a0ce0e2e462397dd4fb9ec8ed3514888de87ac7307de040a4376f6d6c6a14fcf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f51868b4244dd15e4c3f848d856c24d.exe
Size

197KB
MD5

3f51868b4244dd15e4c3f848d856c24d
SHA1

6b4941a85468926a2803b2fcb91ccf6b32c72389
SHA256

a0ce0e2e462397dd4fb9ec8ed3514888de87ac7307de040a4376f6d6c6a14fcf
SHA512

0ba5725f21b5be724ac52767eaf356f3b3d8fc5bf4cb04b14273a8a824c35d8fe6d5942dfd9864715fef74a043bc98c6046c5c363b34fd605c8d309351bb5c65
SSDEEP

3072:jEGh0oDl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGplEeKcAEca

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBA43404-0C95-43e9-849A-322A12D5E5B3}\stubpath = "C:\\Windows\\{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe"	{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F71C2E3B-ECCB-4208-A134-4C4257F96A55}\stubpath = "C:\\Windows\\{F71C2E3B-ECCB-4208-A134-4C4257F96A55}.exe"	{028C44F6-BAC0-4885-B66A-34589C782140}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}\stubpath = "C:\\Windows\\{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe"	3f51868b4244dd15e4c3f848d856c24d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48B060BC-0415-46bd-9D99-44048A1DE4FA}	{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}\stubpath = "C:\\Windows\\{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe"	{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}	{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}\stubpath = "C:\\Windows\\{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe"	{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}\stubpath = "C:\\Windows\\{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe"	{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{028C44F6-BAC0-4885-B66A-34589C782140}	{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F71C2E3B-ECCB-4208-A134-4C4257F96A55}	{028C44F6-BAC0-4885-B66A-34589C782140}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48B060BC-0415-46bd-9D99-44048A1DE4FA}\stubpath = "C:\\Windows\\{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe"	{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}	{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7260FEC5-7978-4795-A80B-FDBD7C074917}	{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7260FEC5-7978-4795-A80B-FDBD7C074917}\stubpath = "C:\\Windows\\{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe"	{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}	{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}	{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}\stubpath = "C:\\Windows\\{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe"	{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBA43404-0C95-43e9-849A-322A12D5E5B3}	{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CF49BEB-C143-48e1-B123-F0581689BF7F}	{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CF49BEB-C143-48e1-B123-F0581689BF7F}\stubpath = "C:\\Windows\\{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe"	{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}	3f51868b4244dd15e4c3f848d856c24d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}\stubpath = "C:\\Windows\\{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe"	{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}	{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{028C44F6-BAC0-4885-B66A-34589C782140}\stubpath = "C:\\Windows\\{028C44F6-BAC0-4885-B66A-34589C782140}.exe"	{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe

Deletes itself 1 IoCs

pid	Process
4944	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
876	{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe
4756	{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe
2872	{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe
4744	{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe
1836	{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe
4436	{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe
5100	{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe
4684	{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe
1696	{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe
4844	{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe
3384	{028C44F6-BAC0-4885-B66A-34589C782140}.exe
4108	{F71C2E3B-ECCB-4208-A134-4C4257F96A55}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe	{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe
File created	C:\Windows\{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe	{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe
File created	C:\Windows\{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe	{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe
File created	C:\Windows\{028C44F6-BAC0-4885-B66A-34589C782140}.exe	{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe
File created	C:\Windows\{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe	3f51868b4244dd15e4c3f848d856c24d.exe
File created	C:\Windows\{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe	{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe
File created	C:\Windows\{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe	{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe
File created	C:\Windows\{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe	{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe
File created	C:\Windows\{F71C2E3B-ECCB-4208-A134-4C4257F96A55}.exe	{028C44F6-BAC0-4885-B66A-34589C782140}.exe
File created	C:\Windows\{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe	{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe
File created	C:\Windows\{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe	{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe
File created	C:\Windows\{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe	{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3012	3f51868b4244dd15e4c3f848d856c24d.exe
Token: SeIncBasePriorityPrivilege	876	{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe
Token: SeIncBasePriorityPrivilege	4756	{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe
Token: SeIncBasePriorityPrivilege	2872	{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe
Token: SeIncBasePriorityPrivilege	4744	{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe
Token: SeIncBasePriorityPrivilege	1836	{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe
Token: SeIncBasePriorityPrivilege	4436	{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe
Token: SeIncBasePriorityPrivilege	5100	{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe
Token: SeIncBasePriorityPrivilege	4684	{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe
Token: SeIncBasePriorityPrivilege	1696	{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe
Token: SeIncBasePriorityPrivilege	4844	{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe
Token: SeIncBasePriorityPrivilege	3384	{028C44F6-BAC0-4885-B66A-34589C782140}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 876	3012	3f51868b4244dd15e4c3f848d856c24d.exe	89
PID 3012 wrote to memory of 876	3012	3f51868b4244dd15e4c3f848d856c24d.exe	89
PID 3012 wrote to memory of 876	3012	3f51868b4244dd15e4c3f848d856c24d.exe	89
PID 3012 wrote to memory of 4944	3012	3f51868b4244dd15e4c3f848d856c24d.exe	90
PID 3012 wrote to memory of 4944	3012	3f51868b4244dd15e4c3f848d856c24d.exe	90
PID 3012 wrote to memory of 4944	3012	3f51868b4244dd15e4c3f848d856c24d.exe	90
PID 876 wrote to memory of 4756	876	{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe	93
PID 876 wrote to memory of 4756	876	{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe	93
PID 876 wrote to memory of 4756	876	{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe	93
PID 876 wrote to memory of 4832	876	{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe	94
PID 876 wrote to memory of 4832	876	{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe	94
PID 876 wrote to memory of 4832	876	{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe	94
PID 4756 wrote to memory of 2872	4756	{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe	97
PID 4756 wrote to memory of 2872	4756	{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe	97
PID 4756 wrote to memory of 2872	4756	{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe	97
PID 4756 wrote to memory of 2284	4756	{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe	96
PID 4756 wrote to memory of 2284	4756	{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe	96
PID 4756 wrote to memory of 2284	4756	{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe	96
PID 2872 wrote to memory of 4744	2872	{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe	98
PID 2872 wrote to memory of 4744	2872	{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe	98
PID 2872 wrote to memory of 4744	2872	{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe	98
PID 2872 wrote to memory of 1780	2872	{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe	99
PID 2872 wrote to memory of 1780	2872	{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe	99
PID 2872 wrote to memory of 1780	2872	{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe	99
PID 4744 wrote to memory of 1836	4744	{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe	100
PID 4744 wrote to memory of 1836	4744	{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe	100
PID 4744 wrote to memory of 1836	4744	{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe	100
PID 4744 wrote to memory of 1216	4744	{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe	101
PID 4744 wrote to memory of 1216	4744	{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe	101
PID 4744 wrote to memory of 1216	4744	{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe	101
PID 1836 wrote to memory of 4436	1836	{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe	102
PID 1836 wrote to memory of 4436	1836	{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe	102
PID 1836 wrote to memory of 4436	1836	{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe	102
PID 1836 wrote to memory of 408	1836	{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe	103
PID 1836 wrote to memory of 408	1836	{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe	103
PID 1836 wrote to memory of 408	1836	{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe	103
PID 4436 wrote to memory of 5100	4436	{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe	104
PID 4436 wrote to memory of 5100	4436	{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe	104
PID 4436 wrote to memory of 5100	4436	{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe	104
PID 4436 wrote to memory of 716	4436	{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe	105
PID 4436 wrote to memory of 716	4436	{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe	105
PID 4436 wrote to memory of 716	4436	{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe	105
PID 5100 wrote to memory of 4684	5100	{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe	106
PID 5100 wrote to memory of 4684	5100	{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe	106
PID 5100 wrote to memory of 4684	5100	{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe	106
PID 5100 wrote to memory of 4268	5100	{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe	107
PID 5100 wrote to memory of 4268	5100	{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe	107
PID 5100 wrote to memory of 4268	5100	{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe	107
PID 4684 wrote to memory of 1696	4684	{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe	108
PID 4684 wrote to memory of 1696	4684	{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe	108
PID 4684 wrote to memory of 1696	4684	{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe	108
PID 4684 wrote to memory of 3220	4684	{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe	109
PID 4684 wrote to memory of 3220	4684	{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe	109
PID 4684 wrote to memory of 3220	4684	{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe	109
PID 1696 wrote to memory of 4844	1696	{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe	110
PID 1696 wrote to memory of 4844	1696	{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe	110
PID 1696 wrote to memory of 4844	1696	{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe	110
PID 1696 wrote to memory of 2524	1696	{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe	111
PID 1696 wrote to memory of 2524	1696	{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe	111
PID 1696 wrote to memory of 2524	1696	{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe	111
PID 4844 wrote to memory of 3384	4844	{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe	112
PID 4844 wrote to memory of 3384	4844	{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe	112
PID 4844 wrote to memory of 3384	4844	{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe	112
PID 4844 wrote to memory of 564	4844	{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe	113

C:\Users\Admin\AppData\Local\Temp\3f51868b4244dd15e4c3f848d856c24d.exe
"C:\Users\Admin\AppData\Local\Temp\3f51868b4244dd15e4c3f848d856c24d.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe
  C:\Windows\{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe
    C:\Windows\{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{48B06~1.EXE > nul
      4⤵
      PID:2284
  - - C:\Windows\{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe
      C:\Windows\{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe
        
        C:\Windows\{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe
        
        C:\Windows\{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe
        
        C:\Windows\{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe
        
        C:\Windows\{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe
        
        C:\Windows\{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe
        
        C:\Windows\{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe
        
        C:\Windows\{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\{028C44F6-BAC0-4885-B66A-34589C782140}.exe
        
        C:\Windows\{028C44F6-BAC0-4885-B66A-34589C782140}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
        
        C:\Windows\{F71C2E3B-ECCB-4208-A134-4C4257F96A55}.exe
        
        C:\Windows\{F71C2E3B-ECCB-4208-A134-4C4257F96A55}.exe
        13⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{028C4~1.EXE > nul
        13⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CF49~1.EXE > nul
        12⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBA43~1.EXE > nul
        11⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC93~1.EXE > nul
        10⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8C5A~1.EXE > nul
        9⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E9EA~1.EXE > nul
        8⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3977~1.EXE > nul
        7⤵
        
        PID:408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7260F~1.EXE > nul
        6⤵
        
        PID:1216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{435D5~1.EXE > nul
        5⤵
        
        PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D1F00~1.EXE > nul
    3⤵
    PID:4832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3F5186~1.EXE > nul
  2⤵
  - Deletes itself
  PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{028C44F6-BAC0-4885-B66A-34589C782140}.exe

Filesize
197KB

MD5
3c1f619361b23380747f9031674b0108

SHA1
4b910ca67528d6166bf344a6affddc2eb512223a

SHA256
fce6407f779623bbbac2b7ec44c89410a0fce4adcdc65c99fdae042a72685d39

SHA512
309d690d483322da0f0c41722d14bd3c5ae36ed6f494d49fc5dd495db9bffc72a3aab88072c5fa6373d3490cb531594e69812131f93b0ebc0c3f6c11b20e0f1d

Download Submit
C:\Windows\{1E9EA13E-5FE4-4c48-9782-E3CD9C9E28C6}.exe

Filesize
197KB

MD5
8cd0d19dd813103f667b87f6e0d66857

SHA1
ed7650c8e654cd02ff4197c7f6a3e9ef645eeffc

SHA256
e318a8bd9be3d4ea54db9aecae3d3cf6675e01e49939b363e055093e1b86be9f

SHA512
cda5e6b41a3138e9f2303aec4385e779169e223fda23bc2da1e6ff688c38003b4106294f6df3033a04ff754d8f85936be39a60eb4c521f15c02ede0ea22c425e

Download Submit
C:\Windows\{435D59FB-7F83-4bdd-93D7-1EEA634A0EDE}.exe

Filesize
197KB

MD5
ad9e2e0457b30cb3ddaceccee92146ef

SHA1
8602b73f96cc6241d405bab89d1d871a1235effd

SHA256
7185a568432b2916f065962bf146392026e30ebd074af96ace708f18ecceed90

SHA512
9f21dfb7a5524639c20d43745a71a364675bd95d0fb5da6c13dcb52c2d4c1fa57cb8b39c98c4586b35d36097b35c2d67d7635f4e26f91838e061ae20c6cdd79e

Download Submit
C:\Windows\{48B060BC-0415-46bd-9D99-44048A1DE4FA}.exe

Filesize
197KB

MD5
bd5617b087369980bb9479cd0246fc90

SHA1
c11eb52289d3902f4567f37a882707faf5b3f771

SHA256
269b83ada66ad0b2e16cfa5dbd8bf15d6b480c31b7233e1594d4b124e972f69f

SHA512
9430d35af7b61b0c033aba4239fdb398a5eab85442194cef1d2dd93b1f1d1b83255c8495e8eb51e443599fac95c87fb83891fa4e024d1c317be3d0e00ce0b36d

Download Submit
C:\Windows\{6CF49BEB-C143-48e1-B123-F0581689BF7F}.exe

Filesize
197KB

MD5
1b1d9adfcac9e2564082b806015801d9

SHA1
f8933c23507260f08accee3d4b09388b4b0c8f7e

SHA256
db69eee7040663e488c9b6c7b3717c04454658d473a191f2dc0268e553ad705a

SHA512
52cdc071f947aea1d7fa74778b9992e6ad440eecd11481e854a872eaa84c935dcd016cfc4a7612d9a4df9dba91ca8712ff79379fc426c4f3ebbba2a655f035af

Download Submit
C:\Windows\{7260FEC5-7978-4795-A80B-FDBD7C074917}.exe

Filesize
197KB

MD5
55acb6d9528c149f91834907ab8a2707

SHA1
51e56809b36d6c89cbc4bfe7f3e7edb27fb648f7

SHA256
8aca803ed0b62ee3c9b5d8755acfba7b3ce20c6104476e6bdf370969b5c4775f

SHA512
677f6de1df5761dffc78c9e2ca8f984939565d44c5cc4702112d32884549c8c0c95c39838476964bf4447c740447929a562e4a6c91ed776e6f96986b39dcef16

Download Submit
C:\Windows\{C8C5A7B2-F38B-4397-A61A-D01F50C1D47B}.exe

Filesize
197KB

MD5
61361b1fbe28fbffcefc80c00f4f610c

SHA1
f7b1a5b965ec28465c4837e18247a511b05b8eb0

SHA256
1967281b9f14bdb7597933f4c67cb8fe8b13368a4e6c8bfed2364a2e57a1e94b

SHA512
176e3c3c0fd82ba0f413dc3b515432be06e5daead53159f80518308d0b6effccee910ad60b9dd1a668a4bb82f78a0bcd978c337ce1f3fe58cdc70b663082b14f

Download Submit
C:\Windows\{D1F00B48-EF0A-4e18-958E-E21D47FF3B3D}.exe

Filesize
197KB

MD5
39d7f5e0c796080d312db8ab85cbfea8

SHA1
9fb9972dc20b744c1b6a4fc03912a7757215d312

SHA256
d1fa5a6e1e3979686b230bde963690a238afcca5a802ccd906a840893957a731

SHA512
7e9a48ba72951bf185ee6fc0cab216fa40eaed0514f0d28a2b3f69971c2f5daf586d4f75a7edfdaf5ad1efa85d1752aaea8d8eda7f42365d03ce885a06d57bcf

Download Submit
C:\Windows\{EBA43404-0C95-43e9-849A-322A12D5E5B3}.exe

Filesize
197KB

MD5
89caccfbd7fbbe1d8f16975b29daa528

SHA1
6b6be33f46e9b2ee21a99c266050873b54e8138f

SHA256
36aa36d2a34ed53d8dadd05b5c2747cad6af21daa8b537756cdadb76de6bbe7a

SHA512
8292d9a135c0b1ee6fa466d0ddbf5fdc63894643ad317fedc56d6f7eb301ee7b49df25a6ee841f41ebabb4709443358e61497b59f74e8f2855117728c758c380

Download Submit
C:\Windows\{EEC93004-0ECC-4faa-9EA7-212F9C46EA76}.exe

Filesize
197KB

MD5
8e3e9e44a7917237e28aa45f32c8d280

SHA1
4234215de200d1e015abab16267c73d75f95ce94

SHA256
d15c89e9771097ed8d1d3e932b3d08efd69b7abf5e99700dbde7c3eead3692fd

SHA512
4143cf6b94c9e1c2274e6b43d79d24f7171a132671706f722bb3d17eba380f7d67c15333fbd3c6103000cedea7dba21830e68bfa3dfe7ace96210180699d55e1

Download Submit
C:\Windows\{F3977EFA-C99B-452e-9CF9-F65F46AFD2F7}.exe

Filesize
197KB

MD5
e68fab098b46c40f75a58b7c98d6a3e8

SHA1
84478a6da23b8effa22d0be534575f9ac2ed1bf2

SHA256
95ab1bb31f07ddee88db61545140deed1f98f25f6fa286e77d9bd900a7029d10

SHA512
ee72c2459edd3afe1ca8dcef86776b0166d91e7c4e7d567389cd4c4eec936fb6d0f5bfbffff9a5b318a04c3e964896f3839df4fffc9f458afd1a50497886cefa

Download Submit
C:\Windows\{F71C2E3B-ECCB-4208-A134-4C4257F96A55}.exe

Filesize
197KB

MD5
5b3530f3dbab913edb81449944e76c32

SHA1
822df4d8225c904bba885ec03973aa4c9d585d9e

SHA256
0d81ca23482a299fbc75e38191bb79d4d1e10ad21d081fc7cb82fa537ce63b19

SHA512
ac6b36df872bc90d3e7bf9223b3ecc69699d016190b4e2d16f041d07186009b547b4f9a379a7f6f713203b8ef06db37aac7032303f2631c2c49c2981ae95505b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads