88814c8b8dd2adb27dc732fbb6aed30464738c5cbc028fe0ba32c06ca7cad868

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c06d57218ad65d7cb759b1cc663e5260_exe32.exe
Size

103KB
MD5

c06d57218ad65d7cb759b1cc663e5260
SHA1

fa7fa0bb896ef65c4308678913a5b2f1e78848e6
SHA256

88814c8b8dd2adb27dc732fbb6aed30464738c5cbc028fe0ba32c06ca7cad868
SHA512

a13ef86ba56952ecfc90c7ce0f4a20039434304cd20f7723580ebf3c695db09d5162916bf631c8822e7d09c0fee864ad11bbebe6d1cd62dedfeac5b7e7977fa3
SSDEEP

768:Qvw9816vhKQLroF4/wQRNrfrunMxVFA3b7glwRjMlfwGxEIU:YEGh0oFl2unMxVS3Hgdor

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}\stubpath = "C:\\Windows\\{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe"	c06d57218ad65d7cb759b1cc663e5260_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5512E279-A784-4e50-9437-99E497B8ACE3}	{AC14BAE4-8170-4214-9B09-65B802675F25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98BE973C-2D2E-42b8-908F-407A15318226}	{5512E279-A784-4e50-9437-99E497B8ACE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}	{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1E56D1D-05DD-4cf5-8716-133013FE9451}\stubpath = "C:\\Windows\\{A1E56D1D-05DD-4cf5-8716-133013FE9451}.exe"	{FC835F25-06F7-4df7-8513-C09E6A2740FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA7E5F26-1908-4402-BDD8-938A11A641E1}\stubpath = "C:\\Windows\\{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe"	{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5512E279-A784-4e50-9437-99E497B8ACE3}\stubpath = "C:\\Windows\\{5512E279-A784-4e50-9437-99E497B8ACE3}.exe"	{AC14BAE4-8170-4214-9B09-65B802675F25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98BE973C-2D2E-42b8-908F-407A15318226}\stubpath = "C:\\Windows\\{98BE973C-2D2E-42b8-908F-407A15318226}.exe"	{5512E279-A784-4e50-9437-99E497B8ACE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}	{98BE973C-2D2E-42b8-908F-407A15318226}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}	{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}\stubpath = "C:\\Windows\\{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe"	{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1E56D1D-05DD-4cf5-8716-133013FE9451}	{FC835F25-06F7-4df7-8513-C09E6A2740FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}	c06d57218ad65d7cb759b1cc663e5260_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA7E5F26-1908-4402-BDD8-938A11A641E1}	{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC14BAE4-8170-4214-9B09-65B802675F25}	{24261635-FBA7-4a79-A324-003EB742D70B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC14BAE4-8170-4214-9B09-65B802675F25}\stubpath = "C:\\Windows\\{AC14BAE4-8170-4214-9B09-65B802675F25}.exe"	{24261635-FBA7-4a79-A324-003EB742D70B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8563E492-8F78-432c-ACE3-FFFDF4A331AC}	{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC835F25-06F7-4df7-8513-C09E6A2740FB}	{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24261635-FBA7-4a79-A324-003EB742D70B}	{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24261635-FBA7-4a79-A324-003EB742D70B}\stubpath = "C:\\Windows\\{24261635-FBA7-4a79-A324-003EB742D70B}.exe"	{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}\stubpath = "C:\\Windows\\{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe"	{98BE973C-2D2E-42b8-908F-407A15318226}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8563E492-8F78-432c-ACE3-FFFDF4A331AC}\stubpath = "C:\\Windows\\{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe"	{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}\stubpath = "C:\\Windows\\{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe"	{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC835F25-06F7-4df7-8513-C09E6A2740FB}\stubpath = "C:\\Windows\\{FC835F25-06F7-4df7-8513-C09E6A2740FB}.exe"	{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe

Executes dropped EXE 12 IoCs

pid	Process
5032	{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe
1068	{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe
2812	{24261635-FBA7-4a79-A324-003EB742D70B}.exe
2244	{AC14BAE4-8170-4214-9B09-65B802675F25}.exe
3356	{5512E279-A784-4e50-9437-99E497B8ACE3}.exe
3952	{98BE973C-2D2E-42b8-908F-407A15318226}.exe
1660	{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe
3416	{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe
1200	{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe
3512	{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe
964	{FC835F25-06F7-4df7-8513-C09E6A2740FB}.exe
620	{A1E56D1D-05DD-4cf5-8716-133013FE9451}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe	{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe
File created	C:\Windows\{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe	{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe
File created	C:\Windows\{FC835F25-06F7-4df7-8513-C09E6A2740FB}.exe	{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe
File created	C:\Windows\{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe	{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe
File created	C:\Windows\{24261635-FBA7-4a79-A324-003EB742D70B}.exe	{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe
File created	C:\Windows\{5512E279-A784-4e50-9437-99E497B8ACE3}.exe	{AC14BAE4-8170-4214-9B09-65B802675F25}.exe
File created	C:\Windows\{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe	{98BE973C-2D2E-42b8-908F-407A15318226}.exe
File created	C:\Windows\{A1E56D1D-05DD-4cf5-8716-133013FE9451}.exe	{FC835F25-06F7-4df7-8513-C09E6A2740FB}.exe
File created	C:\Windows\{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe	c06d57218ad65d7cb759b1cc663e5260_exe32.exe
File created	C:\Windows\{AC14BAE4-8170-4214-9B09-65B802675F25}.exe	{24261635-FBA7-4a79-A324-003EB742D70B}.exe
File created	C:\Windows\{98BE973C-2D2E-42b8-908F-407A15318226}.exe	{5512E279-A784-4e50-9437-99E497B8ACE3}.exe
File created	C:\Windows\{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe	{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3800	c06d57218ad65d7cb759b1cc663e5260_exe32.exe
Token: SeIncBasePriorityPrivilege	5032	{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe
Token: SeIncBasePriorityPrivilege	1068	{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe
Token: SeIncBasePriorityPrivilege	2812	{24261635-FBA7-4a79-A324-003EB742D70B}.exe
Token: SeIncBasePriorityPrivilege	2244	{AC14BAE4-8170-4214-9B09-65B802675F25}.exe
Token: SeIncBasePriorityPrivilege	3356	{5512E279-A784-4e50-9437-99E497B8ACE3}.exe
Token: SeIncBasePriorityPrivilege	3952	{98BE973C-2D2E-42b8-908F-407A15318226}.exe
Token: SeIncBasePriorityPrivilege	1660	{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe
Token: SeIncBasePriorityPrivilege	3416	{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe
Token: SeIncBasePriorityPrivilege	1200	{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe
Token: SeIncBasePriorityPrivilege	3512	{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe
Token: SeIncBasePriorityPrivilege	964	{FC835F25-06F7-4df7-8513-C09E6A2740FB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 5032	3800	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	87
PID 3800 wrote to memory of 5032	3800	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	87
PID 3800 wrote to memory of 5032	3800	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	87
PID 3800 wrote to memory of 2380	3800	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	88
PID 3800 wrote to memory of 2380	3800	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	88
PID 3800 wrote to memory of 2380	3800	c06d57218ad65d7cb759b1cc663e5260_exe32.exe	88
PID 5032 wrote to memory of 1068	5032	{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe	92
PID 5032 wrote to memory of 1068	5032	{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe	92
PID 5032 wrote to memory of 1068	5032	{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe	92
PID 5032 wrote to memory of 2192	5032	{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe	93
PID 5032 wrote to memory of 2192	5032	{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe	93
PID 5032 wrote to memory of 2192	5032	{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe	93
PID 1068 wrote to memory of 2812	1068	{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe	95
PID 1068 wrote to memory of 2812	1068	{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe	95
PID 1068 wrote to memory of 2812	1068	{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe	95
PID 1068 wrote to memory of 4920	1068	{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe	96
PID 1068 wrote to memory of 4920	1068	{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe	96
PID 1068 wrote to memory of 4920	1068	{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe	96
PID 2812 wrote to memory of 2244	2812	{24261635-FBA7-4a79-A324-003EB742D70B}.exe	104
PID 2812 wrote to memory of 2244	2812	{24261635-FBA7-4a79-A324-003EB742D70B}.exe	104
PID 2812 wrote to memory of 2244	2812	{24261635-FBA7-4a79-A324-003EB742D70B}.exe	104
PID 2812 wrote to memory of 3436	2812	{24261635-FBA7-4a79-A324-003EB742D70B}.exe	105
PID 2812 wrote to memory of 3436	2812	{24261635-FBA7-4a79-A324-003EB742D70B}.exe	105
PID 2812 wrote to memory of 3436	2812	{24261635-FBA7-4a79-A324-003EB742D70B}.exe	105
PID 2244 wrote to memory of 3356	2244	{AC14BAE4-8170-4214-9B09-65B802675F25}.exe	106
PID 2244 wrote to memory of 3356	2244	{AC14BAE4-8170-4214-9B09-65B802675F25}.exe	106
PID 2244 wrote to memory of 3356	2244	{AC14BAE4-8170-4214-9B09-65B802675F25}.exe	106
PID 2244 wrote to memory of 4896	2244	{AC14BAE4-8170-4214-9B09-65B802675F25}.exe	107
PID 2244 wrote to memory of 4896	2244	{AC14BAE4-8170-4214-9B09-65B802675F25}.exe	107
PID 2244 wrote to memory of 4896	2244	{AC14BAE4-8170-4214-9B09-65B802675F25}.exe	107
PID 3356 wrote to memory of 3952	3356	{5512E279-A784-4e50-9437-99E497B8ACE3}.exe	108
PID 3356 wrote to memory of 3952	3356	{5512E279-A784-4e50-9437-99E497B8ACE3}.exe	108
PID 3356 wrote to memory of 3952	3356	{5512E279-A784-4e50-9437-99E497B8ACE3}.exe	108
PID 3356 wrote to memory of 4960	3356	{5512E279-A784-4e50-9437-99E497B8ACE3}.exe	109
PID 3356 wrote to memory of 4960	3356	{5512E279-A784-4e50-9437-99E497B8ACE3}.exe	109
PID 3356 wrote to memory of 4960	3356	{5512E279-A784-4e50-9437-99E497B8ACE3}.exe	109
PID 3952 wrote to memory of 1660	3952	{98BE973C-2D2E-42b8-908F-407A15318226}.exe	111
PID 3952 wrote to memory of 1660	3952	{98BE973C-2D2E-42b8-908F-407A15318226}.exe	111
PID 3952 wrote to memory of 1660	3952	{98BE973C-2D2E-42b8-908F-407A15318226}.exe	111
PID 3952 wrote to memory of 3352	3952	{98BE973C-2D2E-42b8-908F-407A15318226}.exe	112
PID 3952 wrote to memory of 3352	3952	{98BE973C-2D2E-42b8-908F-407A15318226}.exe	112
PID 3952 wrote to memory of 3352	3952	{98BE973C-2D2E-42b8-908F-407A15318226}.exe	112
PID 1660 wrote to memory of 3416	1660	{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe	113
PID 1660 wrote to memory of 3416	1660	{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe	113
PID 1660 wrote to memory of 3416	1660	{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe	113
PID 1660 wrote to memory of 952	1660	{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe	114
PID 1660 wrote to memory of 952	1660	{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe	114
PID 1660 wrote to memory of 952	1660	{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe	114
PID 3416 wrote to memory of 1200	3416	{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe	115
PID 3416 wrote to memory of 1200	3416	{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe	115
PID 3416 wrote to memory of 1200	3416	{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe	115
PID 3416 wrote to memory of 3864	3416	{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe	116
PID 3416 wrote to memory of 3864	3416	{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe	116
PID 3416 wrote to memory of 3864	3416	{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe	116
PID 1200 wrote to memory of 3512	1200	{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe	117
PID 1200 wrote to memory of 3512	1200	{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe	117
PID 1200 wrote to memory of 3512	1200	{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe	117
PID 1200 wrote to memory of 2524	1200	{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe	118
PID 1200 wrote to memory of 2524	1200	{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe	118
PID 1200 wrote to memory of 2524	1200	{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe	118
PID 3512 wrote to memory of 964	3512	{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe	119
PID 3512 wrote to memory of 964	3512	{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe	119
PID 3512 wrote to memory of 964	3512	{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe	119
PID 3512 wrote to memory of 3984	3512	{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe	120

C:\Users\Admin\AppData\Local\Temp\c06d57218ad65d7cb759b1cc663e5260_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\c06d57218ad65d7cb759b1cc663e5260_exe32.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe
  C:\Windows\{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe
    C:\Windows\{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\{24261635-FBA7-4a79-A324-003EB742D70B}.exe
      C:\Windows\{24261635-FBA7-4a79-A324-003EB742D70B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{AC14BAE4-8170-4214-9B09-65B802675F25}.exe
        
        C:\Windows\{AC14BAE4-8170-4214-9B09-65B802675F25}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\{5512E279-A784-4e50-9437-99E497B8ACE3}.exe
        
        C:\Windows\{5512E279-A784-4e50-9437-99E497B8ACE3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\{98BE973C-2D2E-42b8-908F-407A15318226}.exe
        
        C:\Windows\{98BE973C-2D2E-42b8-908F-407A15318226}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe
        
        C:\Windows\{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe
        
        C:\Windows\{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe
        
        C:\Windows\{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe
        
        C:\Windows\{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\{FC835F25-06F7-4df7-8513-C09E6A2740FB}.exe
        
        C:\Windows\{FC835F25-06F7-4df7-8513-C09E6A2740FB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC835~1.EXE > nul
        13⤵
        
        PID:4464
        
        C:\Windows\{A1E56D1D-05DD-4cf5-8716-133013FE9451}.exe
        
        C:\Windows\{A1E56D1D-05DD-4cf5-8716-133013FE9451}.exe
        13⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF697~1.EXE > nul
        12⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FFC6~1.EXE > nul
        11⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8563E~1.EXE > nul
        10⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FCF2~1.EXE > nul
        9⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98BE9~1.EXE > nul
        8⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5512E~1.EXE > nul
        7⤵
        
        PID:4960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC14B~1.EXE > nul
        6⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24261~1.EXE > nul
        5⤵
        
        PID:3436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BA7E5~1.EXE > nul
      4⤵
      PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C712D~1.EXE > nul
    3⤵
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C06D57~1.EXE > nul
  2⤵
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe

Filesize
103KB

MD5
1449a839f38da02de6c2d6f1b93557ba

SHA1
05090836d02cc0c95596e9718808e761b824a9a1

SHA256
082cbe2bdcb96acbe4e4cacb20d9a30fdc6590744f5dd06ca01d52103154090d

SHA512
ce811af0797ab787558b143e461b1301d053c229c000a73a17cb83a56c2cfdbd5886efd0ee3e4328976eb13c1ee4ab304ee00471edd348802665dec652f8c17a

Download Submit
C:\Windows\{1FCF2A5E-ED03-4dd7-B884-8CA5FA08C337}.exe

Filesize
103KB

MD5
1449a839f38da02de6c2d6f1b93557ba

SHA1
05090836d02cc0c95596e9718808e761b824a9a1

SHA256
082cbe2bdcb96acbe4e4cacb20d9a30fdc6590744f5dd06ca01d52103154090d

SHA512
ce811af0797ab787558b143e461b1301d053c229c000a73a17cb83a56c2cfdbd5886efd0ee3e4328976eb13c1ee4ab304ee00471edd348802665dec652f8c17a

Download Submit
C:\Windows\{24261635-FBA7-4a79-A324-003EB742D70B}.exe

Filesize
103KB

MD5
82462334e38b5113cd455b1ccd75824a

SHA1
cc1f64d4949f90a1afdb09d65a274a7bef6abc04

SHA256
0f164ff0be2d2c8c84622c1ae90ce1cb0ecdf267bb586f1c3bc56e5955ba7071

SHA512
caecd29be12cf83953f09da5198d7789610517ec30bca4abbbd1b0fedcbea206f1a015afac32e4524f9b326970305ab1c6373721efd417dd4a3e5a659cea0dcb

Download Submit
C:\Windows\{24261635-FBA7-4a79-A324-003EB742D70B}.exe

Filesize
103KB

MD5
82462334e38b5113cd455b1ccd75824a

SHA1
cc1f64d4949f90a1afdb09d65a274a7bef6abc04

SHA256
0f164ff0be2d2c8c84622c1ae90ce1cb0ecdf267bb586f1c3bc56e5955ba7071

SHA512
caecd29be12cf83953f09da5198d7789610517ec30bca4abbbd1b0fedcbea206f1a015afac32e4524f9b326970305ab1c6373721efd417dd4a3e5a659cea0dcb

Download Submit
C:\Windows\{24261635-FBA7-4a79-A324-003EB742D70B}.exe

Filesize
103KB

MD5
82462334e38b5113cd455b1ccd75824a

SHA1
cc1f64d4949f90a1afdb09d65a274a7bef6abc04

SHA256
0f164ff0be2d2c8c84622c1ae90ce1cb0ecdf267bb586f1c3bc56e5955ba7071

SHA512
caecd29be12cf83953f09da5198d7789610517ec30bca4abbbd1b0fedcbea206f1a015afac32e4524f9b326970305ab1c6373721efd417dd4a3e5a659cea0dcb

Download Submit
C:\Windows\{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe

Filesize
103KB

MD5
5cfc790b9711889e23839a65da309c15

SHA1
4307d69ac6d74af18f2c95a37bc69b19cc6a8d88

SHA256
654b4e8082d9e0fd46f1e152cb6ab1c15a31dd5be9237801acaf54c38155eb42

SHA512
59abe11446702190a5bc04c7d1445d459abc402f3d9738ebc8b17708172ea66691b4b89feffb8524a5f9cef850c4b138947d53b59942d807f86015e9cf0d52d5

Download Submit
C:\Windows\{4FFC66F7-ACB4-4f57-8746-6FB6BE3C2D9A}.exe

Filesize
103KB

MD5
5cfc790b9711889e23839a65da309c15

SHA1
4307d69ac6d74af18f2c95a37bc69b19cc6a8d88

SHA256
654b4e8082d9e0fd46f1e152cb6ab1c15a31dd5be9237801acaf54c38155eb42

SHA512
59abe11446702190a5bc04c7d1445d459abc402f3d9738ebc8b17708172ea66691b4b89feffb8524a5f9cef850c4b138947d53b59942d807f86015e9cf0d52d5

Download Submit
C:\Windows\{5512E279-A784-4e50-9437-99E497B8ACE3}.exe

Filesize
103KB

MD5
5083f4ee147d9225653a5db0259ee952

SHA1
3d691de24e3e34b91560d8183b35103f8d15b2ca

SHA256
790e19357d8d1d899277ce61301bf337bf46cce0d4057ae8787ff136796fa481

SHA512
9f23a1b8e156e074da58b201e6abcfd144becdf5b68f60741baf8a5aad1f19598f648c65331f491603502ee2e6ef54a815cff109175167947bafa816d8493b66

Download Submit
C:\Windows\{5512E279-A784-4e50-9437-99E497B8ACE3}.exe

Filesize
103KB

MD5
5083f4ee147d9225653a5db0259ee952

SHA1
3d691de24e3e34b91560d8183b35103f8d15b2ca

SHA256
790e19357d8d1d899277ce61301bf337bf46cce0d4057ae8787ff136796fa481

SHA512
9f23a1b8e156e074da58b201e6abcfd144becdf5b68f60741baf8a5aad1f19598f648c65331f491603502ee2e6ef54a815cff109175167947bafa816d8493b66

Download Submit
C:\Windows\{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe

Filesize
103KB

MD5
0ee2ffd1e76d1d174d543896d928c127

SHA1
5c2a87b3a84be9527adc2f753baf71799be632c0

SHA256
46cd03b52fa061712b9ab72a0ec4ee95a0eaf9fcabc3db80f3596421212bb99b

SHA512
6d5f84bd17d2e4dda99e8384ffa8e35d32e86c0c514c400ae8c1d6998f1b2c813fe92010d9e6081dbb8a785aa243e7f7ee67873596c4d5ef74fd94fcf74f4149

Download Submit
C:\Windows\{8563E492-8F78-432c-ACE3-FFFDF4A331AC}.exe

Filesize
103KB

MD5
0ee2ffd1e76d1d174d543896d928c127

SHA1
5c2a87b3a84be9527adc2f753baf71799be632c0

SHA256
46cd03b52fa061712b9ab72a0ec4ee95a0eaf9fcabc3db80f3596421212bb99b

SHA512
6d5f84bd17d2e4dda99e8384ffa8e35d32e86c0c514c400ae8c1d6998f1b2c813fe92010d9e6081dbb8a785aa243e7f7ee67873596c4d5ef74fd94fcf74f4149

Download Submit
C:\Windows\{98BE973C-2D2E-42b8-908F-407A15318226}.exe

Filesize
103KB

MD5
b2e35a7ac5c0a82fb8831ada7a458427

SHA1
873e4a6e2fc0cc7bb5ce365bd6522274975ca514

SHA256
2f21b78cade518dc31a46aeb3bb54bf812416375bd591a57b60f95b8b354d696

SHA512
c6dcbf539ac6e72c50b14ac2674d1aba378fd44fedb90a1834607b45ff6015748ea455e3036c17bacfd4cfdfcd361ab22c8773f27477517930ef06859381359b

Download Submit
C:\Windows\{98BE973C-2D2E-42b8-908F-407A15318226}.exe

Filesize
103KB

MD5
b2e35a7ac5c0a82fb8831ada7a458427

SHA1
873e4a6e2fc0cc7bb5ce365bd6522274975ca514

SHA256
2f21b78cade518dc31a46aeb3bb54bf812416375bd591a57b60f95b8b354d696

SHA512
c6dcbf539ac6e72c50b14ac2674d1aba378fd44fedb90a1834607b45ff6015748ea455e3036c17bacfd4cfdfcd361ab22c8773f27477517930ef06859381359b

Download Submit
C:\Windows\{A1E56D1D-05DD-4cf5-8716-133013FE9451}.exe

Filesize
103KB

MD5
79f126ee80f9317b960b28ae9e6b3005

SHA1
33ef765cc4cc46ac059dd162c921335e96278a04

SHA256
2589066feaee55003e45e92f93210b087c30a7f1bd86f4862d85aec612e7d913

SHA512
578cbe9c7d263228960ef201f52178628b395545a1f80db988bd54c12f8ae61c462e0981039a5ed9460c37448617a0f6dceb8c8b75e5395a6dde478929b964c1

Download Submit
C:\Windows\{A1E56D1D-05DD-4cf5-8716-133013FE9451}.exe

Filesize
103KB

MD5
79f126ee80f9317b960b28ae9e6b3005

SHA1
33ef765cc4cc46ac059dd162c921335e96278a04

SHA256
2589066feaee55003e45e92f93210b087c30a7f1bd86f4862d85aec612e7d913

SHA512
578cbe9c7d263228960ef201f52178628b395545a1f80db988bd54c12f8ae61c462e0981039a5ed9460c37448617a0f6dceb8c8b75e5395a6dde478929b964c1

Download Submit
C:\Windows\{AC14BAE4-8170-4214-9B09-65B802675F25}.exe

Filesize
103KB

MD5
19d3cd97f693be94eb5279d8cf325514

SHA1
2f7266d44e857030b295365538b31142336aef29

SHA256
73eb321caab4ed3f7f75b5ef6e53a9fd9fbc8301430b4d5dcfae71808f59dc11

SHA512
8f185cfe5b16407ef2224e4368e6f448e42f81c068834e8738064d61251723034d7d96e88e8fb17ff9bca86a72ac143ac560ab8bb3c86ccecf493ae61cb5d6fb

Download Submit
C:\Windows\{AC14BAE4-8170-4214-9B09-65B802675F25}.exe

Filesize
103KB

MD5
19d3cd97f693be94eb5279d8cf325514

SHA1
2f7266d44e857030b295365538b31142336aef29

SHA256
73eb321caab4ed3f7f75b5ef6e53a9fd9fbc8301430b4d5dcfae71808f59dc11

SHA512
8f185cfe5b16407ef2224e4368e6f448e42f81c068834e8738064d61251723034d7d96e88e8fb17ff9bca86a72ac143ac560ab8bb3c86ccecf493ae61cb5d6fb

Download Submit
C:\Windows\{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe

Filesize
103KB

MD5
d31dad251ad70a719152d790c7a88e42

SHA1
e641dc90095b2e9fae8482daff0ebbbc78aa089e

SHA256
4249dcb96586b920672ef479a3f372f6ed4c43941c805a3b850e812077acf255

SHA512
af158ee7d8a35fc2063dfe7cfa20ba5d802704923e9178e6932fc4754271bf98a3b8ae7ec716ac4eff7cd9a3a5865d7d938733533472c1a99a62224bca17aabd

Download Submit
C:\Windows\{AF6971E8-B1D9-4c8a-868E-C94A6F93A4DA}.exe

Filesize
103KB

MD5
d31dad251ad70a719152d790c7a88e42

SHA1
e641dc90095b2e9fae8482daff0ebbbc78aa089e

SHA256
4249dcb96586b920672ef479a3f372f6ed4c43941c805a3b850e812077acf255

SHA512
af158ee7d8a35fc2063dfe7cfa20ba5d802704923e9178e6932fc4754271bf98a3b8ae7ec716ac4eff7cd9a3a5865d7d938733533472c1a99a62224bca17aabd

Download Submit
C:\Windows\{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe

Filesize
103KB

MD5
1bffaa13c7735af426cd45af0b00be74

SHA1
cd021c3c7ff52aaf534d4573890c3d1e60daf552

SHA256
9da3974ab3915b7d7cf2dc96b3dc382b8fc8abc689b42b3abeadbd6a8b150412

SHA512
d429feecc29cdc12f63477ae2a606ceaeebe440f4051992e322ccbdec6b0e892dab9ed0945db76e0ce14c3a5b5f57662ce012a50b724bbb2a85cf8096c4e7435

Download Submit
C:\Windows\{BA7E5F26-1908-4402-BDD8-938A11A641E1}.exe

Filesize
103KB

MD5
1bffaa13c7735af426cd45af0b00be74

SHA1
cd021c3c7ff52aaf534d4573890c3d1e60daf552

SHA256
9da3974ab3915b7d7cf2dc96b3dc382b8fc8abc689b42b3abeadbd6a8b150412

SHA512
d429feecc29cdc12f63477ae2a606ceaeebe440f4051992e322ccbdec6b0e892dab9ed0945db76e0ce14c3a5b5f57662ce012a50b724bbb2a85cf8096c4e7435

Download Submit
C:\Windows\{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe

Filesize
103KB

MD5
37a7695a1938b7d8ab6a924034305df9

SHA1
751a45f985fe39a308a07d12a076f3bd56e75f0d

SHA256
554a366f5c908baea5718a5d8157fe8d32158b42ee9786feef5328101016dbe7

SHA512
9415ab6195f092fb18fa51230e57ab3981d90c146015d1bba2af4a31caccab1e7c5f4d73fd27a70942c316cbd567c0fca8cb6b1353cd1c1dea962279ae326b74

Download Submit
C:\Windows\{C712D7F8-9250-4081-93D4-F7D17AF2C1A7}.exe

Filesize
103KB

MD5
37a7695a1938b7d8ab6a924034305df9

SHA1
751a45f985fe39a308a07d12a076f3bd56e75f0d

SHA256
554a366f5c908baea5718a5d8157fe8d32158b42ee9786feef5328101016dbe7

SHA512
9415ab6195f092fb18fa51230e57ab3981d90c146015d1bba2af4a31caccab1e7c5f4d73fd27a70942c316cbd567c0fca8cb6b1353cd1c1dea962279ae326b74

Download Submit
C:\Windows\{FC835F25-06F7-4df7-8513-C09E6A2740FB}.exe

Filesize
103KB

MD5
40798bb0be37c04d34b6f5dfc780dd87

SHA1
05f828049b49f5f00ddbe63558f46a8dd8da93ea

SHA256
da0f9b31169199b6c1c4f42ee83128748d8baa99b8aefc57a09519d520447e16

SHA512
bb7c41ef44f375982a32021abd4b68bf7865482ac83a1c36c5586fa7f3a057a08510d63ea94de74b084ffe6aa94c180067d8aa093ce95bca9a7c61673907f214

Download Submit
C:\Windows\{FC835F25-06F7-4df7-8513-C09E6A2740FB}.exe

Filesize
103KB

MD5
40798bb0be37c04d34b6f5dfc780dd87

SHA1
05f828049b49f5f00ddbe63558f46a8dd8da93ea

SHA256
da0f9b31169199b6c1c4f42ee83128748d8baa99b8aefc57a09519d520447e16

SHA512
bb7c41ef44f375982a32021abd4b68bf7865482ac83a1c36c5586fa7f3a057a08510d63ea94de74b084ffe6aa94c180067d8aa093ce95bca9a7c61673907f214

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads