e097498c867f1baf28d47c6780fc8d778b7daffa0ded12375f077cc5d4bdd024

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa0ab72f936509efe89bcda02ce7f680_exe32.exe
Size

204KB
MD5

aa0ab72f936509efe89bcda02ce7f680
SHA1

e219e947f1867c48043a5fc699dcc61c7c280148
SHA256

e097498c867f1baf28d47c6780fc8d778b7daffa0ded12375f077cc5d4bdd024
SHA512

7003c4f95b7e782a81e79f5ca17583f813dde37106bad66142c09b8f9b9308db96b17e1599492a6b9502ca2950e1d8bd5f54310631ccad45662086a64f7a829b
SSDEEP

1536:1EGh0oIl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oIl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B9F4275-0E09-4b70-B479-763EB471F59F}	{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}\stubpath = "C:\\Windows\\{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe"	{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6A53552-65A1-4470-B6A9-5375095BEAD5}	{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88C5E8B3-9525-4aaf-B40B-120302A46253}\stubpath = "C:\\Windows\\{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe"	{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}	{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DB340F0-79A3-406a-BCCF-AEE8463D7773}	{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}\stubpath = "C:\\Windows\\{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe"	{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}\stubpath = "C:\\Windows\\{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}.exe"	{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F2900B4-F490-492a-8912-35E287A3D891}	{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6A53552-65A1-4470-B6A9-5375095BEAD5}\stubpath = "C:\\Windows\\{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe"	{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}\stubpath = "C:\\Windows\\{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe"	{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DB340F0-79A3-406a-BCCF-AEE8463D7773}\stubpath = "C:\\Windows\\{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe"	{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B9F4275-0E09-4b70-B479-763EB471F59F}\stubpath = "C:\\Windows\\{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe"	{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B7E61C3-11B9-403d-91EF-242555EDF3B4}\stubpath = "C:\\Windows\\{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe"	{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B49FABB7-8A43-4111-86E1-77508B4E0ABF}	aa0ab72f936509efe89bcda02ce7f680_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B49FABB7-8A43-4111-86E1-77508B4E0ABF}\stubpath = "C:\\Windows\\{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe"	aa0ab72f936509efe89bcda02ce7f680_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B7E61C3-11B9-403d-91EF-242555EDF3B4}	{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F2900B4-F490-492a-8912-35E287A3D891}\stubpath = "C:\\Windows\\{1F2900B4-F490-492a-8912-35E287A3D891}.exe"	{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}	{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88C5E8B3-9525-4aaf-B40B-120302A46253}	{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}	{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}\stubpath = "C:\\Windows\\{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe"	{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}	{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}	{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe

Executes dropped EXE 12 IoCs

pid	Process
4420	{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe
3536	{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe
5116	{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe
4436	{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe
1800	{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe
2588	{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe
1044	{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe
1060	{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe
3824	{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe
1568	{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe
628	{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}.exe
2432	{1F2900B4-F490-492a-8912-35E287A3D891}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe	{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe
File created	C:\Windows\{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe	aa0ab72f936509efe89bcda02ce7f680_exe32.exe
File created	C:\Windows\{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe	{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe
File created	C:\Windows\{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe	{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe
File created	C:\Windows\{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe	{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe
File created	C:\Windows\{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe	{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe
File created	C:\Windows\{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}.exe	{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe
File created	C:\Windows\{1F2900B4-F490-492a-8912-35E287A3D891}.exe	{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}.exe
File created	C:\Windows\{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe	{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe
File created	C:\Windows\{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe	{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe
File created	C:\Windows\{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe	{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe
File created	C:\Windows\{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe	{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1220	aa0ab72f936509efe89bcda02ce7f680_exe32.exe
Token: SeIncBasePriorityPrivilege	4420	{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe
Token: SeIncBasePriorityPrivilege	3536	{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe
Token: SeIncBasePriorityPrivilege	5116	{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe
Token: SeIncBasePriorityPrivilege	4436	{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe
Token: SeIncBasePriorityPrivilege	1800	{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe
Token: SeIncBasePriorityPrivilege	2588	{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe
Token: SeIncBasePriorityPrivilege	1044	{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe
Token: SeIncBasePriorityPrivilege	1060	{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe
Token: SeIncBasePriorityPrivilege	3824	{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe
Token: SeIncBasePriorityPrivilege	1568	{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe
Token: SeIncBasePriorityPrivilege	628	{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 4420	1220	aa0ab72f936509efe89bcda02ce7f680_exe32.exe	87
PID 1220 wrote to memory of 4420	1220	aa0ab72f936509efe89bcda02ce7f680_exe32.exe	87
PID 1220 wrote to memory of 4420	1220	aa0ab72f936509efe89bcda02ce7f680_exe32.exe	87
PID 1220 wrote to memory of 4844	1220	aa0ab72f936509efe89bcda02ce7f680_exe32.exe	88
PID 1220 wrote to memory of 4844	1220	aa0ab72f936509efe89bcda02ce7f680_exe32.exe	88
PID 1220 wrote to memory of 4844	1220	aa0ab72f936509efe89bcda02ce7f680_exe32.exe	88
PID 4420 wrote to memory of 3536	4420	{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe	92
PID 4420 wrote to memory of 3536	4420	{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe	92
PID 4420 wrote to memory of 3536	4420	{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe	92
PID 4420 wrote to memory of 2704	4420	{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe	93
PID 4420 wrote to memory of 2704	4420	{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe	93
PID 4420 wrote to memory of 2704	4420	{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe	93
PID 3536 wrote to memory of 5116	3536	{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe	96
PID 3536 wrote to memory of 5116	3536	{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe	96
PID 3536 wrote to memory of 5116	3536	{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe	96
PID 3536 wrote to memory of 4208	3536	{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe	95
PID 3536 wrote to memory of 4208	3536	{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe	95
PID 3536 wrote to memory of 4208	3536	{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe	95
PID 5116 wrote to memory of 4436	5116	{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe	105
PID 5116 wrote to memory of 4436	5116	{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe	105
PID 5116 wrote to memory of 4436	5116	{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe	105
PID 5116 wrote to memory of 1112	5116	{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe	106
PID 5116 wrote to memory of 1112	5116	{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe	106
PID 5116 wrote to memory of 1112	5116	{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe	106
PID 4436 wrote to memory of 1800	4436	{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe	107
PID 4436 wrote to memory of 1800	4436	{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe	107
PID 4436 wrote to memory of 1800	4436	{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe	107
PID 4436 wrote to memory of 2248	4436	{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe	108
PID 4436 wrote to memory of 2248	4436	{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe	108
PID 4436 wrote to memory of 2248	4436	{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe	108
PID 1800 wrote to memory of 2588	1800	{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe	109
PID 1800 wrote to memory of 2588	1800	{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe	109
PID 1800 wrote to memory of 2588	1800	{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe	109
PID 1800 wrote to memory of 2924	1800	{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe	110
PID 1800 wrote to memory of 2924	1800	{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe	110
PID 1800 wrote to memory of 2924	1800	{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe	110
PID 2588 wrote to memory of 1044	2588	{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe	112
PID 2588 wrote to memory of 1044	2588	{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe	112
PID 2588 wrote to memory of 1044	2588	{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe	112
PID 2588 wrote to memory of 3416	2588	{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe	113
PID 2588 wrote to memory of 3416	2588	{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe	113
PID 2588 wrote to memory of 3416	2588	{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe	113
PID 1044 wrote to memory of 1060	1044	{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe	114
PID 1044 wrote to memory of 1060	1044	{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe	114
PID 1044 wrote to memory of 1060	1044	{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe	114
PID 1044 wrote to memory of 2876	1044	{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe	115
PID 1044 wrote to memory of 2876	1044	{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe	115
PID 1044 wrote to memory of 2876	1044	{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe	115
PID 1060 wrote to memory of 3824	1060	{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe	116
PID 1060 wrote to memory of 3824	1060	{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe	116
PID 1060 wrote to memory of 3824	1060	{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe	116
PID 1060 wrote to memory of 1784	1060	{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe	117
PID 1060 wrote to memory of 1784	1060	{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe	117
PID 1060 wrote to memory of 1784	1060	{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe	117
PID 3824 wrote to memory of 1568	3824	{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe	118
PID 3824 wrote to memory of 1568	3824	{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe	118
PID 3824 wrote to memory of 1568	3824	{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe	118
PID 3824 wrote to memory of 4140	3824	{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe	119
PID 3824 wrote to memory of 4140	3824	{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe	119
PID 3824 wrote to memory of 4140	3824	{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe	119
PID 1568 wrote to memory of 628	1568	{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe	120
PID 1568 wrote to memory of 628	1568	{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe	120
PID 1568 wrote to memory of 628	1568	{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe	120
PID 1568 wrote to memory of 2888	1568	{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe	121

C:\Users\Admin\AppData\Local\Temp\aa0ab72f936509efe89bcda02ce7f680_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\aa0ab72f936509efe89bcda02ce7f680_exe32.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe
  C:\Windows\{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe
    C:\Windows\{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A6A53~1.EXE > nul
      4⤵
      PID:4208
  - - C:\Windows\{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe
      C:\Windows\{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Windows\{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe
        
        C:\Windows\{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
      - C:\Windows\{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe
        
        C:\Windows\{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe
        
        C:\Windows\{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe
        
        C:\Windows\{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe
        
        C:\Windows\{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe
        
        C:\Windows\{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe
        
        C:\Windows\{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}.exe
        
        C:\Windows\{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\{1F2900B4-F490-492a-8912-35E287A3D891}.exe
        
        C:\Windows\{1F2900B4-F490-492a-8912-35E287A3D891}.exe
        13⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18DB5~1.EXE > nul
        13⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B7E6~1.EXE > nul
        12⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD9E4~1.EXE > nul
        11⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B9F4~1.EXE > nul
        10⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B717C~1.EXE > nul
        9⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DB34~1.EXE > nul
        8⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0A7D~1.EXE > nul
        7⤵
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FD70~1.EXE > nul
        6⤵
        
        PID:2248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88C5E~1.EXE > nul
        5⤵
        
        PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B49FA~1.EXE > nul
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AA0AB7~1.EXE > nul
  2⤵
  PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}.exe

Filesize
204KB

MD5
ef4b37c302c9fd8d6ef3a562c75cfcd7

SHA1
9f79933281db6f29c9575bd94c5de2b7feb68924

SHA256
4918c0b6c979622d35fd860f4424b1ee8f3f8c4c473c07a77942b30219855db0

SHA512
d67aad839427ac29dc827a476ffb563e25a7aca3851982b98274fa3f4b45c2103da839aa6269a5d6b0d7caf20f1f6bb2ec53c340a9f22a3496cd857060777e2a

Download Submit
C:\Windows\{18DB51A6-4E7B-4a10-A3BD-B5882BB86054}.exe

Filesize
204KB

MD5
ef4b37c302c9fd8d6ef3a562c75cfcd7

SHA1
9f79933281db6f29c9575bd94c5de2b7feb68924

SHA256
4918c0b6c979622d35fd860f4424b1ee8f3f8c4c473c07a77942b30219855db0

SHA512
d67aad839427ac29dc827a476ffb563e25a7aca3851982b98274fa3f4b45c2103da839aa6269a5d6b0d7caf20f1f6bb2ec53c340a9f22a3496cd857060777e2a

Download Submit
C:\Windows\{1F2900B4-F490-492a-8912-35E287A3D891}.exe

Filesize
204KB

MD5
b6081023c7410381b178e3204c49ac30

SHA1
942d4893a033fd769cb70bc9b4441253a325cb7c

SHA256
768fafc411a57fa5a58cebde1a74a3ab6036ac48541640c57d7dc9cccffd14bf

SHA512
a49c92cb31d8c970b8d7f1a25dcc9c96c395f1d9bccfd712d93c13dfdd46cd423a4c37aac2d93ccafa08e91bd18dd80c063cb6ab3314870291e723f842f367d4

Download Submit
C:\Windows\{1F2900B4-F490-492a-8912-35E287A3D891}.exe

Filesize
204KB

MD5
b6081023c7410381b178e3204c49ac30

SHA1
942d4893a033fd769cb70bc9b4441253a325cb7c

SHA256
768fafc411a57fa5a58cebde1a74a3ab6036ac48541640c57d7dc9cccffd14bf

SHA512
a49c92cb31d8c970b8d7f1a25dcc9c96c395f1d9bccfd712d93c13dfdd46cd423a4c37aac2d93ccafa08e91bd18dd80c063cb6ab3314870291e723f842f367d4

Download Submit
C:\Windows\{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe

Filesize
204KB

MD5
d9be0dab9cb67e81ee5fc5317d9c48cc

SHA1
bf5193263a25b62b5dd96fd31ab2cfaab13a0339

SHA256
b6f297bd8ae16c525dfb2cfa65f82c3f015a7580f75f7ff03805177e71715665

SHA512
ff01136f09d8afc9b6e3686951b767be73b9f2a5fede28510b16a8b607b45a1aadd3c057681a7760b0996ac653deeaf5e7771c1d774befbf606a20577b64f508

Download Submit
C:\Windows\{2B7E61C3-11B9-403d-91EF-242555EDF3B4}.exe

Filesize
204KB

MD5
d9be0dab9cb67e81ee5fc5317d9c48cc

SHA1
bf5193263a25b62b5dd96fd31ab2cfaab13a0339

SHA256
b6f297bd8ae16c525dfb2cfa65f82c3f015a7580f75f7ff03805177e71715665

SHA512
ff01136f09d8afc9b6e3686951b767be73b9f2a5fede28510b16a8b607b45a1aadd3c057681a7760b0996ac653deeaf5e7771c1d774befbf606a20577b64f508

Download Submit
C:\Windows\{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe

Filesize
204KB

MD5
ac2793501eb5e64425229e51a562acb0

SHA1
c346bfcc1fdf40e83d8af112e48748f71876b528

SHA256
6ebc7c4c978f5ce83b94b67e815177fdf1d950d873293cb68f001997689fad7e

SHA512
47a9e6f07622541d94a6b48cbbc54a97bf83e870de02f504a575c4be8debe6ce5ae80d6e5f6324b5160eeb638ba0ba7b201667e07288bfccebead60aacb2001b

Download Submit
C:\Windows\{4DB340F0-79A3-406a-BCCF-AEE8463D7773}.exe

Filesize
204KB

MD5
ac2793501eb5e64425229e51a562acb0

SHA1
c346bfcc1fdf40e83d8af112e48748f71876b528

SHA256
6ebc7c4c978f5ce83b94b67e815177fdf1d950d873293cb68f001997689fad7e

SHA512
47a9e6f07622541d94a6b48cbbc54a97bf83e870de02f504a575c4be8debe6ce5ae80d6e5f6324b5160eeb638ba0ba7b201667e07288bfccebead60aacb2001b

Download Submit
C:\Windows\{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe

Filesize
204KB

MD5
f23cb3add639bf5c49e70eaddc8d8f36

SHA1
8d906a41d43699fc874f51028f250eace6930a59

SHA256
ffb7663d683f62ced906f10badee9bd531236e335288d92bc19d2097e12615e2

SHA512
87cbe14e6714553116aed0d44bd72e20ae66b4b007b141a5c50f7c2071de81ed850d637517f26edf18967189f79a3325c8c6136a34cb8c6ea65beff2e535f58a

Download Submit
C:\Windows\{4FD70F80-90A3-48f8-BE29-3707DEDAF22A}.exe

Filesize
204KB

MD5
f23cb3add639bf5c49e70eaddc8d8f36

SHA1
8d906a41d43699fc874f51028f250eace6930a59

SHA256
ffb7663d683f62ced906f10badee9bd531236e335288d92bc19d2097e12615e2

SHA512
87cbe14e6714553116aed0d44bd72e20ae66b4b007b141a5c50f7c2071de81ed850d637517f26edf18967189f79a3325c8c6136a34cb8c6ea65beff2e535f58a

Download Submit
C:\Windows\{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe

Filesize
204KB

MD5
11c26f11aa566df0a9254ecc25413262

SHA1
e8445298c50e9ae01d2788809235900c915372de

SHA256
aa60c0bad646ffafa729be10d7e23d4c7b16ce8f71d9e0b7ff72e0d60998c920

SHA512
b851f7eed84a73aab1d98b26a7acaa367c59728bcaa49c06b7bb6995502de8c184acd3a59b137bea328e5a5a0df95b005efc918ebe47d087c7efc9b16556e95c

Download Submit
C:\Windows\{6B9F4275-0E09-4b70-B479-763EB471F59F}.exe

Filesize
204KB

MD5
11c26f11aa566df0a9254ecc25413262

SHA1
e8445298c50e9ae01d2788809235900c915372de

SHA256
aa60c0bad646ffafa729be10d7e23d4c7b16ce8f71d9e0b7ff72e0d60998c920

SHA512
b851f7eed84a73aab1d98b26a7acaa367c59728bcaa49c06b7bb6995502de8c184acd3a59b137bea328e5a5a0df95b005efc918ebe47d087c7efc9b16556e95c

Download Submit
C:\Windows\{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe

Filesize
204KB

MD5
317de058f3658eba78bb85eded83b403

SHA1
32e8b41374c065759f31f0d9a7e6ae7aea9f08cf

SHA256
7c8adeb00fff9b84c85e74ac1a1f1f1e84539b4633acdb09ee52b493e4a83f88

SHA512
1ce3b77bd529307a9ac506397a6bbcfae05a9d682b6db76bd2420c56ff4d488b74239d582ac3232e704a852ddcec1617335fabb6f5bee905b82fd1ffc33dd6f9

Download Submit
C:\Windows\{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe

Filesize
204KB

MD5
317de058f3658eba78bb85eded83b403

SHA1
32e8b41374c065759f31f0d9a7e6ae7aea9f08cf

SHA256
7c8adeb00fff9b84c85e74ac1a1f1f1e84539b4633acdb09ee52b493e4a83f88

SHA512
1ce3b77bd529307a9ac506397a6bbcfae05a9d682b6db76bd2420c56ff4d488b74239d582ac3232e704a852ddcec1617335fabb6f5bee905b82fd1ffc33dd6f9

Download Submit
C:\Windows\{88C5E8B3-9525-4aaf-B40B-120302A46253}.exe

Filesize
204KB

MD5
317de058f3658eba78bb85eded83b403

SHA1
32e8b41374c065759f31f0d9a7e6ae7aea9f08cf

SHA256
7c8adeb00fff9b84c85e74ac1a1f1f1e84539b4633acdb09ee52b493e4a83f88

SHA512
1ce3b77bd529307a9ac506397a6bbcfae05a9d682b6db76bd2420c56ff4d488b74239d582ac3232e704a852ddcec1617335fabb6f5bee905b82fd1ffc33dd6f9

Download Submit
C:\Windows\{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe

Filesize
204KB

MD5
ba6840b76bd90f5ac07a7d97291cff82

SHA1
3094df0d52e6b6c2e6a5618d7048f10530955166

SHA256
c79bd7444e3604d1f483dc61a74b1fdaad4986d42308156df6f2511ebaf4bf5c

SHA512
5edd4b90daff359716a7fb555e118916d3b1615521787088b702de9a20b6a52a87a11a53e65d52d37536f1d7ae9d0914306b6d0149a6ebc4d569124b4f3d04cf

Download Submit
C:\Windows\{A6A53552-65A1-4470-B6A9-5375095BEAD5}.exe

Filesize
204KB

MD5
ba6840b76bd90f5ac07a7d97291cff82

SHA1
3094df0d52e6b6c2e6a5618d7048f10530955166

SHA256
c79bd7444e3604d1f483dc61a74b1fdaad4986d42308156df6f2511ebaf4bf5c

SHA512
5edd4b90daff359716a7fb555e118916d3b1615521787088b702de9a20b6a52a87a11a53e65d52d37536f1d7ae9d0914306b6d0149a6ebc4d569124b4f3d04cf

Download Submit
C:\Windows\{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe

Filesize
204KB

MD5
7dada283f43fd259cb19910d7ef92e6a

SHA1
df2dc2cb6b1c3e0a4cf6ceda2057c87317b1976b

SHA256
25a1147bcc2b14fb09b5ea3106a0bedf86a3db0919227534b983c5ef0394c761

SHA512
55e1947e5749fc3afa5aecbd791a751cf8377dc4357a831f646b1d9b29e115caf0b40debd2bddf7c6b03ea015528d9ef3e298010f94337a84ae93bd395f396b6

Download Submit
C:\Windows\{AD9E41D6-1C6F-44ad-A5C7-A6451251F920}.exe

Filesize
204KB

MD5
7dada283f43fd259cb19910d7ef92e6a

SHA1
df2dc2cb6b1c3e0a4cf6ceda2057c87317b1976b

SHA256
25a1147bcc2b14fb09b5ea3106a0bedf86a3db0919227534b983c5ef0394c761

SHA512
55e1947e5749fc3afa5aecbd791a751cf8377dc4357a831f646b1d9b29e115caf0b40debd2bddf7c6b03ea015528d9ef3e298010f94337a84ae93bd395f396b6

Download Submit
C:\Windows\{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe

Filesize
204KB

MD5
fa486d0d7aa3d02aad0383177b4d3101

SHA1
1463b91ff99a15ddb5e820b479ac790e1ad2ad68

SHA256
dd8fa56bdc35838749f23399e9a30a8134c28cb416605aa5cf0144124b32e722

SHA512
419c37b38f8fdccf3e4414637d30df70966ed410488a53604ef8e8960e03bca28a16b72ed2b40ea5d03fb1315da5396b1f44cb41cc3520e85adc47df975e7f27

Download Submit
C:\Windows\{B49FABB7-8A43-4111-86E1-77508B4E0ABF}.exe

Filesize
204KB

MD5
fa486d0d7aa3d02aad0383177b4d3101

SHA1
1463b91ff99a15ddb5e820b479ac790e1ad2ad68

SHA256
dd8fa56bdc35838749f23399e9a30a8134c28cb416605aa5cf0144124b32e722

SHA512
419c37b38f8fdccf3e4414637d30df70966ed410488a53604ef8e8960e03bca28a16b72ed2b40ea5d03fb1315da5396b1f44cb41cc3520e85adc47df975e7f27

Download Submit
C:\Windows\{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe

Filesize
204KB

MD5
26fa31e806ea24cce2ff7de7d4f6666a

SHA1
009f5a16dbd1ee4a5816c8569a35a1a2d23eea42

SHA256
0e27d8990c082265d8e0d0078dbca2d715d30da15c2b2accc6e01496d2573d04

SHA512
eb74eb2c5fcb7173af3d12f2c603d4a2e8f9c21914625b7ba36cbbbb8150132dc30142691be401b075abecd223072e83baffbf3789c760c6daeed483330600de

Download Submit
C:\Windows\{B717CEE0-ECA3-4a22-B12D-CB85FBA123B0}.exe

Filesize
204KB

MD5
26fa31e806ea24cce2ff7de7d4f6666a

SHA1
009f5a16dbd1ee4a5816c8569a35a1a2d23eea42

SHA256
0e27d8990c082265d8e0d0078dbca2d715d30da15c2b2accc6e01496d2573d04

SHA512
eb74eb2c5fcb7173af3d12f2c603d4a2e8f9c21914625b7ba36cbbbb8150132dc30142691be401b075abecd223072e83baffbf3789c760c6daeed483330600de

Download Submit
C:\Windows\{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe

Filesize
204KB

MD5
214114c8d80ccb5ca7709668b7871cd1

SHA1
b9b02649033f89f85c9dafdcae86c6b86b71af0f

SHA256
4337b0cc9dc3e95c21be6326e42f224dde8d6a2ff6088efe3a2fbaaef0c4914d

SHA512
2bd5e2d7f5e1d03b3b1178f67bdabd6b024b54e4c3ccdb518cd49612b503d3202f6b63da70600775545270dbda588cb283c6b2bd44770710af618c0a2021a520

Download Submit
C:\Windows\{C0A7DDC2-424C-4ccd-B8CB-F976AF0CFCA0}.exe

Filesize
204KB

MD5
214114c8d80ccb5ca7709668b7871cd1

SHA1
b9b02649033f89f85c9dafdcae86c6b86b71af0f

SHA256
4337b0cc9dc3e95c21be6326e42f224dde8d6a2ff6088efe3a2fbaaef0c4914d

SHA512
2bd5e2d7f5e1d03b3b1178f67bdabd6b024b54e4c3ccdb518cd49612b503d3202f6b63da70600775545270dbda588cb283c6b2bd44770710af618c0a2021a520

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads