18f19d6a088cbbd34c7746594567cf6057917fe76ad39d51d8d44661ddb7cd57

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2023 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

400bb9c62735a23a3d4fa824e949cc30_exe32.exe
Size

168KB
MD5

400bb9c62735a23a3d4fa824e949cc30
SHA1

997e89d83cd568a4dfbdcbaca078c56573794f66
SHA256

18f19d6a088cbbd34c7746594567cf6057917fe76ad39d51d8d44661ddb7cd57
SHA512

e7a56cbc4612834021ffcce7ae94adf5d204792384aa1f050a956d6659b0282f13840020a3e7dcf666c42835e5d5df62939c2ff151ab33a2400ccd44bc6d02f5
SSDEEP

192:pbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwoZ4/CFxyNhoy5t:pbLwOs8AHsc4sMfwhKQLro64/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}	{C95150BF-7161-441c-8366-CCCF51BF9393}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96ACA221-CB1C-4e2e-BD97-C1D887A63530}\stubpath = "C:\\Windows\\{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe"	{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93A0D58A-1EFB-456f-B187-4A854B19C1A1}\stubpath = "C:\\Windows\\{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe"	{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}	{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B82F00A-3960-4135-ACE3-F57A196CB9FD}\stubpath = "C:\\Windows\\{9B82F00A-3960-4135-ACE3-F57A196CB9FD}.exe"	{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C38EBA19-BC13-41b9-B467-D9A254FFF30E}	{9B82F00A-3960-4135-ACE3-F57A196CB9FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}\stubpath = "C:\\Windows\\{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe"	400bb9c62735a23a3d4fa824e949cc30_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}	{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72A4621B-0487-4737-B889-7ED09A1F53BF}\stubpath = "C:\\Windows\\{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe"	{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B68E653D-D1F1-450a-884D-76FC39543963}\stubpath = "C:\\Windows\\{B68E653D-D1F1-450a-884D-76FC39543963}.exe"	{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B82F00A-3960-4135-ACE3-F57A196CB9FD}	{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C95150BF-7161-441c-8366-CCCF51BF9393}	{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C95150BF-7161-441c-8366-CCCF51BF9393}\stubpath = "C:\\Windows\\{C95150BF-7161-441c-8366-CCCF51BF9393}.exe"	{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96ACA221-CB1C-4e2e-BD97-C1D887A63530}	{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72A4621B-0487-4737-B889-7ED09A1F53BF}	{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93A0D58A-1EFB-456f-B187-4A854B19C1A1}	{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}	{B68E653D-D1F1-450a-884D-76FC39543963}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}\stubpath = "C:\\Windows\\{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe"	{B68E653D-D1F1-450a-884D-76FC39543963}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C38EBA19-BC13-41b9-B467-D9A254FFF30E}\stubpath = "C:\\Windows\\{C38EBA19-BC13-41b9-B467-D9A254FFF30E}.exe"	{9B82F00A-3960-4135-ACE3-F57A196CB9FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}	400bb9c62735a23a3d4fa824e949cc30_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}\stubpath = "C:\\Windows\\{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe"	{C95150BF-7161-441c-8366-CCCF51BF9393}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}\stubpath = "C:\\Windows\\{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe"	{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}\stubpath = "C:\\Windows\\{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe"	{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B68E653D-D1F1-450a-884D-76FC39543963}	{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe

Executes dropped EXE 12 IoCs

pid	Process
2724	{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe
2628	{C95150BF-7161-441c-8366-CCCF51BF9393}.exe
4168	{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe
3556	{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe
5064	{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe
3104	{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe
2692	{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe
3888	{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe
2376	{B68E653D-D1F1-450a-884D-76FC39543963}.exe
1980	{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe
3392	{9B82F00A-3960-4135-ACE3-F57A196CB9FD}.exe
1232	{C38EBA19-BC13-41b9-B467-D9A254FFF30E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C95150BF-7161-441c-8366-CCCF51BF9393}.exe	{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe
File created	C:\Windows\{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe	{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe
File created	C:\Windows\{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe	{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe
File created	C:\Windows\{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe	{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe
File created	C:\Windows\{B68E653D-D1F1-450a-884D-76FC39543963}.exe	{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe
File created	C:\Windows\{C38EBA19-BC13-41b9-B467-D9A254FFF30E}.exe	{9B82F00A-3960-4135-ACE3-F57A196CB9FD}.exe
File created	C:\Windows\{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe	400bb9c62735a23a3d4fa824e949cc30_exe32.exe
File created	C:\Windows\{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe	{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe
File created	C:\Windows\{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe	{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe
File created	C:\Windows\{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe	{B68E653D-D1F1-450a-884D-76FC39543963}.exe
File created	C:\Windows\{9B82F00A-3960-4135-ACE3-F57A196CB9FD}.exe	{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe
File created	C:\Windows\{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe	{C95150BF-7161-441c-8366-CCCF51BF9393}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1720	400bb9c62735a23a3d4fa824e949cc30_exe32.exe
Token: SeIncBasePriorityPrivilege	2724	{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe
Token: SeIncBasePriorityPrivilege	2628	{C95150BF-7161-441c-8366-CCCF51BF9393}.exe
Token: SeIncBasePriorityPrivilege	4168	{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe
Token: SeIncBasePriorityPrivilege	3556	{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe
Token: SeIncBasePriorityPrivilege	5064	{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe
Token: SeIncBasePriorityPrivilege	3104	{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe
Token: SeIncBasePriorityPrivilege	2692	{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe
Token: SeIncBasePriorityPrivilege	3888	{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe
Token: SeIncBasePriorityPrivilege	2376	{B68E653D-D1F1-450a-884D-76FC39543963}.exe
Token: SeIncBasePriorityPrivilege	1980	{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe
Token: SeIncBasePriorityPrivilege	3392	{9B82F00A-3960-4135-ACE3-F57A196CB9FD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2724	1720	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	89
PID 1720 wrote to memory of 2724	1720	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	89
PID 1720 wrote to memory of 2724	1720	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	89
PID 1720 wrote to memory of 3720	1720	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	90
PID 1720 wrote to memory of 3720	1720	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	90
PID 1720 wrote to memory of 3720	1720	400bb9c62735a23a3d4fa824e949cc30_exe32.exe	90
PID 2724 wrote to memory of 2628	2724	{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe	94
PID 2724 wrote to memory of 2628	2724	{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe	94
PID 2724 wrote to memory of 2628	2724	{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe	94
PID 2724 wrote to memory of 1656	2724	{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe	95
PID 2724 wrote to memory of 1656	2724	{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe	95
PID 2724 wrote to memory of 1656	2724	{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe	95
PID 2628 wrote to memory of 4168	2628	{C95150BF-7161-441c-8366-CCCF51BF9393}.exe	97
PID 2628 wrote to memory of 4168	2628	{C95150BF-7161-441c-8366-CCCF51BF9393}.exe	97
PID 2628 wrote to memory of 4168	2628	{C95150BF-7161-441c-8366-CCCF51BF9393}.exe	97
PID 2628 wrote to memory of 2760	2628	{C95150BF-7161-441c-8366-CCCF51BF9393}.exe	98
PID 2628 wrote to memory of 2760	2628	{C95150BF-7161-441c-8366-CCCF51BF9393}.exe	98
PID 2628 wrote to memory of 2760	2628	{C95150BF-7161-441c-8366-CCCF51BF9393}.exe	98
PID 4168 wrote to memory of 3556	4168	{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe	99
PID 4168 wrote to memory of 3556	4168	{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe	99
PID 4168 wrote to memory of 3556	4168	{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe	99
PID 4168 wrote to memory of 1820	4168	{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe	100
PID 4168 wrote to memory of 1820	4168	{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe	100
PID 4168 wrote to memory of 1820	4168	{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe	100
PID 3556 wrote to memory of 5064	3556	{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe	102
PID 3556 wrote to memory of 5064	3556	{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe	102
PID 3556 wrote to memory of 5064	3556	{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe	102
PID 3556 wrote to memory of 4424	3556	{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe	101
PID 3556 wrote to memory of 4424	3556	{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe	101
PID 3556 wrote to memory of 4424	3556	{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe	101
PID 5064 wrote to memory of 3104	5064	{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe	103
PID 5064 wrote to memory of 3104	5064	{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe	103
PID 5064 wrote to memory of 3104	5064	{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe	103
PID 5064 wrote to memory of 3512	5064	{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe	104
PID 5064 wrote to memory of 3512	5064	{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe	104
PID 5064 wrote to memory of 3512	5064	{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe	104
PID 3104 wrote to memory of 2692	3104	{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe	105
PID 3104 wrote to memory of 2692	3104	{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe	105
PID 3104 wrote to memory of 2692	3104	{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe	105
PID 3104 wrote to memory of 2356	3104	{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe	106
PID 3104 wrote to memory of 2356	3104	{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe	106
PID 3104 wrote to memory of 2356	3104	{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe	106
PID 2692 wrote to memory of 3888	2692	{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe	107
PID 2692 wrote to memory of 3888	2692	{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe	107
PID 2692 wrote to memory of 3888	2692	{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe	107
PID 2692 wrote to memory of 3860	2692	{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe	108
PID 2692 wrote to memory of 3860	2692	{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe	108
PID 2692 wrote to memory of 3860	2692	{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe	108
PID 3888 wrote to memory of 2376	3888	{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe	109
PID 3888 wrote to memory of 2376	3888	{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe	109
PID 3888 wrote to memory of 2376	3888	{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe	109
PID 3888 wrote to memory of 2096	3888	{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe	110
PID 3888 wrote to memory of 2096	3888	{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe	110
PID 3888 wrote to memory of 2096	3888	{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe	110
PID 2376 wrote to memory of 1980	2376	{B68E653D-D1F1-450a-884D-76FC39543963}.exe	111
PID 2376 wrote to memory of 1980	2376	{B68E653D-D1F1-450a-884D-76FC39543963}.exe	111
PID 2376 wrote to memory of 1980	2376	{B68E653D-D1F1-450a-884D-76FC39543963}.exe	111
PID 2376 wrote to memory of 648	2376	{B68E653D-D1F1-450a-884D-76FC39543963}.exe	112
PID 2376 wrote to memory of 648	2376	{B68E653D-D1F1-450a-884D-76FC39543963}.exe	112
PID 2376 wrote to memory of 648	2376	{B68E653D-D1F1-450a-884D-76FC39543963}.exe	112
PID 1980 wrote to memory of 3392	1980	{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe	113
PID 1980 wrote to memory of 3392	1980	{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe	113
PID 1980 wrote to memory of 3392	1980	{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe	113
PID 1980 wrote to memory of 552	1980	{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe	114

C:\Users\Admin\AppData\Local\Temp\400bb9c62735a23a3d4fa824e949cc30_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\400bb9c62735a23a3d4fa824e949cc30_exe32.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe
  C:\Windows\{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\{C95150BF-7161-441c-8366-CCCF51BF9393}.exe
    C:\Windows\{C95150BF-7161-441c-8366-CCCF51BF9393}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe
      C:\Windows\{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4168
    - - C:\Windows\{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe
        
        C:\Windows\{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B62FB~1.EXE > nul
        6⤵
        
        PID:4424
      - C:\Windows\{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe
        
        C:\Windows\{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe
        
        C:\Windows\{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe
        
        C:\Windows\{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe
        
        C:\Windows\{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\{B68E653D-D1F1-450a-884D-76FC39543963}.exe
        
        C:\Windows\{B68E653D-D1F1-450a-884D-76FC39543963}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe
        
        C:\Windows\{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{9B82F00A-3960-4135-ACE3-F57A196CB9FD}.exe
        
        C:\Windows\{9B82F00A-3960-4135-ACE3-F57A196CB9FD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B82F~1.EXE > nul
        13⤵
        
        PID:2972
        
        C:\Windows\{C38EBA19-BC13-41b9-B467-D9A254FFF30E}.exe
        
        C:\Windows\{C38EBA19-BC13-41b9-B467-D9A254FFF30E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74DE3~1.EXE > nul
        12⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B68E6~1.EXE > nul
        11⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FFD5~1.EXE > nul
        10⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93A0D~1.EXE > nul
        9⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72A46~1.EXE > nul
        8⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96ACA~1.EXE > nul
        7⤵
        
        PID:3512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3F5B~1.EXE > nul
        5⤵
        
        PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C9515~1.EXE > nul
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DF8AD~1.EXE > nul
    3⤵
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\400BB9~1.EXE > nul
  2⤵
  PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe

Filesize
168KB

MD5
d24361c25e5723bad0b9d5553d8ebf96

SHA1
17532f5395f99f819943793f72d70de15f86d106

SHA256
1670394ef84687e036c19e248f694d1e0a8a36cfc799f6e2e9a254eb200ed02f

SHA512
730bf20664cde0445fb99b08ffa67a9e3851bacfaa9d38782b24d6c88400f35d6dfba0f18798507d6f9658ac1a59e1f7d9b4ccc1556e946c3b0e49f9ec3c8055

Download Submit
C:\Windows\{72A4621B-0487-4737-B889-7ED09A1F53BF}.exe

Filesize
168KB

MD5
d24361c25e5723bad0b9d5553d8ebf96

SHA1
17532f5395f99f819943793f72d70de15f86d106

SHA256
1670394ef84687e036c19e248f694d1e0a8a36cfc799f6e2e9a254eb200ed02f

SHA512
730bf20664cde0445fb99b08ffa67a9e3851bacfaa9d38782b24d6c88400f35d6dfba0f18798507d6f9658ac1a59e1f7d9b4ccc1556e946c3b0e49f9ec3c8055

Download Submit
C:\Windows\{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe

Filesize
168KB

MD5
2efbf1793052fc200895ed2ee609d45b

SHA1
b9ba5d2b59817d31387d677a14e82e100a2fd00e

SHA256
0efcedc5d389e649694449b8939ee00d22a5123bf61b17c2a72e365935f2a46e

SHA512
9dddd0763256926cb7c86bc7c09d83b75e05ad250b72fc37013a4cd0a50f6a5833c748c4a0ffb7bc510aeb28e8f6412a0a404ba7424d80eb56aa262a91fb0958

Download Submit
C:\Windows\{74DE33A1-FAD5-41f1-8B68-F926FCB8CD5D}.exe

Filesize
168KB

MD5
2efbf1793052fc200895ed2ee609d45b

SHA1
b9ba5d2b59817d31387d677a14e82e100a2fd00e

SHA256
0efcedc5d389e649694449b8939ee00d22a5123bf61b17c2a72e365935f2a46e

SHA512
9dddd0763256926cb7c86bc7c09d83b75e05ad250b72fc37013a4cd0a50f6a5833c748c4a0ffb7bc510aeb28e8f6412a0a404ba7424d80eb56aa262a91fb0958

Download Submit
C:\Windows\{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe

Filesize
168KB

MD5
b0e7940bbb185d12452ffb0a7e04bd55

SHA1
30d75ce8605242c9a7858044027133a813521d33

SHA256
ea8b979166dc6f9bc6a326aa14f2c3aa1c909e048a0e81d448dbfe1744b11af3

SHA512
9e41d7fc8cfe7b17e0396a075f9c5f275a87323e730bd506c9494050603d9495ad22c26df0eb0001c7c2c0905a891977fcc59a5fa9e336df1e2f0fce20b33599

Download Submit
C:\Windows\{8FFD53A1-8B17-4046-A562-D0BC13BDA5BB}.exe

Filesize
168KB

MD5
b0e7940bbb185d12452ffb0a7e04bd55

SHA1
30d75ce8605242c9a7858044027133a813521d33

SHA256
ea8b979166dc6f9bc6a326aa14f2c3aa1c909e048a0e81d448dbfe1744b11af3

SHA512
9e41d7fc8cfe7b17e0396a075f9c5f275a87323e730bd506c9494050603d9495ad22c26df0eb0001c7c2c0905a891977fcc59a5fa9e336df1e2f0fce20b33599

Download Submit
C:\Windows\{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe

Filesize
168KB

MD5
42b816fdc218954055583e8a06cff59e

SHA1
bdba770bf65f6d52997b49ab3a017891b737f963

SHA256
8ea2dfeda671537d61e70c80ff65ec6c40b1a16e9e68b460ce61d7d803a3e04b

SHA512
b47e879d7cbb91dc9e0b525ec1cad9f608dbc16a3bb1126d9fefd28dfcfd563ad00b2649940b2b8f34b3ca4f9cb3ba6920d6029d65fce3f500a1bd1917a71b9d

Download Submit
C:\Windows\{93A0D58A-1EFB-456f-B187-4A854B19C1A1}.exe

Filesize
168KB

MD5
42b816fdc218954055583e8a06cff59e

SHA1
bdba770bf65f6d52997b49ab3a017891b737f963

SHA256
8ea2dfeda671537d61e70c80ff65ec6c40b1a16e9e68b460ce61d7d803a3e04b

SHA512
b47e879d7cbb91dc9e0b525ec1cad9f608dbc16a3bb1126d9fefd28dfcfd563ad00b2649940b2b8f34b3ca4f9cb3ba6920d6029d65fce3f500a1bd1917a71b9d

Download Submit
C:\Windows\{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe

Filesize
168KB

MD5
f145d919624843020cf806a5ed677d09

SHA1
bf01b08d82c85e7999a2e9ff886f414fc2f993c5

SHA256
c902d2421d3f33c04daa112c34b5f819f4955134be39b04999f66fa2d6e543ff

SHA512
3f1b42e4d1e5794d252a128b39d1dc09fef8e8f666a0154e1f4db33720030c18d33aad9af5881fdaf16b5f011a8100ef084aaeac32b99795e482f80200ec2ca9

Download Submit
C:\Windows\{96ACA221-CB1C-4e2e-BD97-C1D887A63530}.exe

Filesize
168KB

MD5
f145d919624843020cf806a5ed677d09

SHA1
bf01b08d82c85e7999a2e9ff886f414fc2f993c5

SHA256
c902d2421d3f33c04daa112c34b5f819f4955134be39b04999f66fa2d6e543ff

SHA512
3f1b42e4d1e5794d252a128b39d1dc09fef8e8f666a0154e1f4db33720030c18d33aad9af5881fdaf16b5f011a8100ef084aaeac32b99795e482f80200ec2ca9

Download Submit
C:\Windows\{9B82F00A-3960-4135-ACE3-F57A196CB9FD}.exe

Filesize
168KB

MD5
968e53a61e1fae7b61587c770312b364

SHA1
b0c9071410a49f3923d0447097e808e18a65cd85

SHA256
df76b17046bee1f2d512d3df83e9b9e86447e978e85f89a9448b3f9e76238ace

SHA512
31b2014906a7768ae77faee2e8be96376b117c7c55eec2dfeb0594a16cd49a9476836255d29d3b5492c10ee2814d8633e8d7060d6600ae3a7a7d57ed16689fce

Download Submit
C:\Windows\{9B82F00A-3960-4135-ACE3-F57A196CB9FD}.exe

Filesize
168KB

MD5
968e53a61e1fae7b61587c770312b364

SHA1
b0c9071410a49f3923d0447097e808e18a65cd85

SHA256
df76b17046bee1f2d512d3df83e9b9e86447e978e85f89a9448b3f9e76238ace

SHA512
31b2014906a7768ae77faee2e8be96376b117c7c55eec2dfeb0594a16cd49a9476836255d29d3b5492c10ee2814d8633e8d7060d6600ae3a7a7d57ed16689fce

Download Submit
C:\Windows\{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe

Filesize
168KB

MD5
a35264ec1f67c5869471bb50ded4d8f8

SHA1
c22a216abdf8042de5887201bbfbcbf403797dc8

SHA256
79496ce42692dd32346aa5f998b9ca661884877ebb653e667d6fedfbff3cf0ef

SHA512
9453e096cb0c2c657a31502533bcceedd62101f8cd8b0cc4baf5d05bd552822e9088cae1243647e290a9d70e3e09a07efb274d70c743a417ca5500b76a9d5e5a

Download Submit
C:\Windows\{B62FB9CE-7ED9-4b34-97A9-A106B6E176F4}.exe

Filesize
168KB

MD5
a35264ec1f67c5869471bb50ded4d8f8

SHA1
c22a216abdf8042de5887201bbfbcbf403797dc8

SHA256
79496ce42692dd32346aa5f998b9ca661884877ebb653e667d6fedfbff3cf0ef

SHA512
9453e096cb0c2c657a31502533bcceedd62101f8cd8b0cc4baf5d05bd552822e9088cae1243647e290a9d70e3e09a07efb274d70c743a417ca5500b76a9d5e5a

Download Submit
C:\Windows\{B68E653D-D1F1-450a-884D-76FC39543963}.exe

Filesize
168KB

MD5
000d253467f4681aa054313f8b098990

SHA1
c1d2bcc3a3a53342773fa996840a2e43f7e9b16e

SHA256
76cd85540a2ca17cb2355dc7a8b6d70c1e31d0f053980112bde93b86b2c5b9c2

SHA512
e4754a538e2ce67810a5f52a9af7c13581664619c806b744a915117421022b970ef1966d4d34b6fc0d9348c74c690aeeb5aa13104ba9ab63c2273cc99bde5b25

Download Submit
C:\Windows\{B68E653D-D1F1-450a-884D-76FC39543963}.exe

Filesize
168KB

MD5
000d253467f4681aa054313f8b098990

SHA1
c1d2bcc3a3a53342773fa996840a2e43f7e9b16e

SHA256
76cd85540a2ca17cb2355dc7a8b6d70c1e31d0f053980112bde93b86b2c5b9c2

SHA512
e4754a538e2ce67810a5f52a9af7c13581664619c806b744a915117421022b970ef1966d4d34b6fc0d9348c74c690aeeb5aa13104ba9ab63c2273cc99bde5b25

Download Submit
C:\Windows\{C38EBA19-BC13-41b9-B467-D9A254FFF30E}.exe

Filesize
168KB

MD5
e4d916f2f5f0dd473fd19ac0f736fbc5

SHA1
85fee5684a3ec564c595da4ec240a9eae8fbc425

SHA256
10f5ed07cbb3cf3cb25fa9974332c6116665f0ded9672728d44c35fbaf812c25

SHA512
c6f415ad0118011c067b897f36c4d1583ff0cc2a0812af9db55f7f285eaf6ebb27db015803610494cff78f1c07b2b532121ba8f0ccff1c6fef5d177b32f0e2fb

Download Submit
C:\Windows\{C38EBA19-BC13-41b9-B467-D9A254FFF30E}.exe

Filesize
168KB

MD5
e4d916f2f5f0dd473fd19ac0f736fbc5

SHA1
85fee5684a3ec564c595da4ec240a9eae8fbc425

SHA256
10f5ed07cbb3cf3cb25fa9974332c6116665f0ded9672728d44c35fbaf812c25

SHA512
c6f415ad0118011c067b897f36c4d1583ff0cc2a0812af9db55f7f285eaf6ebb27db015803610494cff78f1c07b2b532121ba8f0ccff1c6fef5d177b32f0e2fb

Download Submit
C:\Windows\{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe

Filesize
168KB

MD5
6340d0ce95aefa05509da07bd4b949d0

SHA1
ef92e25127ee71aee4aab453a231440fc31c31e5

SHA256
285a68a508ad01e49ab88e01d410bd39c623c44a2b16e8860cefb6346377437d

SHA512
99bef62c680bb23f4c732020aa63832378dd2e9fca9fcfc9a067b32fdc7989682713449d30da5b7226007cf4082d3dd8671740492555185526f5f00a7d192302

Download Submit
C:\Windows\{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe

Filesize
168KB

MD5
6340d0ce95aefa05509da07bd4b949d0

SHA1
ef92e25127ee71aee4aab453a231440fc31c31e5

SHA256
285a68a508ad01e49ab88e01d410bd39c623c44a2b16e8860cefb6346377437d

SHA512
99bef62c680bb23f4c732020aa63832378dd2e9fca9fcfc9a067b32fdc7989682713449d30da5b7226007cf4082d3dd8671740492555185526f5f00a7d192302

Download Submit
C:\Windows\{C3F5B1AF-1A6B-4fd1-9713-DEFAE755E36D}.exe

Filesize
168KB

MD5
6340d0ce95aefa05509da07bd4b949d0

SHA1
ef92e25127ee71aee4aab453a231440fc31c31e5

SHA256
285a68a508ad01e49ab88e01d410bd39c623c44a2b16e8860cefb6346377437d

SHA512
99bef62c680bb23f4c732020aa63832378dd2e9fca9fcfc9a067b32fdc7989682713449d30da5b7226007cf4082d3dd8671740492555185526f5f00a7d192302

Download Submit
C:\Windows\{C95150BF-7161-441c-8366-CCCF51BF9393}.exe

Filesize
168KB

MD5
b009e6e9a6cebb0a1f7f171bce5a41b2

SHA1
556ef7686e614572b7f2c185a8946e1ccd333e0b

SHA256
1ae0609ce3e6f021b87892f1f20319e772935ea2764d4ad496189b823792ddd3

SHA512
ecf7a4ecdace012f47148baf32143eacb53ea0cdb1be65893cb5c3d2b5e3c343ef49ec2917a8b18a22141a0be4ac1e9d5b4bcd92c2ade7af525b9398caa988af

Download Submit
C:\Windows\{C95150BF-7161-441c-8366-CCCF51BF9393}.exe

Filesize
168KB

MD5
b009e6e9a6cebb0a1f7f171bce5a41b2

SHA1
556ef7686e614572b7f2c185a8946e1ccd333e0b

SHA256
1ae0609ce3e6f021b87892f1f20319e772935ea2764d4ad496189b823792ddd3

SHA512
ecf7a4ecdace012f47148baf32143eacb53ea0cdb1be65893cb5c3d2b5e3c343ef49ec2917a8b18a22141a0be4ac1e9d5b4bcd92c2ade7af525b9398caa988af

Download Submit
C:\Windows\{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe

Filesize
168KB

MD5
6ee838fe5e66d48f0594c730f3369375

SHA1
099b004e86ff3889641c4f8f84273c9d758e0e9f

SHA256
1e914403178aca5cfb63c1a410854a9a2ac439a50becd9fe24b9702c97129d9a

SHA512
bedd8424286c05123244c38cfd7e6bacde536803162cd99da55ef5a4ee14e7184da988b9e66fc635ba56469af0cfce13f0947fb5c1a951a8070e95eb85ca2733

Download Submit
C:\Windows\{DF8AD6CF-9EC1-40df-96BD-DD3D2669FA53}.exe

Filesize
168KB

MD5
6ee838fe5e66d48f0594c730f3369375

SHA1
099b004e86ff3889641c4f8f84273c9d758e0e9f

SHA256
1e914403178aca5cfb63c1a410854a9a2ac439a50becd9fe24b9702c97129d9a

SHA512
bedd8424286c05123244c38cfd7e6bacde536803162cd99da55ef5a4ee14e7184da988b9e66fc635ba56469af0cfce13f0947fb5c1a951a8070e95eb85ca2733

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads