f819c18f71e34db56e6a09f7728aab12b13b415911b808a6b678d59b24ac9c9c

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 02:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

935ba720513a9fb67f581ff6751ad04f.exe
Size

168KB
MD5

935ba720513a9fb67f581ff6751ad04f
SHA1

60709df6385ae632c8783f61defb49b267d9cba3
SHA256

f819c18f71e34db56e6a09f7728aab12b13b415911b808a6b678d59b24ac9c9c
SHA512

2ea06fb7966f429f26b15c301c2d7b0b7086974baa99db1facaf89a147de419dbfcbfc7c27d64e793021f7c749cf56e850529f70f83f2f143f6206d563f41deb
SSDEEP

1536:1EGh0ojlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ojlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41E02FA3-9052-48c6-91C7-BF5D03F7304D}	{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ADA09F3-7AF1-4047-A33D-2506E038101D}	{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}\stubpath = "C:\\Windows\\{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe"	{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C310A619-7CEA-46ab-83F0-51D871BAA946}	{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}\stubpath = "C:\\Windows\\{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe"	935ba720513a9fb67f581ff6751ad04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E28E9EA1-3B48-4509-819B-0C17537F8DE5}	{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}	{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6868D642-9D8F-4ef6-8331-7716E81D5BC1}	{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C310A619-7CEA-46ab-83F0-51D871BAA946}\stubpath = "C:\\Windows\\{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe"	{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}	{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01D38BAD-9CEF-492f-9B69-37D9A12F929D}	{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7131740-0161-4e00-8A1B-F868C915FFA0}\stubpath = "C:\\Windows\\{A7131740-0161-4e00-8A1B-F868C915FFA0}.exe"	{01D38BAD-9CEF-492f-9B69-37D9A12F929D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41E02FA3-9052-48c6-91C7-BF5D03F7304D}\stubpath = "C:\\Windows\\{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe"	{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ADA09F3-7AF1-4047-A33D-2506E038101D}\stubpath = "C:\\Windows\\{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe"	{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}	935ba720513a9fb67f581ff6751ad04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}	{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6868D642-9D8F-4ef6-8331-7716E81D5BC1}\stubpath = "C:\\Windows\\{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe"	{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}\stubpath = "C:\\Windows\\{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe"	{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01D38BAD-9CEF-492f-9B69-37D9A12F929D}\stubpath = "C:\\Windows\\{01D38BAD-9CEF-492f-9B69-37D9A12F929D}.exe"	{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7131740-0161-4e00-8A1B-F868C915FFA0}	{01D38BAD-9CEF-492f-9B69-37D9A12F929D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}\stubpath = "C:\\Windows\\{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe"	{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E28E9EA1-3B48-4509-819B-0C17537F8DE5}\stubpath = "C:\\Windows\\{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe"	{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}\stubpath = "C:\\Windows\\{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe"	{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}	{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe

Executes dropped EXE 12 IoCs

pid	Process
224	{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe
4476	{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe
4732	{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe
3548	{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe
4652	{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe
2624	{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe
936	{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe
3520	{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe
4628	{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe
4172	{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe
936	{01D38BAD-9CEF-492f-9B69-37D9A12F929D}.exe
3020	{A7131740-0161-4e00-8A1B-F868C915FFA0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe	{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe
File created	C:\Windows\{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe	{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe
File created	C:\Windows\{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe	{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe
File created	C:\Windows\{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe	{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe
File created	C:\Windows\{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe	935ba720513a9fb67f581ff6751ad04f.exe
File created	C:\Windows\{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe	{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe
File created	C:\Windows\{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe	{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe
File created	C:\Windows\{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe	{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe
File created	C:\Windows\{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe	{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe
File created	C:\Windows\{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe	{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe
File created	C:\Windows\{01D38BAD-9CEF-492f-9B69-37D9A12F929D}.exe	{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe
File created	C:\Windows\{A7131740-0161-4e00-8A1B-F868C915FFA0}.exe	{01D38BAD-9CEF-492f-9B69-37D9A12F929D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4144	935ba720513a9fb67f581ff6751ad04f.exe
Token: SeIncBasePriorityPrivilege	224	{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe
Token: SeIncBasePriorityPrivilege	4476	{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe
Token: SeIncBasePriorityPrivilege	4732	{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe
Token: SeIncBasePriorityPrivilege	3548	{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe
Token: SeIncBasePriorityPrivilege	4652	{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe
Token: SeIncBasePriorityPrivilege	2624	{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe
Token: SeIncBasePriorityPrivilege	936	{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe
Token: SeIncBasePriorityPrivilege	3520	{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe
Token: SeIncBasePriorityPrivilege	4628	{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe
Token: SeIncBasePriorityPrivilege	4172	{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe
Token: SeIncBasePriorityPrivilege	936	{01D38BAD-9CEF-492f-9B69-37D9A12F929D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 224	4144	935ba720513a9fb67f581ff6751ad04f.exe	97
PID 4144 wrote to memory of 224	4144	935ba720513a9fb67f581ff6751ad04f.exe	97
PID 4144 wrote to memory of 224	4144	935ba720513a9fb67f581ff6751ad04f.exe	97
PID 4144 wrote to memory of 2584	4144	935ba720513a9fb67f581ff6751ad04f.exe	98
PID 4144 wrote to memory of 2584	4144	935ba720513a9fb67f581ff6751ad04f.exe	98
PID 4144 wrote to memory of 2584	4144	935ba720513a9fb67f581ff6751ad04f.exe	98
PID 224 wrote to memory of 4476	224	{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe	100
PID 224 wrote to memory of 4476	224	{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe	100
PID 224 wrote to memory of 4476	224	{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe	100
PID 224 wrote to memory of 5056	224	{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe	101
PID 224 wrote to memory of 5056	224	{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe	101
PID 224 wrote to memory of 5056	224	{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe	101
PID 4476 wrote to memory of 4732	4476	{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe	108
PID 4476 wrote to memory of 4732	4476	{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe	108
PID 4476 wrote to memory of 4732	4476	{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe	108
PID 4476 wrote to memory of 2104	4476	{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe	109
PID 4476 wrote to memory of 2104	4476	{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe	109
PID 4476 wrote to memory of 2104	4476	{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe	109
PID 4732 wrote to memory of 3548	4732	{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe	114
PID 4732 wrote to memory of 3548	4732	{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe	114
PID 4732 wrote to memory of 3548	4732	{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe	114
PID 4732 wrote to memory of 2828	4732	{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe	115
PID 4732 wrote to memory of 2828	4732	{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe	115
PID 4732 wrote to memory of 2828	4732	{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe	115
PID 3548 wrote to memory of 4652	3548	{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe	116
PID 3548 wrote to memory of 4652	3548	{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe	116
PID 3548 wrote to memory of 4652	3548	{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe	116
PID 3548 wrote to memory of 3296	3548	{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe	117
PID 3548 wrote to memory of 3296	3548	{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe	117
PID 3548 wrote to memory of 3296	3548	{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe	117
PID 4652 wrote to memory of 2624	4652	{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe	118
PID 4652 wrote to memory of 2624	4652	{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe	118
PID 4652 wrote to memory of 2624	4652	{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe	118
PID 4652 wrote to memory of 2612	4652	{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe	119
PID 4652 wrote to memory of 2612	4652	{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe	119
PID 4652 wrote to memory of 2612	4652	{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe	119
PID 2624 wrote to memory of 936	2624	{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe	121
PID 2624 wrote to memory of 936	2624	{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe	121
PID 2624 wrote to memory of 936	2624	{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe	121
PID 2624 wrote to memory of 3660	2624	{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe	122
PID 2624 wrote to memory of 3660	2624	{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe	122
PID 2624 wrote to memory of 3660	2624	{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe	122
PID 936 wrote to memory of 3520	936	{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe	123
PID 936 wrote to memory of 3520	936	{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe	123
PID 936 wrote to memory of 3520	936	{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe	123
PID 936 wrote to memory of 3216	936	{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe	124
PID 936 wrote to memory of 3216	936	{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe	124
PID 936 wrote to memory of 3216	936	{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe	124
PID 3520 wrote to memory of 4628	3520	{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe	125
PID 3520 wrote to memory of 4628	3520	{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe	125
PID 3520 wrote to memory of 4628	3520	{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe	125
PID 3520 wrote to memory of 3680	3520	{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe	126
PID 3520 wrote to memory of 3680	3520	{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe	126
PID 3520 wrote to memory of 3680	3520	{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe	126
PID 4628 wrote to memory of 4172	4628	{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe	127
PID 4628 wrote to memory of 4172	4628	{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe	127
PID 4628 wrote to memory of 4172	4628	{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe	127
PID 4628 wrote to memory of 1600	4628	{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe	128
PID 4628 wrote to memory of 1600	4628	{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe	128
PID 4628 wrote to memory of 1600	4628	{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe	128
PID 4172 wrote to memory of 936	4172	{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe	129
PID 4172 wrote to memory of 936	4172	{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe	129
PID 4172 wrote to memory of 936	4172	{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe	129
PID 4172 wrote to memory of 1168	4172	{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe	130

C:\Users\Admin\AppData\Local\Temp\935ba720513a9fb67f581ff6751ad04f.exe
"C:\Users\Admin\AppData\Local\Temp\935ba720513a9fb67f581ff6751ad04f.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe
  C:\Windows\{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe
    C:\Windows\{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe
      C:\Windows\{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Windows\{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe
        
        C:\Windows\{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Windows\{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe
        
        C:\Windows\{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe
        
        C:\Windows\{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe
        
        C:\Windows\{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe
        
        C:\Windows\{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe
        
        C:\Windows\{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe
        
        C:\Windows\{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\{01D38BAD-9CEF-492f-9B69-37D9A12F929D}.exe
        
        C:\Windows\{01D38BAD-9CEF-492f-9B69-37D9A12F929D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\{A7131740-0161-4e00-8A1B-F868C915FFA0}.exe
        
        C:\Windows\{A7131740-0161-4e00-8A1B-F868C915FFA0}.exe
        13⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01D38~1.EXE > nul
        13⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C310A~1.EXE > nul
        12⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16E4F~1.EXE > nul
        11⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ADA0~1.EXE > nul
        10⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41E02~1.EXE > nul
        9⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEC8C~1.EXE > nul
        8⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6868D~1.EXE > nul
        7⤵
        
        PID:2612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89DB8~1.EXE > nul
        6⤵
        
        PID:3296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E28E9~1.EXE > nul
        5⤵
        
        PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2DADD~1.EXE > nul
      4⤵
      PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C5AC2~1.EXE > nul
    3⤵
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\935BA7~1.EXE > nul
  2⤵
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01D38BAD-9CEF-492f-9B69-37D9A12F929D}.exe

Filesize
168KB

MD5
8f0a581290447ba700780fa043d1648a

SHA1
37abd561f6543788c47e4e8413c3c48737806b88

SHA256
0e40fb28641fd8c3865873fde01baa4b2b156fda725c51a888f4bd57319aa9d8

SHA512
a55e3b6aeff9fcc7239dc6a8e5786420f77ab5c1e61c6b646775f276989b8c9f2824a41dd9145f01cc761b3101ed53aedb4b12168d9594a530f25878660e4637

Download Submit
C:\Windows\{16E4FC6C-2BD5-4d60-881E-FC7585C8EA4E}.exe

Filesize
168KB

MD5
4da8ce49135d2ed8713666a6fe951dc1

SHA1
7d78a55bc6aa7bc27cd7e3bcac4aaf35b8c62bcf

SHA256
64ff4dbe48948c2853f440ca3f71528645f5456c4d08c5a25d8c61eaf6699b19

SHA512
602a670dc91b8a99ec28c61e3e49760bb18eaae1e84c7814be60dfbc10416371625998b56d3c57cdc174be9e14121719d86c341023e9240433ceebaa0121f8ae

Download Submit
C:\Windows\{2DADD887-FACD-4007-9015-ED0C5AAF4ABE}.exe

Filesize
168KB

MD5
3cc6a373e05f01b8a66c7627605ec86d

SHA1
3dab6556af2b9c6b508589f98f80851e537b52ba

SHA256
e44d1dae4632e155e01a5c45c4632f2d45d9ab306dc2a1aee5d0d55dd0d2a6bd

SHA512
7289644c852bd731bd2b1c4657b4455bca600f3a8dd3947c6e452cd166bef389446d5f00e34d2f1590e483f8c044cab8e6365133184a08dc92ec7cbf48c7a0ce

Download Submit
C:\Windows\{41E02FA3-9052-48c6-91C7-BF5D03F7304D}.exe

Filesize
168KB

MD5
a3695f6e00e8e5f1815bf9d54b4dc32d

SHA1
1d740daebbc9d420a869da3dd4d6a1de7b8d59e9

SHA256
31e2988e333894e3b1d2c6d8ad80dffdd1d753cb7f780ec7045c9bd3abbaf6a9

SHA512
9ecd8c29e8527c5cd5f322f86ee041678ca6ffada9e4162451c709c4eaf561ca09b4e6255978d6a3317a76116dba69e985675df7f08538007629882f3477cb05

Download Submit
C:\Windows\{6868D642-9D8F-4ef6-8331-7716E81D5BC1}.exe

Filesize
168KB

MD5
eeb3024efb10b7e595f951a55567ed88

SHA1
c4b46ba5ce334997a7b7efae3d126126a7f0af21

SHA256
4ee29e906cce3a48679e3d1b0c6f37ea6f26b07c5bc0c09a3471d6df22aac6eb

SHA512
0ca58595ed7ce0015b9342385b8f95a08c6ce878d54529820266de01994a68188a06f0985b1fc7ac97cae22dcae8796e0cf02f6dfce2fe5cf431e7b9d7aced36

Download Submit
C:\Windows\{7ADA09F3-7AF1-4047-A33D-2506E038101D}.exe

Filesize
168KB

MD5
eb4fa2f60a384cd53e168c1f4366c4b3

SHA1
1379bedc7b1d3334a31a9c21c7476801daf6574b

SHA256
d8e9d304453c8e45210f7f2cd74242adbec96236da24521b9a0e1be2b0d4cb54

SHA512
74f138141479efa5438273076d726acbd09b94a9f8938dee22d216d2f30ca02f30396d66a317843cb478f2c44f0d6aedc36f02e295d306f396579733c1b89eb6

Download Submit
C:\Windows\{89DB80DB-0398-4d88-ABD2-777BA23FF8E1}.exe

Filesize
168KB

MD5
c682481c5e01d5c219665c6f92cbdb8b

SHA1
cebca8d4ef192406b6fdad490198909e8dcb3c04

SHA256
913bbc4dae60b0d843f65a55ab169f7daafe0540050250a2258fa5b102973cc9

SHA512
f7809b6253ca4981d2155e46b126d982d2378a05686dc674f6817032798fd5441c0e2df4161fbb71bdcf015e741ea64f38b865485885cefae3babbeb1c0ae270

Download Submit
C:\Windows\{A7131740-0161-4e00-8A1B-F868C915FFA0}.exe

Filesize
168KB

MD5
da23b3774a57945be3d9948f0a18b7e0

SHA1
5ddf134dfd59c272e0ddd167caa3166cc7348edf

SHA256
cf9d47aa199195c7a80bc0481eca3551c523fc96a1d0a0dffdcbe89f81fc4600

SHA512
1fb4a92155b1293cf9d901aa3e101f93727cee83aa64f4d6305599d57c3be04f4db4ba756c836a6f29b299c432547dae8d1b56af34ba08990b8eb4d7cff3e25a

Download Submit
C:\Windows\{BEC8C403-3B1F-46dc-854B-EA201B9DDCBB}.exe

Filesize
168KB

MD5
760720bfe1412f1e56ad268c2d69587f

SHA1
997046fd5809cece71ca778de770112b0c77ca40

SHA256
311476eacc682cf1642e390635ba918bb4d92a19cc1ffca2520709fb50c2cb32

SHA512
d773aa5269a3aac8bb695f6209840e238d10312b157a4a77d47217e3d0a22c18f8784e6270f87e0c93ffaf81223256465a2904e4fb0efa4d1f91c1524fffdde4

Download Submit
C:\Windows\{C310A619-7CEA-46ab-83F0-51D871BAA946}.exe

Filesize
168KB

MD5
6923e53fc9d1069de41a1c3574edc106

SHA1
9d06a039856b03694e0d84d61435d45809ca201b

SHA256
6a0d8548117005858c0179ac769b2a8de38c28747b792b181918a3692a108476

SHA512
169511d8a8b73e068917f97321de895da8c06b1a56114afff080fb337a3e284aa81d06eabe2d10327173d8f2dc362af7f99760ea745770e94dce7984f678b632

Download Submit
C:\Windows\{C5AC2597-4ECE-43c3-86D9-E2C8755AC2F7}.exe

Filesize
168KB

MD5
3d6ca7b2903b5611260f6e0ac99ec44e

SHA1
205c76f4b21563929aec78fe271b6e6819fa2652

SHA256
8cc5c9df57d6046c6672bf9b11fe82111236a3405a91d9e632b15e52ab3bab52

SHA512
a565a5f2da25ee11eff9c588339035ddb61a216b1c4465e344dd02001f59e90595cd06141e73848fc8aa0f75e83a375e2480ee390ee8b75c8aefe02f148ad599

Download Submit
C:\Windows\{E28E9EA1-3B48-4509-819B-0C17537F8DE5}.exe

Filesize
168KB

MD5
817791256e08daebf986638def617bee

SHA1
c71ecaae8fbaf0154a57125230ceec51a2f0a99a

SHA256
1ea1b0a512e16ff2af5ee48663a337a41fe5fe9f2a403b1cc93b06eb9acee6ee

SHA512
435ec259b24975bc0265d3168b56272552e5feddccaf3159f9295761f22b61f7e1863e341dacf6398111e8d132360183e361b356fb0e4af13aa071915b60a1b3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads