8075bc7969c5ff467a85a622b99d3de003f0eb53a0f908212334b43a5ae14f5d

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b547df592dd1ac75036533c1a67630a7.exe
Size

180KB
MD5

b547df592dd1ac75036533c1a67630a7
SHA1

44c0ad9b10087cdec8a667c583a8e319a39607d0
SHA256

8075bc7969c5ff467a85a622b99d3de003f0eb53a0f908212334b43a5ae14f5d
SHA512

b9db3bb97ceadd254e69688e7fef2a4449d56db2e6d95b010c2b6bd8452bb771b6a394a2e7623e9218562d4b3eed27644aed37887908e67822877a49802228a9
SSDEEP

3072:jEGh0oolfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG+l5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}	{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B14CBF-E110-4e62-99C6-B41439D95E93}\stubpath = "C:\\Windows\\{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe"	{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}	{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B86417BA-57F2-43da-9C0C-5BA2A81439AA}\stubpath = "C:\\Windows\\{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe"	b547df592dd1ac75036533c1a67630a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{317A3C42-99C6-4cca-B5CE-A34140C55F53}	{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}\stubpath = "C:\\Windows\\{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe"	{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DF44CC2-D116-48d1-82D2-4FFCADD42FC0}	{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24B98267-3ACD-4cf2-8498-2871C4A0C020}\stubpath = "C:\\Windows\\{24B98267-3ACD-4cf2-8498-2871C4A0C020}.exe"	{8DF44CC2-D116-48d1-82D2-4FFCADD42FC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{317A3C42-99C6-4cca-B5CE-A34140C55F53}\stubpath = "C:\\Windows\\{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe"	{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B14CBF-E110-4e62-99C6-B41439D95E93}	{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}\stubpath = "C:\\Windows\\{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe"	{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}	{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}\stubpath = "C:\\Windows\\{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe"	{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DF44CC2-D116-48d1-82D2-4FFCADD42FC0}\stubpath = "C:\\Windows\\{8DF44CC2-D116-48d1-82D2-4FFCADD42FC0}.exe"	{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24B98267-3ACD-4cf2-8498-2871C4A0C020}	{8DF44CC2-D116-48d1-82D2-4FFCADD42FC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B86417BA-57F2-43da-9C0C-5BA2A81439AA}	b547df592dd1ac75036533c1a67630a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}\stubpath = "C:\\Windows\\{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe"	{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}	{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}\stubpath = "C:\\Windows\\{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe"	{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}	{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}\stubpath = "C:\\Windows\\{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe"	{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}	{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}\stubpath = "C:\\Windows\\{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe"	{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}	{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe

Executes dropped EXE 12 IoCs

pid	Process
4680	{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe
860	{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe
1680	{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe
1572	{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe
3896	{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe
3712	{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe
4668	{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe
2024	{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe
4432	{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe
4996	{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe
1524	{8DF44CC2-D116-48d1-82D2-4FFCADD42FC0}.exe
4416	{24B98267-3ACD-4cf2-8498-2871C4A0C020}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe	{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe
File created	C:\Windows\{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe	{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe
File created	C:\Windows\{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe	{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe
File created	C:\Windows\{8DF44CC2-D116-48d1-82D2-4FFCADD42FC0}.exe	{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe
File created	C:\Windows\{24B98267-3ACD-4cf2-8498-2871C4A0C020}.exe	{8DF44CC2-D116-48d1-82D2-4FFCADD42FC0}.exe
File created	C:\Windows\{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe	b547df592dd1ac75036533c1a67630a7.exe
File created	C:\Windows\{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe	{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe
File created	C:\Windows\{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe	{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe
File created	C:\Windows\{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe	{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe
File created	C:\Windows\{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe	{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe
File created	C:\Windows\{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe	{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe
File created	C:\Windows\{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe	{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4848	b547df592dd1ac75036533c1a67630a7.exe
Token: SeIncBasePriorityPrivilege	4680	{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe
Token: SeIncBasePriorityPrivilege	860	{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe
Token: SeIncBasePriorityPrivilege	1680	{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe
Token: SeIncBasePriorityPrivilege	1572	{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe
Token: SeIncBasePriorityPrivilege	3896	{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe
Token: SeIncBasePriorityPrivilege	3712	{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe
Token: SeIncBasePriorityPrivilege	4668	{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe
Token: SeIncBasePriorityPrivilege	2024	{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe
Token: SeIncBasePriorityPrivilege	4432	{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe
Token: SeIncBasePriorityPrivilege	4996	{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe
Token: SeIncBasePriorityPrivilege	1524	{8DF44CC2-D116-48d1-82D2-4FFCADD42FC0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4680	4848	b547df592dd1ac75036533c1a67630a7.exe	89
PID 4848 wrote to memory of 4680	4848	b547df592dd1ac75036533c1a67630a7.exe	89
PID 4848 wrote to memory of 4680	4848	b547df592dd1ac75036533c1a67630a7.exe	89
PID 4848 wrote to memory of 3976	4848	b547df592dd1ac75036533c1a67630a7.exe	90
PID 4848 wrote to memory of 3976	4848	b547df592dd1ac75036533c1a67630a7.exe	90
PID 4848 wrote to memory of 3976	4848	b547df592dd1ac75036533c1a67630a7.exe	90
PID 4680 wrote to memory of 860	4680	{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe	93
PID 4680 wrote to memory of 860	4680	{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe	93
PID 4680 wrote to memory of 860	4680	{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe	93
PID 4680 wrote to memory of 2068	4680	{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe	94
PID 4680 wrote to memory of 2068	4680	{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe	94
PID 4680 wrote to memory of 2068	4680	{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe	94
PID 860 wrote to memory of 1680	860	{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe	97
PID 860 wrote to memory of 1680	860	{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe	97
PID 860 wrote to memory of 1680	860	{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe	97
PID 860 wrote to memory of 2324	860	{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe	96
PID 860 wrote to memory of 2324	860	{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe	96
PID 860 wrote to memory of 2324	860	{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe	96
PID 1680 wrote to memory of 1572	1680	{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe	98
PID 1680 wrote to memory of 1572	1680	{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe	98
PID 1680 wrote to memory of 1572	1680	{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe	98
PID 1680 wrote to memory of 1140	1680	{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe	99
PID 1680 wrote to memory of 1140	1680	{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe	99
PID 1680 wrote to memory of 1140	1680	{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe	99
PID 1572 wrote to memory of 3896	1572	{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe	100
PID 1572 wrote to memory of 3896	1572	{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe	100
PID 1572 wrote to memory of 3896	1572	{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe	100
PID 1572 wrote to memory of 800	1572	{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe	101
PID 1572 wrote to memory of 800	1572	{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe	101
PID 1572 wrote to memory of 800	1572	{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe	101
PID 3896 wrote to memory of 3712	3896	{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe	102
PID 3896 wrote to memory of 3712	3896	{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe	102
PID 3896 wrote to memory of 3712	3896	{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe	102
PID 3896 wrote to memory of 4344	3896	{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe	103
PID 3896 wrote to memory of 4344	3896	{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe	103
PID 3896 wrote to memory of 4344	3896	{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe	103
PID 3712 wrote to memory of 4668	3712	{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe	104
PID 3712 wrote to memory of 4668	3712	{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe	104
PID 3712 wrote to memory of 4668	3712	{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe	104
PID 3712 wrote to memory of 2444	3712	{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe	105
PID 3712 wrote to memory of 2444	3712	{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe	105
PID 3712 wrote to memory of 2444	3712	{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe	105
PID 4668 wrote to memory of 2024	4668	{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe	106
PID 4668 wrote to memory of 2024	4668	{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe	106
PID 4668 wrote to memory of 2024	4668	{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe	106
PID 4668 wrote to memory of 4576	4668	{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe	107
PID 4668 wrote to memory of 4576	4668	{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe	107
PID 4668 wrote to memory of 4576	4668	{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe	107
PID 2024 wrote to memory of 4432	2024	{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe	108
PID 2024 wrote to memory of 4432	2024	{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe	108
PID 2024 wrote to memory of 4432	2024	{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe	108
PID 2024 wrote to memory of 4420	2024	{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe	109
PID 2024 wrote to memory of 4420	2024	{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe	109
PID 2024 wrote to memory of 4420	2024	{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe	109
PID 4432 wrote to memory of 4996	4432	{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe	110
PID 4432 wrote to memory of 4996	4432	{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe	110
PID 4432 wrote to memory of 4996	4432	{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe	110
PID 4432 wrote to memory of 4080	4432	{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe	111
PID 4432 wrote to memory of 4080	4432	{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe	111
PID 4432 wrote to memory of 4080	4432	{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe	111
PID 4996 wrote to memory of 1524	4996	{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe	112
PID 4996 wrote to memory of 1524	4996	{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe	112
PID 4996 wrote to memory of 1524	4996	{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe	112
PID 4996 wrote to memory of 5088	4996	{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe	113

C:\Users\Admin\AppData\Local\Temp\b547df592dd1ac75036533c1a67630a7.exe
"C:\Users\Admin\AppData\Local\Temp\b547df592dd1ac75036533c1a67630a7.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe
  C:\Windows\{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe
    C:\Windows\{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{317A3~1.EXE > nul
      4⤵
      PID:2324
  - - C:\Windows\{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe
      C:\Windows\{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe
        
        C:\Windows\{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Windows\{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe
        
        C:\Windows\{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe
        
        C:\Windows\{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe
        
        C:\Windows\{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe
        
        C:\Windows\{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe
        
        C:\Windows\{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe
        
        C:\Windows\{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\{8DF44CC2-D116-48d1-82D2-4FFCADD42FC0}.exe
        
        C:\Windows\{8DF44CC2-D116-48d1-82D2-4FFCADD42FC0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{24B98267-3ACD-4cf2-8498-2871C4A0C020}.exe
        
        C:\Windows\{24B98267-3ACD-4cf2-8498-2871C4A0C020}.exe
        13⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DF44~1.EXE > nul
        13⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79F3B~1.EXE > nul
        12⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ADD8~1.EXE > nul
        11⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBA24~1.EXE > nul
        10⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76B14~1.EXE > nul
        9⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E28C~1.EXE > nul
        8⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BFC1~1.EXE > nul
        7⤵
        
        PID:4344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68E88~1.EXE > nul
        6⤵
        
        PID:800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{691B0~1.EXE > nul
        5⤵
        
        PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B8641~1.EXE > nul
    3⤵
    PID:2068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B547DF~1.EXE > nul
  2⤵
  PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24B98267-3ACD-4cf2-8498-2871C4A0C020}.exe

Filesize
180KB

MD5
787d9d6ed22ab5c98aa650d324b106ed

SHA1
db25e3a230e356e1b5310bc345fe66c6b7009033

SHA256
13622b2671aae6ab6a4fe630a1dee01a8641e45f7d659ca74ffd551d43f56d6a

SHA512
0403df5eeb52eed4438f3443d327492c5ae967807a3e6fb31893059bbe415fc98f913df6c68280a3c54b50e20db7fb8eb44f3af71340e1c070e7282f1c37c351

Download Submit
C:\Windows\{2E28C13B-7D5F-4800-8C76-B0038DC13DC5}.exe

Filesize
180KB

MD5
bb77fd98f1ca90b2ad2dd760094d5213

SHA1
0af6f52d4d2d034e6df9222591053af05f10e635

SHA256
f61e271940b95e0b728eedce5716f74514e65c0e7549a7a7d51f4457fd44b8c4

SHA512
c75b24bbc2c6f3e58d64d4de83388dad7a94d145239590b595dd0f2653e8010b84d5ef4290a9be8c1e3abe3dc3c5393205c7baf0df0f8456583ced1e831fe40b

Download Submit
C:\Windows\{317A3C42-99C6-4cca-B5CE-A34140C55F53}.exe

Filesize
180KB

MD5
3e203a4a593c9eef72b4abaad9b296ed

SHA1
a0bf2cfe817946e1b4d4b2abef52c48ff98d864e

SHA256
534748509c8f73d8d2ec53ea27af91f0122eb070a72724b1915cc3e5f60cecfc

SHA512
d8dc491de7fe23db0fba5c8aed03316629a5c7807912a27d255c3cbb5c552642bcb240c4b10d03c3f5091c0edeffba95ffae60522646764b59f1273b1cfd4ec1

Download Submit
C:\Windows\{3ADD8EC1-F230-489e-B005-14A1FC9E1C96}.exe

Filesize
180KB

MD5
993b86b5c75cfb06f829a3b9bdfc88a6

SHA1
154afb8a21abaabd6e9d3eee9336f84570fbc6c4

SHA256
276360a4d796c27ee0ab451a6c6bebfe66ae110717479430d66b8730907147b0

SHA512
9079ea948cdd683e0e21e19b2043f91bdef43bd42545f11bd916ebbadbf3e3829f30bc0e10f382809ab71fce331f8649804c0ba78d5dfc1f7923ffe58e4bee40

Download Submit
C:\Windows\{68E88D4E-D409-4f96-8BD1-D48D2361F1E8}.exe

Filesize
180KB

MD5
370e7d36cd6923c63accf7cf172ef672

SHA1
35b58de86cc7bae4d0a3bf54d294cf557183d471

SHA256
ed733a73ea72edb62694adf915bdda2a0dc083ad67d491fd89b10fdfafde67a8

SHA512
3b52917b6eb10534d399518b544fa18925bbc34be0e997e615750cc2a2ac045811d134302df90ab08e30079d761153b55801a993df7e1307de1fac406491bb69

Download Submit
C:\Windows\{691B0D7B-E307-41f4-AAEC-FA7AE6437DB5}.exe

Filesize
180KB

MD5
5e5c8266ebaa65dd4b9ad668982e15b7

SHA1
ad042c4504bc2b9b68d13b882ca074181e760d8c

SHA256
d70b50d5f2625e880f2229987b2f02ca3a2504135986161ae58bde26598ddde9

SHA512
45790594805adb025c44a9e6fd3a8fc51f3b721098c05f5f68010a61107c36365ad3d7d51b88243ee1011b14fc213864599290b74ca5829cd2dde1dc94f0ff1c

Download Submit
C:\Windows\{76B14CBF-E110-4e62-99C6-B41439D95E93}.exe

Filesize
180KB

MD5
c148bc57797f78031226e2da61d9aa0e

SHA1
e4a28e197dc99bb3964cd342873b66371ee82b78

SHA256
c5650d7172878b7eeeb760ff94e625b8aa207089f9a60eb3b17bfe0fc7159a1a

SHA512
4b99569ebcb6c6cdb43776dd9382ecbc939c5873a76b57f5713226d33202e2041882adc5ab9174a7d92a5bf494ece8072a03cc48070b4ffdb19a8caa177a80e0

Download Submit
C:\Windows\{79F3B3A0-4259-4e44-ABCB-3CDD87FC9E84}.exe

Filesize
180KB

MD5
047da269dff3a4a233bc22498695569a

SHA1
765d1d0408510881319d7b585baf8f46281132dd

SHA256
2ce659bfc95ab2fbc586a4221d1f6333d1508d5138a354c01c2222ddb0300a72

SHA512
ca5bd5da0c49b4a7c249f88ddf8c8a55e0ab3ca54288b5297aafd16a490fd8d6959ba8ca99b58518649b45124e22d50b33c595e51314e39da0267a731fd5dc02

Download Submit
C:\Windows\{7BFC1D34-68C8-4f17-B20C-A666ED29AC4B}.exe

Filesize
180KB

MD5
29f5575d24e6b95cc328e137661806b5

SHA1
434862d884c0493c3974ad50a62aeef64878852e

SHA256
24ae453c88c8cee7767989ed6dc641bf4bf85f07f83314e2b0ee57274519e0da

SHA512
ffe25cd376e28e69a6658d765a8b09c2e9a6c9d5896d0edf5e36130a2f882f3cbff3b552eb86f110aefe5804c8f95359ae42357cdaf9d69c48e045dfa0fbf147

Download Submit
C:\Windows\{8DF44CC2-D116-48d1-82D2-4FFCADD42FC0}.exe

Filesize
180KB

MD5
6c4b93390cbdb9e2277a8a36c07d5ec6

SHA1
abb926fdb234f60687b988c0a63ee34b016ae6d1

SHA256
816ee6f07177059daf399afaed53a6116ca1cf18b8f9101a50f1a3a616b2849b

SHA512
ee1e365a95be9ac829decb16226807438fb7fa41b063809e5333c19c5cc4aa21b6e36669b14d4c2e1e61a78afc85d0306e418bedf264b3f76e7f82250df86e5e

Download Submit
C:\Windows\{B86417BA-57F2-43da-9C0C-5BA2A81439AA}.exe

Filesize
180KB

MD5
b52485f03c56e5ce607b2b286d8d94b5

SHA1
7368168591315d7c16a1a8e03ee404e406673532

SHA256
692d44919a8c06407f0357345bee98a9d58ba840146a11ff135fbed489388977

SHA512
c46a756db421287d5431919492ad042e8a01b71e9e79de482922ba799d4ede1d41d624c3a997d52d873d2e41370e94dea8e87b7b558472b158296f202618076b

Download Submit
C:\Windows\{EBA24EFF-1E33-4179-ABA4-FE32EA13B881}.exe

Filesize
180KB

MD5
526799c8fbdcba6f95f5080644431e20

SHA1
29e4933134b8461913387b558d4aa392de1e1d00

SHA256
22bbfd08d973cd456d982c930343492037e194027450363464078df90fbb37e0

SHA512
e7b9be6511816b891e79d2e0ecb740a90ba1ea62b1ada453902ec03c8d177d94a3c91c9d7582d8ca9949d644c7c76fbf3698111b1599ff1d9385e66e630e72f5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads