Download Submit
C:\Windows\{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe

Filesize
372KB

MD5
030d07f184308e1e617936d3ca5204b6

SHA1
656f3c8ad583f591b4b8c3aafd7d2667011022ec

SHA256
d43ed2e0e0e9ced0ef690ced4476fec740119645602dead1caee647052e83683

SHA512
fc6d3d31fc4614feaba1316f5eb00f77dcac93ae5cfcaffbce74efec49f65b618fb392fe0e572dca8f3958837b51282f2da4fa671445bc519be4f71a3c84090c

Download Submit
C:\Windows\{AA5E9346-9495-46a5-B6A5-C1EADC4BEADD}.exe

Filesize
372KB

MD5
030d07f184308e1e617936d3ca5204b6

SHA1
656f3c8ad583f591b4b8c3aafd7d2667011022ec

SHA256
d43ed2e0e0e9ced0ef690ced4476fec740119645602dead1caee647052e83683

SHA512
fc6d3d31fc4614feaba1316f5eb00f77dcac93ae5cfcaffbce74efec49f65b618fb392fe0e572dca8f3958837b51282f2da4fa671445bc519be4f71a3c84090c

Download Submit
C:\Windows\{EC69C11B-E881-4062-BFFB-F24688E76883}.exe

Filesize
372KB

MD5
dcf3d4fbfb91fff61b1300f0b8246e1e

SHA1
3e39e5d8ed15af95f16531e7ca3011bd855ef6ea

SHA256
43dd7302e598150dc7f0f5080ff38b87d9ca7ae9a298fc585df56239b7f16365

SHA512
db43fb1266417fdfd979dd964738027d44f2c5f0f9bff39158123590df93bf879d25bd17d620bb88711ea95eaaa2f67fe538f37c57c13c0fb588d1ccf050cab5

Download Submit
C:\Windows\{EC69C11B-E881-4062-BFFB-F24688E76883}.exe

Filesize
372KB

MD5
dcf3d4fbfb91fff61b1300f0b8246e1e

SHA1
3e39e5d8ed15af95f16531e7ca3011bd855ef6ea

SHA256
43dd7302e598150dc7f0f5080ff38b87d9ca7ae9a298fc585df56239b7f16365

SHA512
db43fb1266417fdfd979dd964738027d44f2c5f0f9bff39158123590df93bf879d25bd17d620bb88711ea95eaaa2f67fe538f37c57c13c0fb588d1ccf050cab5

Download Submit
C:\Windows\{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe

Filesize
372KB

MD5
ec2112b6c7d864f77f102149e1bc46b3

SHA1
c14b7cb1af2372e22cd66216196c8e72afd8872b

SHA256
36db91d163d6794072eb68385d8556dbee4c9588c890d5f2c89db13d733d9ff3

SHA512
43804ba9e0fc805dc4ef37310956a53527a54169f241a817a396bc4f4d57c20914f999bbdc3d8182bdfb295d385897a512bf5abfbe19d26104dafdf48a05b6a0

Download Submit
C:\Windows\{F301BEAF-792E-4690-967E-2AFC4AF50EAB}.exe

Filesize
372KB

MD5
ec2112b6c7d864f77f102149e1bc46b3

SHA1
c14b7cb1af2372e22cd66216196c8e72afd8872b

SHA256
36db91d163d6794072eb68385d8556dbee4c9588c890d5f2c89db13d733d9ff3

SHA512
43804ba9e0fc805dc4ef37310956a53527a54169f241a817a396bc4f4d57c20914f999bbdc3d8182bdfb295d385897a512bf5abfbe19d26104dafdf48a05b6a0

Download Submit
C:\Windows\{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe

Filesize
372KB

MD5
ec8dbbb099280f33b4f0a57940969450

SHA1
74abbccf00c6f07610b1ad6a9adb44537800dfbc

SHA256
a617c04995d4f0c5cfe6d85ec28cb9f722af664e37ff1a657eabbf08280ba282

SHA512
36ec427e4e2dbfc5a873d3b6a747795dcaacf2e6feac2c633ec4344e841c0a251b649c50593f099c1fdb7523adc02ea74c9692a9174eace7750d5a6197748f47

Download Submit
C:\Windows\{FF5AB3F7-53E7-4cdc-BAA2-EC14B03349D5}.exe

Filesize
372KB

MD5
ec8dbbb099280f33b4f0a57940969450

SHA1
74abbccf00c6f07610b1ad6a9adb44537800dfbc

SHA256
a617c04995d4f0c5cfe6d85ec28cb9f722af664e37ff1a657eabbf08280ba282

SHA512
36ec427e4e2dbfc5a873d3b6a747795dcaacf2e6feac2c633ec4344e841c0a251b649c50593f099c1fdb7523adc02ea74c9692a9174eace7750d5a6197748f47

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads