fb64703364185579f6c811de7c4886240675ac2a71adf12fb76988ebae28fafd

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c82d2a5fd41b7e9d876267bc76b69550_exe32.exe
Size

76KB
MD5

c82d2a5fd41b7e9d876267bc76b69550
SHA1

09bbdbed216b8853e74552614367024adc3ee94c
SHA256

fb64703364185579f6c811de7c4886240675ac2a71adf12fb76988ebae28fafd
SHA512

6cdd6a2f01040a7e8aa85d2184106a601832ddde2efab28fdc30e75946570de0d8b6c1169a71ebff7bb44e18422dc20773ee4a070f877e278bfca2af552a08b4
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroVL4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLroVL4/wQRNrfrunMxVD

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{945B41B0-8E2F-4937-A40D-03DB837EEC65}	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{945B41B0-8E2F-4937-A40D-03DB837EEC65}\stubpath = "C:\\Windows\\{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe"	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}	{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B468871-4789-45fa-A738-40D29FBAFCAE}\stubpath = "C:\\Windows\\{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe"	{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F724D450-042A-4eba-8B64-8E6C3340438E}	{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F724D450-042A-4eba-8B64-8E6C3340438E}\stubpath = "C:\\Windows\\{F724D450-042A-4eba-8B64-8E6C3340438E}.exe"	{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51097DAB-C118-41fd-A269-FB8F40AD46F8}	{F724D450-042A-4eba-8B64-8E6C3340438E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{780BFED4-857B-448d-AF13-3E66915F3481}	{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}	{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51097DAB-C118-41fd-A269-FB8F40AD46F8}\stubpath = "C:\\Windows\\{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe"	{F724D450-042A-4eba-8B64-8E6C3340438E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}\stubpath = "C:\\Windows\\{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe"	{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08AB6BFD-E73E-4c76-A430-D956A103E275}	{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{780BFED4-857B-448d-AF13-3E66915F3481}\stubpath = "C:\\Windows\\{780BFED4-857B-448d-AF13-3E66915F3481}.exe"	{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C633AC5-0FC3-4771-91CF-58198148C2B7}\stubpath = "C:\\Windows\\{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe"	{780BFED4-857B-448d-AF13-3E66915F3481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}\stubpath = "C:\\Windows\\{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}.exe"	{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7CD2194-DB31-429b-9855-C8C93585FCF6}\stubpath = "C:\\Windows\\{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe"	{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}\stubpath = "C:\\Windows\\{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe"	{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B468871-4789-45fa-A738-40D29FBAFCAE}	{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C633AC5-0FC3-4771-91CF-58198148C2B7}	{780BFED4-857B-448d-AF13-3E66915F3481}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7CD2194-DB31-429b-9855-C8C93585FCF6}	{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}	{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08AB6BFD-E73E-4c76-A430-D956A103E275}\stubpath = "C:\\Windows\\{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe"	{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAD777CA-6383-472e-ACFF-E39C47B55F99}	{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAD777CA-6383-472e-ACFF-E39C47B55F99}\stubpath = "C:\\Windows\\{BAD777CA-6383-472e-ACFF-E39C47B55F99}.exe"	{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}.exe

Executes dropped EXE 12 IoCs

pid	Process
1944	{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe
3972	{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe
4160	{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe
764	{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe
3388	{F724D450-042A-4eba-8B64-8E6C3340438E}.exe
1268	{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe
4892	{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe
2600	{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe
3368	{780BFED4-857B-448d-AF13-3E66915F3481}.exe
4812	{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe
4504	{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}.exe
5044	{BAD777CA-6383-472e-ACFF-E39C47B55F99}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe
File created	C:\Windows\{F724D450-042A-4eba-8B64-8E6C3340438E}.exe	{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe
File created	C:\Windows\{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe	{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe
File created	C:\Windows\{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe	{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe
File created	C:\Windows\{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe	{780BFED4-857B-448d-AF13-3E66915F3481}.exe
File created	C:\Windows\{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}.exe	{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe
File created	C:\Windows\{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe	{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe
File created	C:\Windows\{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe	{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe
File created	C:\Windows\{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe	{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe
File created	C:\Windows\{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe	{F724D450-042A-4eba-8B64-8E6C3340438E}.exe
File created	C:\Windows\{780BFED4-857B-448d-AF13-3E66915F3481}.exe	{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe
File created	C:\Windows\{BAD777CA-6383-472e-ACFF-E39C47B55F99}.exe	{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4864	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe
Token: SeIncBasePriorityPrivilege	1944	{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe
Token: SeIncBasePriorityPrivilege	3972	{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe
Token: SeIncBasePriorityPrivilege	4160	{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe
Token: SeIncBasePriorityPrivilege	764	{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe
Token: SeIncBasePriorityPrivilege	3388	{F724D450-042A-4eba-8B64-8E6C3340438E}.exe
Token: SeIncBasePriorityPrivilege	1268	{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe
Token: SeIncBasePriorityPrivilege	4892	{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe
Token: SeIncBasePriorityPrivilege	2600	{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe
Token: SeIncBasePriorityPrivilege	3368	{780BFED4-857B-448d-AF13-3E66915F3481}.exe
Token: SeIncBasePriorityPrivilege	4812	{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe
Token: SeIncBasePriorityPrivilege	4504	{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 1944	4864	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	90
PID 4864 wrote to memory of 1944	4864	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	90
PID 4864 wrote to memory of 1944	4864	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	90
PID 4864 wrote to memory of 496	4864	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	91
PID 4864 wrote to memory of 496	4864	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	91
PID 4864 wrote to memory of 496	4864	c82d2a5fd41b7e9d876267bc76b69550_exe32.exe	91
PID 1944 wrote to memory of 3972	1944	{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe	93
PID 1944 wrote to memory of 3972	1944	{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe	93
PID 1944 wrote to memory of 3972	1944	{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe	93
PID 1944 wrote to memory of 1776	1944	{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe	94
PID 1944 wrote to memory of 1776	1944	{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe	94
PID 1944 wrote to memory of 1776	1944	{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe	94
PID 3972 wrote to memory of 4160	3972	{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe	97
PID 3972 wrote to memory of 4160	3972	{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe	97
PID 3972 wrote to memory of 4160	3972	{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe	97
PID 3972 wrote to memory of 3244	3972	{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe	96
PID 3972 wrote to memory of 3244	3972	{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe	96
PID 3972 wrote to memory of 3244	3972	{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe	96
PID 4160 wrote to memory of 764	4160	{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe	98
PID 4160 wrote to memory of 764	4160	{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe	98
PID 4160 wrote to memory of 764	4160	{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe	98
PID 4160 wrote to memory of 1004	4160	{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe	99
PID 4160 wrote to memory of 1004	4160	{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe	99
PID 4160 wrote to memory of 1004	4160	{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe	99
PID 764 wrote to memory of 3388	764	{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe	100
PID 764 wrote to memory of 3388	764	{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe	100
PID 764 wrote to memory of 3388	764	{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe	100
PID 764 wrote to memory of 4888	764	{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe	101
PID 764 wrote to memory of 4888	764	{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe	101
PID 764 wrote to memory of 4888	764	{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe	101
PID 3388 wrote to memory of 1268	3388	{F724D450-042A-4eba-8B64-8E6C3340438E}.exe	102
PID 3388 wrote to memory of 1268	3388	{F724D450-042A-4eba-8B64-8E6C3340438E}.exe	102
PID 3388 wrote to memory of 1268	3388	{F724D450-042A-4eba-8B64-8E6C3340438E}.exe	102
PID 3388 wrote to memory of 1980	3388	{F724D450-042A-4eba-8B64-8E6C3340438E}.exe	103
PID 3388 wrote to memory of 1980	3388	{F724D450-042A-4eba-8B64-8E6C3340438E}.exe	103
PID 3388 wrote to memory of 1980	3388	{F724D450-042A-4eba-8B64-8E6C3340438E}.exe	103
PID 1268 wrote to memory of 4892	1268	{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe	104
PID 1268 wrote to memory of 4892	1268	{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe	104
PID 1268 wrote to memory of 4892	1268	{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe	104
PID 1268 wrote to memory of 3344	1268	{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe	105
PID 1268 wrote to memory of 3344	1268	{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe	105
PID 1268 wrote to memory of 3344	1268	{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe	105
PID 4892 wrote to memory of 2600	4892	{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe	106
PID 4892 wrote to memory of 2600	4892	{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe	106
PID 4892 wrote to memory of 2600	4892	{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe	106
PID 4892 wrote to memory of 5032	4892	{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe	107
PID 4892 wrote to memory of 5032	4892	{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe	107
PID 4892 wrote to memory of 5032	4892	{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe	107
PID 2600 wrote to memory of 3368	2600	{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe	108
PID 2600 wrote to memory of 3368	2600	{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe	108
PID 2600 wrote to memory of 3368	2600	{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe	108
PID 2600 wrote to memory of 1684	2600	{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe	109
PID 2600 wrote to memory of 1684	2600	{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe	109
PID 2600 wrote to memory of 1684	2600	{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe	109
PID 3368 wrote to memory of 4812	3368	{780BFED4-857B-448d-AF13-3E66915F3481}.exe	110
PID 3368 wrote to memory of 4812	3368	{780BFED4-857B-448d-AF13-3E66915F3481}.exe	110
PID 3368 wrote to memory of 4812	3368	{780BFED4-857B-448d-AF13-3E66915F3481}.exe	110
PID 3368 wrote to memory of 4208	3368	{780BFED4-857B-448d-AF13-3E66915F3481}.exe	111
PID 3368 wrote to memory of 4208	3368	{780BFED4-857B-448d-AF13-3E66915F3481}.exe	111
PID 3368 wrote to memory of 4208	3368	{780BFED4-857B-448d-AF13-3E66915F3481}.exe	111
PID 4812 wrote to memory of 4504	4812	{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe	112
PID 4812 wrote to memory of 4504	4812	{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe	112
PID 4812 wrote to memory of 4504	4812	{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe	112
PID 4812 wrote to memory of 3748	4812	{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe	113

C:\Users\Admin\AppData\Local\Temp\c82d2a5fd41b7e9d876267bc76b69550_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\c82d2a5fd41b7e9d876267bc76b69550_exe32.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe
  C:\Windows\{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe
    C:\Windows\{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B7CD2~1.EXE > nul
      4⤵
      PID:3244
  - - C:\Windows\{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe
      C:\Windows\{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Windows\{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe
        
        C:\Windows\{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\{F724D450-042A-4eba-8B64-8E6C3340438E}.exe
        
        C:\Windows\{F724D450-042A-4eba-8B64-8E6C3340438E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe
        
        C:\Windows\{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe
        
        C:\Windows\{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe
        
        C:\Windows\{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{780BFED4-857B-448d-AF13-3E66915F3481}.exe
        
        C:\Windows\{780BFED4-857B-448d-AF13-3E66915F3481}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe
        
        C:\Windows\{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}.exe
        
        C:\Windows\{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\{BAD777CA-6383-472e-ACFF-E39C47B55F99}.exe
        
        C:\Windows\{BAD777CA-6383-472e-ACFF-E39C47B55F99}.exe
        13⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09818~1.EXE > nul
        13⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C633~1.EXE > nul
        12⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{780BF~1.EXE > nul
        11⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08AB6~1.EXE > nul
        10⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF10E~1.EXE > nul
        9⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51097~1.EXE > nul
        8⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F724D~1.EXE > nul
        7⤵
        
        PID:1980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B468~1.EXE > nul
        6⤵
        
        PID:4888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BD16~1.EXE > nul
        5⤵
        
        PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{945B4~1.EXE > nul
    3⤵
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C82D2A~1.EXE > nul
  2⤵
  PID:496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe

Filesize
76KB

MD5
358d0cfa2c4164ac5ce9e1f3a0ee0c6a

SHA1
4c50677b300a440f3c8b7a658bd88ae64d59c4ab

SHA256
8c5e8a8aab2f34a7626b041772037bfa8201631591593f14137efffecc3c832b

SHA512
69d3a3e1d8d7326d0c00639cb47c26bc46a9dddf3dee07d8466511d207e7a9d6f50ff701e7adc9de607924cb6d1ed65fc899969049cff7701759e009afb8ac15

Download Submit
C:\Windows\{08AB6BFD-E73E-4c76-A430-D956A103E275}.exe

Filesize
76KB

MD5
358d0cfa2c4164ac5ce9e1f3a0ee0c6a

SHA1
4c50677b300a440f3c8b7a658bd88ae64d59c4ab

SHA256
8c5e8a8aab2f34a7626b041772037bfa8201631591593f14137efffecc3c832b

SHA512
69d3a3e1d8d7326d0c00639cb47c26bc46a9dddf3dee07d8466511d207e7a9d6f50ff701e7adc9de607924cb6d1ed65fc899969049cff7701759e009afb8ac15

Download Submit
C:\Windows\{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}.exe

Filesize
76KB

MD5
ec11609d7559318be610c717e5fdecc9

SHA1
33f02490684f024c71d96347edb249466cec1efa

SHA256
1b90ae178f12c684e506224e9021f548ebd1cb2a3e1da718db89e4b043bdd982

SHA512
f2ed7082e8148bdedb19d90feae30239645881bf976281668830d499ef75076b22ec8f4a6567215c9d8b266ca7a669bffd17a7a971d94897c61e5ee02cc8b64a

Download Submit
C:\Windows\{0981874B-5E9D-41fb-A608-02ABC2C5D3B2}.exe

Filesize
76KB

MD5
ec11609d7559318be610c717e5fdecc9

SHA1
33f02490684f024c71d96347edb249466cec1efa

SHA256
1b90ae178f12c684e506224e9021f548ebd1cb2a3e1da718db89e4b043bdd982

SHA512
f2ed7082e8148bdedb19d90feae30239645881bf976281668830d499ef75076b22ec8f4a6567215c9d8b266ca7a669bffd17a7a971d94897c61e5ee02cc8b64a

Download Submit
C:\Windows\{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe

Filesize
76KB

MD5
7d5acc44a75dfecd9c3f5fab40454d4f

SHA1
49014eeea62f6835a5cfdc2d209e4c4871470e80

SHA256
3218a91144910a4ebfa4a03c01648a72baa95e28b7e07538247b5a9fb24b7880

SHA512
aeccde9e2bc539500b9599e789192d616d376ed5283e501cf0e37c78f13b74b5ebeed90b2edc8c9141d38b40608f5eaddf3025d26118db34e8f9f7e33ec02245

Download Submit
C:\Windows\{1C633AC5-0FC3-4771-91CF-58198148C2B7}.exe

Filesize
76KB

MD5
7d5acc44a75dfecd9c3f5fab40454d4f

SHA1
49014eeea62f6835a5cfdc2d209e4c4871470e80

SHA256
3218a91144910a4ebfa4a03c01648a72baa95e28b7e07538247b5a9fb24b7880

SHA512
aeccde9e2bc539500b9599e789192d616d376ed5283e501cf0e37c78f13b74b5ebeed90b2edc8c9141d38b40608f5eaddf3025d26118db34e8f9f7e33ec02245

Download Submit
C:\Windows\{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe

Filesize
76KB

MD5
b9ad58ed2263b6c0d5a42547110b4322

SHA1
668998472e855cd7d5ab698da3506d20e4fc3687

SHA256
a7ab3df2bda2f97e189b05c7fa7d27ae130b347ea44064672ce7214f35fa1dd3

SHA512
0c09bce645a50a124e523299803abe76f29766d3f01cd3aa388ebb910e1d79546fca9c5c80764b9321739c5536aa55cd258a8202e6552e11459cc0bfb2f03e7d

Download Submit
C:\Windows\{51097DAB-C118-41fd-A269-FB8F40AD46F8}.exe

Filesize
76KB

MD5
b9ad58ed2263b6c0d5a42547110b4322

SHA1
668998472e855cd7d5ab698da3506d20e4fc3687

SHA256
a7ab3df2bda2f97e189b05c7fa7d27ae130b347ea44064672ce7214f35fa1dd3

SHA512
0c09bce645a50a124e523299803abe76f29766d3f01cd3aa388ebb910e1d79546fca9c5c80764b9321739c5536aa55cd258a8202e6552e11459cc0bfb2f03e7d

Download Submit
C:\Windows\{780BFED4-857B-448d-AF13-3E66915F3481}.exe

Filesize
76KB

MD5
aecd54aa479754919896a1d1cfac2160

SHA1
2c5c8cfe77392a61f99ae532f3e3a009709e106b

SHA256
0cb96f6f68b9ec934dabe52f462d9ebafef0caa1c289b64834b1c4b421802034

SHA512
692f91a27fb2319eb9795bb0ab665ea91fe7727a088ee00a4c681e8a1dc1be5c47a73e755d6ba77ca5b294e678fbf034ada7575f10f2aca14e8bb745160429df

Download Submit
C:\Windows\{780BFED4-857B-448d-AF13-3E66915F3481}.exe

Filesize
76KB

MD5
aecd54aa479754919896a1d1cfac2160

SHA1
2c5c8cfe77392a61f99ae532f3e3a009709e106b

SHA256
0cb96f6f68b9ec934dabe52f462d9ebafef0caa1c289b64834b1c4b421802034

SHA512
692f91a27fb2319eb9795bb0ab665ea91fe7727a088ee00a4c681e8a1dc1be5c47a73e755d6ba77ca5b294e678fbf034ada7575f10f2aca14e8bb745160429df

Download Submit
C:\Windows\{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe

Filesize
76KB

MD5
9a1ac918c3f1f83927d46ede0721b255

SHA1
70745d625dc074250038b9a1b80894a9fa532c35

SHA256
60091fff505fa8cb1e160cf66648ac08cf536429cd61f7814b2954f4e7fc00e2

SHA512
bf3a48da749a4a3b21807dce9a198124a8c26056cf5d4c83f57c73312946270caae13c4f3b620643ca074b33c2c0e35283055182638d091e18526976c03eb640

Download Submit
C:\Windows\{7B468871-4789-45fa-A738-40D29FBAFCAE}.exe

Filesize
76KB

MD5
9a1ac918c3f1f83927d46ede0721b255

SHA1
70745d625dc074250038b9a1b80894a9fa532c35

SHA256
60091fff505fa8cb1e160cf66648ac08cf536429cd61f7814b2954f4e7fc00e2

SHA512
bf3a48da749a4a3b21807dce9a198124a8c26056cf5d4c83f57c73312946270caae13c4f3b620643ca074b33c2c0e35283055182638d091e18526976c03eb640

Download Submit
C:\Windows\{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe

Filesize
76KB

MD5
3cc0c458ce503be75dd71a2c46c49986

SHA1
e2b7251752f81aecd39c92052c93a71b560ad726

SHA256
71915c5072f6889dace60fdb1f55c3431b2580ecd5adffb05f4cfd76d8739420

SHA512
6a56b5e6d49bee1f0faa32dd203ac41a65a8d357bea6c36ce48e94ff7d08dd0b6b4578e576daac47e5b195c1631d3a44d1f34ff32bf30f1e3db5fb262c865718

Download Submit
C:\Windows\{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe

Filesize
76KB

MD5
3cc0c458ce503be75dd71a2c46c49986

SHA1
e2b7251752f81aecd39c92052c93a71b560ad726

SHA256
71915c5072f6889dace60fdb1f55c3431b2580ecd5adffb05f4cfd76d8739420

SHA512
6a56b5e6d49bee1f0faa32dd203ac41a65a8d357bea6c36ce48e94ff7d08dd0b6b4578e576daac47e5b195c1631d3a44d1f34ff32bf30f1e3db5fb262c865718

Download Submit
C:\Windows\{7BD166CD-37EE-410d-AFCF-59BB437ABE7B}.exe

Filesize
76KB

MD5
3cc0c458ce503be75dd71a2c46c49986

SHA1
e2b7251752f81aecd39c92052c93a71b560ad726

SHA256
71915c5072f6889dace60fdb1f55c3431b2580ecd5adffb05f4cfd76d8739420

SHA512
6a56b5e6d49bee1f0faa32dd203ac41a65a8d357bea6c36ce48e94ff7d08dd0b6b4578e576daac47e5b195c1631d3a44d1f34ff32bf30f1e3db5fb262c865718

Download Submit
C:\Windows\{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe

Filesize
76KB

MD5
27066f5a8d56827ea70a9b4c30e84523

SHA1
69684c3980222c0705fda8994ad048b597938f44

SHA256
8dd3e5ad562cf2392484c18f9649cc3981760f7b604c76d95a8741f916b35e85

SHA512
5f4513a3bfa95b0c4ad2a5ec382b4ff88e754790cfbc92918314d56d7d2363dcb3c6a48e90d48e9b213799514be307957edfec6cc062e49d15632346336ef660

Download Submit
C:\Windows\{945B41B0-8E2F-4937-A40D-03DB837EEC65}.exe

Filesize
76KB

MD5
27066f5a8d56827ea70a9b4c30e84523

SHA1
69684c3980222c0705fda8994ad048b597938f44

SHA256
8dd3e5ad562cf2392484c18f9649cc3981760f7b604c76d95a8741f916b35e85

SHA512
5f4513a3bfa95b0c4ad2a5ec382b4ff88e754790cfbc92918314d56d7d2363dcb3c6a48e90d48e9b213799514be307957edfec6cc062e49d15632346336ef660

Download Submit
C:\Windows\{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe

Filesize
76KB

MD5
da5298ce537c7252fdcc854350564d66

SHA1
2c25dd35d12b4a572dda159b4495af06fa6f0f02

SHA256
4e34dfc5d385448b4d7e78b948b4fd0a48ce3d5da867fb3beb685ba0089026ed

SHA512
5bf6918b548a1389d06b4daf50507e4b6fdc58a423edcaf050be1fa7e86a630e9ee2b7017b62c6766b7e4c9089b7bb6c10905bc8018ff7c7dab339bdfeafbe38

Download Submit
C:\Windows\{AF10E1E6-B216-48f9-9141-CB0AFB2B03D7}.exe

Filesize
76KB

MD5
da5298ce537c7252fdcc854350564d66

SHA1
2c25dd35d12b4a572dda159b4495af06fa6f0f02

SHA256
4e34dfc5d385448b4d7e78b948b4fd0a48ce3d5da867fb3beb685ba0089026ed

SHA512
5bf6918b548a1389d06b4daf50507e4b6fdc58a423edcaf050be1fa7e86a630e9ee2b7017b62c6766b7e4c9089b7bb6c10905bc8018ff7c7dab339bdfeafbe38

Download Submit
C:\Windows\{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe

Filesize
76KB

MD5
7e646126de6370961edc0ee3e5f22004

SHA1
72881f3b1268937acf79c38c3c670172ae1cc34e

SHA256
1455f8e0eb772c921fc36ff652ae8d8816edf2a3520810725a4dc127e1dd008f

SHA512
d6992481e8a304e428d968edeebae2b5dcc370bf69b1cc022ea8843871bcaa4b1860ad254e6b6f87626e4cf4ccf1a487e525f29489dc5aba8a47e030a5708c01

Download Submit
C:\Windows\{B7CD2194-DB31-429b-9855-C8C93585FCF6}.exe

Filesize
76KB

MD5
7e646126de6370961edc0ee3e5f22004

SHA1
72881f3b1268937acf79c38c3c670172ae1cc34e

SHA256
1455f8e0eb772c921fc36ff652ae8d8816edf2a3520810725a4dc127e1dd008f

SHA512
d6992481e8a304e428d968edeebae2b5dcc370bf69b1cc022ea8843871bcaa4b1860ad254e6b6f87626e4cf4ccf1a487e525f29489dc5aba8a47e030a5708c01

Download Submit
C:\Windows\{BAD777CA-6383-472e-ACFF-E39C47B55F99}.exe

Filesize
76KB

MD5
18e9059174c535352189414f424ddd57

SHA1
10c683d48275d1cee3feadfca8e1c6d381db8cbc

SHA256
0512adf627df30ce503697fdeb2c119826256353f2bc3bc9b36d5e227545925c

SHA512
f7a30e0a73963d8a13a4b5a94a22a245eeb74d84ca5f8461f6ab6cdb504096bba6a5d687dfc359af190ddb821756e4a555d03eb97f419a6e817ec8e4a2649acb

Download Submit
C:\Windows\{BAD777CA-6383-472e-ACFF-E39C47B55F99}.exe

Filesize
76KB

MD5
18e9059174c535352189414f424ddd57

SHA1
10c683d48275d1cee3feadfca8e1c6d381db8cbc

SHA256
0512adf627df30ce503697fdeb2c119826256353f2bc3bc9b36d5e227545925c

SHA512
f7a30e0a73963d8a13a4b5a94a22a245eeb74d84ca5f8461f6ab6cdb504096bba6a5d687dfc359af190ddb821756e4a555d03eb97f419a6e817ec8e4a2649acb

Download Submit
C:\Windows\{F724D450-042A-4eba-8B64-8E6C3340438E}.exe

Filesize
76KB

MD5
bdc6cb89e406688326f7ef5701baf2b4

SHA1
e035c2c6982dcde08ccbd39b73d2d1eb47841a09

SHA256
ddfd756ab9aeb69be0ee3f4cda86a1efad533adf3d7bcd02bc3cb57d7d489ed2

SHA512
a8462b14e788f4e75977b462e5d14f833a0933a061b5ed86c7d856faaaa5e972ccdbf5da2aba5dce1bc0b31e4b2efeff0bf04903c4a57f893a61710d236fced8

Download Submit
C:\Windows\{F724D450-042A-4eba-8B64-8E6C3340438E}.exe

Filesize
76KB

MD5
bdc6cb89e406688326f7ef5701baf2b4

SHA1
e035c2c6982dcde08ccbd39b73d2d1eb47841a09

SHA256
ddfd756ab9aeb69be0ee3f4cda86a1efad533adf3d7bcd02bc3cb57d7d489ed2

SHA512
a8462b14e788f4e75977b462e5d14f833a0933a061b5ed86c7d856faaaa5e972ccdbf5da2aba5dce1bc0b31e4b2efeff0bf04903c4a57f893a61710d236fced8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads