af60ad077d96107a6c4db82188ff7ea8047fc2758bd40264a411ffa40e682845

Analysis

max time kernel
149s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0263a4dc63dc96d9a6c5d4e1f6d1381.exe
Size

197KB
MD5

b0263a4dc63dc96d9a6c5d4e1f6d1381
SHA1

3f1872eb8843c3ef0ea40c8d69d3c86062926b94
SHA256

af60ad077d96107a6c4db82188ff7ea8047fc2758bd40264a411ffa40e682845
SHA512

b791da1b50fdfbab7eb51859c03952c02fa8c5262b9dcf4885b4923320f1b4cb0717d512e3019e6c3b2fde798457d55eeced664db202160f439e02ab296aa424
SSDEEP

3072:jEGh0o0l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGOlEeKcAEca

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}	{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EA19D0D-3E02-47bc-9339-7744DFF5BDA8}\stubpath = "C:\\Windows\\{9EA19D0D-3E02-47bc-9339-7744DFF5BDA8}.exe"	{1A720D83-1929-450b-8E32-BFA3194345F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C01FE52A-271D-453f-858B-5D5E85A0BBFC}\stubpath = "C:\\Windows\\{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe"	{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3F9252D-99F3-451f-B512-489F2088A4C7}\stubpath = "C:\\Windows\\{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe"	{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE230723-3B93-4193-821F-33E99C49597C}	{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE230723-3B93-4193-821F-33E99C49597C}\stubpath = "C:\\Windows\\{CE230723-3B93-4193-821F-33E99C49597C}.exe"	{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6736FE48-B95D-4610-B82B-C19036CA3FA3}	{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6736FE48-B95D-4610-B82B-C19036CA3FA3}\stubpath = "C:\\Windows\\{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe"	{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A720D83-1929-450b-8E32-BFA3194345F6}\stubpath = "C:\\Windows\\{1A720D83-1929-450b-8E32-BFA3194345F6}.exe"	{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{069EEA0A-B774-4e4b-A37D-B952B2611E19}	{26D44E77-F063-4194-A551-47D164F33547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{069EEA0A-B774-4e4b-A37D-B952B2611E19}\stubpath = "C:\\Windows\\{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe"	{26D44E77-F063-4194-A551-47D164F33547}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C01FE52A-271D-453f-858B-5D5E85A0BBFC}	{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3F9252D-99F3-451f-B512-489F2088A4C7}	{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EA19D0D-3E02-47bc-9339-7744DFF5BDA8}	{1A720D83-1929-450b-8E32-BFA3194345F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69040D27-23B2-4714-91DB-40B1025A6CCA}	{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69040D27-23B2-4714-91DB-40B1025A6CCA}\stubpath = "C:\\Windows\\{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe"	{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA53455B-90BF-49ff-8A71-F50997FA8081}	{CE230723-3B93-4193-821F-33E99C49597C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA53455B-90BF-49ff-8A71-F50997FA8081}\stubpath = "C:\\Windows\\{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe"	{CE230723-3B93-4193-821F-33E99C49597C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}\stubpath = "C:\\Windows\\{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe"	{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A720D83-1929-450b-8E32-BFA3194345F6}	{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26D44E77-F063-4194-A551-47D164F33547}	b0263a4dc63dc96d9a6c5d4e1f6d1381.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26D44E77-F063-4194-A551-47D164F33547}\stubpath = "C:\\Windows\\{26D44E77-F063-4194-A551-47D164F33547}.exe"	b0263a4dc63dc96d9a6c5d4e1f6d1381.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}	{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}\stubpath = "C:\\Windows\\{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe"	{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe

Executes dropped EXE 12 IoCs

pid	Process
2396	{26D44E77-F063-4194-A551-47D164F33547}.exe
1312	{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe
2632	{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe
2232	{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe
4948	{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe
4132	{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe
4024	{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe
4360	{CE230723-3B93-4193-821F-33E99C49597C}.exe
1600	{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe
2712	{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe
2216	{1A720D83-1929-450b-8E32-BFA3194345F6}.exe
2528	{9EA19D0D-3E02-47bc-9339-7744DFF5BDA8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{26D44E77-F063-4194-A551-47D164F33547}.exe	b0263a4dc63dc96d9a6c5d4e1f6d1381.exe
File created	C:\Windows\{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe	{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe
File created	C:\Windows\{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe	{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe
File created	C:\Windows\{CE230723-3B93-4193-821F-33E99C49597C}.exe	{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe
File created	C:\Windows\{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe	{CE230723-3B93-4193-821F-33E99C49597C}.exe
File created	C:\Windows\{1A720D83-1929-450b-8E32-BFA3194345F6}.exe	{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe
File created	C:\Windows\{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe	{26D44E77-F063-4194-A551-47D164F33547}.exe
File created	C:\Windows\{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe	{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe
File created	C:\Windows\{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe	{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe
File created	C:\Windows\{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe	{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe
File created	C:\Windows\{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe	{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe
File created	C:\Windows\{9EA19D0D-3E02-47bc-9339-7744DFF5BDA8}.exe	{1A720D83-1929-450b-8E32-BFA3194345F6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3068	b0263a4dc63dc96d9a6c5d4e1f6d1381.exe
Token: SeIncBasePriorityPrivilege	2396	{26D44E77-F063-4194-A551-47D164F33547}.exe
Token: SeIncBasePriorityPrivilege	1312	{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe
Token: SeIncBasePriorityPrivilege	2632	{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe
Token: SeIncBasePriorityPrivilege	2232	{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe
Token: SeIncBasePriorityPrivilege	4948	{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe
Token: SeIncBasePriorityPrivilege	4132	{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe
Token: SeIncBasePriorityPrivilege	4024	{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe
Token: SeIncBasePriorityPrivilege	4360	{CE230723-3B93-4193-821F-33E99C49597C}.exe
Token: SeIncBasePriorityPrivilege	1600	{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe
Token: SeIncBasePriorityPrivilege	2712	{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe
Token: SeIncBasePriorityPrivilege	2216	{1A720D83-1929-450b-8E32-BFA3194345F6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2396	3068	b0263a4dc63dc96d9a6c5d4e1f6d1381.exe	89
PID 3068 wrote to memory of 2396	3068	b0263a4dc63dc96d9a6c5d4e1f6d1381.exe	89
PID 3068 wrote to memory of 2396	3068	b0263a4dc63dc96d9a6c5d4e1f6d1381.exe	89
PID 3068 wrote to memory of 1668	3068	b0263a4dc63dc96d9a6c5d4e1f6d1381.exe	90
PID 3068 wrote to memory of 1668	3068	b0263a4dc63dc96d9a6c5d4e1f6d1381.exe	90
PID 3068 wrote to memory of 1668	3068	b0263a4dc63dc96d9a6c5d4e1f6d1381.exe	90
PID 2396 wrote to memory of 1312	2396	{26D44E77-F063-4194-A551-47D164F33547}.exe	94
PID 2396 wrote to memory of 1312	2396	{26D44E77-F063-4194-A551-47D164F33547}.exe	94
PID 2396 wrote to memory of 1312	2396	{26D44E77-F063-4194-A551-47D164F33547}.exe	94
PID 2396 wrote to memory of 1200	2396	{26D44E77-F063-4194-A551-47D164F33547}.exe	95
PID 2396 wrote to memory of 1200	2396	{26D44E77-F063-4194-A551-47D164F33547}.exe	95
PID 2396 wrote to memory of 1200	2396	{26D44E77-F063-4194-A551-47D164F33547}.exe	95
PID 1312 wrote to memory of 2632	1312	{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe	97
PID 1312 wrote to memory of 2632	1312	{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe	97
PID 1312 wrote to memory of 2632	1312	{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe	97
PID 1312 wrote to memory of 1564	1312	{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe	98
PID 1312 wrote to memory of 1564	1312	{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe	98
PID 1312 wrote to memory of 1564	1312	{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe	98
PID 2632 wrote to memory of 2232	2632	{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe	99
PID 2632 wrote to memory of 2232	2632	{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe	99
PID 2632 wrote to memory of 2232	2632	{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe	99
PID 2632 wrote to memory of 3468	2632	{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe	100
PID 2632 wrote to memory of 3468	2632	{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe	100
PID 2632 wrote to memory of 3468	2632	{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe	100
PID 2232 wrote to memory of 4948	2232	{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe	101
PID 2232 wrote to memory of 4948	2232	{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe	101
PID 2232 wrote to memory of 4948	2232	{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe	101
PID 2232 wrote to memory of 868	2232	{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe	102
PID 2232 wrote to memory of 868	2232	{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe	102
PID 2232 wrote to memory of 868	2232	{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe	102
PID 4948 wrote to memory of 4132	4948	{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe	103
PID 4948 wrote to memory of 4132	4948	{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe	103
PID 4948 wrote to memory of 4132	4948	{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe	103
PID 4948 wrote to memory of 3960	4948	{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe	104
PID 4948 wrote to memory of 3960	4948	{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe	104
PID 4948 wrote to memory of 3960	4948	{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe	104
PID 4132 wrote to memory of 4024	4132	{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe	105
PID 4132 wrote to memory of 4024	4132	{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe	105
PID 4132 wrote to memory of 4024	4132	{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe	105
PID 4132 wrote to memory of 1504	4132	{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe	106
PID 4132 wrote to memory of 1504	4132	{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe	106
PID 4132 wrote to memory of 1504	4132	{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe	106
PID 4024 wrote to memory of 4360	4024	{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe	107
PID 4024 wrote to memory of 4360	4024	{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe	107
PID 4024 wrote to memory of 4360	4024	{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe	107
PID 4024 wrote to memory of 2896	4024	{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe	108
PID 4024 wrote to memory of 2896	4024	{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe	108
PID 4024 wrote to memory of 2896	4024	{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe	108
PID 4360 wrote to memory of 1600	4360	{CE230723-3B93-4193-821F-33E99C49597C}.exe	109
PID 4360 wrote to memory of 1600	4360	{CE230723-3B93-4193-821F-33E99C49597C}.exe	109
PID 4360 wrote to memory of 1600	4360	{CE230723-3B93-4193-821F-33E99C49597C}.exe	109
PID 4360 wrote to memory of 4588	4360	{CE230723-3B93-4193-821F-33E99C49597C}.exe	110
PID 4360 wrote to memory of 4588	4360	{CE230723-3B93-4193-821F-33E99C49597C}.exe	110
PID 4360 wrote to memory of 4588	4360	{CE230723-3B93-4193-821F-33E99C49597C}.exe	110
PID 1600 wrote to memory of 2712	1600	{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe	111
PID 1600 wrote to memory of 2712	1600	{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe	111
PID 1600 wrote to memory of 2712	1600	{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe	111
PID 1600 wrote to memory of 3736	1600	{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe	112
PID 1600 wrote to memory of 3736	1600	{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe	112
PID 1600 wrote to memory of 3736	1600	{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe	112
PID 2712 wrote to memory of 2216	2712	{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe	113
PID 2712 wrote to memory of 2216	2712	{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe	113
PID 2712 wrote to memory of 2216	2712	{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe	113
PID 2712 wrote to memory of 4372	2712	{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe	114

C:\Users\Admin\AppData\Local\Temp\b0263a4dc63dc96d9a6c5d4e1f6d1381.exe
"C:\Users\Admin\AppData\Local\Temp\b0263a4dc63dc96d9a6c5d4e1f6d1381.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\{26D44E77-F063-4194-A551-47D164F33547}.exe
  C:\Windows\{26D44E77-F063-4194-A551-47D164F33547}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe
    C:\Windows\{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe
      C:\Windows\{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe
        
        C:\Windows\{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe
        
        C:\Windows\{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe
        
        C:\Windows\{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe
        
        C:\Windows\{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\{CE230723-3B93-4193-821F-33E99C49597C}.exe
        
        C:\Windows\{CE230723-3B93-4193-821F-33E99C49597C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe
        
        C:\Windows\{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe
        
        C:\Windows\{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{1A720D83-1929-450b-8E32-BFA3194345F6}.exe
        
        C:\Windows\{1A720D83-1929-450b-8E32-BFA3194345F6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{9EA19D0D-3E02-47bc-9339-7744DFF5BDA8}.exe
        
        C:\Windows\{9EA19D0D-3E02-47bc-9339-7744DFF5BDA8}.exe
        13⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A720~1.EXE > nul
        13⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD6EC~1.EXE > nul
        12⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA534~1.EXE > nul
        11⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE230~1.EXE > nul
        10⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6736F~1.EXE > nul
        9⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3F92~1.EXE > nul
        8⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69040~1.EXE > nul
        7⤵
        
        PID:3960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C01FE~1.EXE > nul
        6⤵
        
        PID:868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18DF3~1.EXE > nul
        5⤵
        
        PID:3468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{069EE~1.EXE > nul
      4⤵
      PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{26D44~1.EXE > nul
    3⤵
    PID:1200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B0263A~1.EXE > nul
  2⤵
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{069EEA0A-B774-4e4b-A37D-B952B2611E19}.exe

Filesize
197KB

MD5
a34ccb4a006a9f2a3130282d95f0eac5

SHA1
037aa28a7ae5640f66ad5460dc33d8e1fe22f847

SHA256
e68818968303579ba94cba6379514527d7d833f0d37e7ae756ee38ee2d788d80

SHA512
ecd7ba9cfa972ce070d60582283e380cd4da65968f0c23b9acbd998cb20bfc37b874bba79d418985086968aebfed96a02ccd2b790fa1a989975c573e014133c3

Download Submit
C:\Windows\{18DF3C9E-E763-484c-B501-E0E8C5BE25BC}.exe

Filesize
197KB

MD5
8829c92d3fe1c3443509efba2acc09cc

SHA1
e43516dcdaeff14994b7f290694d15b90515c1c3

SHA256
79fc84198504962f8c8d9fdc1ffe2849c29f54850d7bbc1bd03800c5a50b87bf

SHA512
6b1a6e10eec97306f54eade9cff5bb215d5afdab845e769994030a5d91fe827ae6f15ab11b261c8d837e66707663689349822d1e4d76b66d84536de2d8be6250

Download Submit
C:\Windows\{1A720D83-1929-450b-8E32-BFA3194345F6}.exe

Filesize
197KB

MD5
eedbbbc527ae560f3e512cbf55eebe02

SHA1
15d19c82a9c0e89402cbb07d0331cab7de4be384

SHA256
99d100012224e3a54b13661b5fa3f35140d3c57320ab167c9f2364c5b23fc7fd

SHA512
4bea2cd24412c04eb801c14a86a03b769bbbaf1a67814b98d65e1d5ba2f632f383ad79e1b184850fe63e6d1e45bc2eac542eecb99b39f09e693c40170a7a7901

Download Submit
C:\Windows\{26D44E77-F063-4194-A551-47D164F33547}.exe

Filesize
197KB

MD5
d748b62e3a804d7e0a28ac487183614c

SHA1
18837bf6a5f78bee14d39fa3c2df7589277be041

SHA256
dcbc96d04462231e5476d0f2b352ae3df7676e2b3f54039364eb1d04d0ebaacd

SHA512
713a8372d2640cde0c1cbcafe47388439d1cc1a7c43a89848124d3341262994ea745aa28e050a9f084a52c8d274b3ace2170c7d4e9d50006b0290ee0441914c6

Download Submit
C:\Windows\{6736FE48-B95D-4610-B82B-C19036CA3FA3}.exe

Filesize
197KB

MD5
44daabe546ebec2539dfb9cce50e44d0

SHA1
a69010a78f351ffc460728775ac4a370dad324e2

SHA256
e0dbac751e34fd1801fe6b2da61fca1573ab055243b4c1dd402defc19581a502

SHA512
80c645949ef4926961d0e3835b365a5bf2106ac046c5af0c0b92754ed22918766c8a9242b4424bb967709399b6cd4323bccdac9c1563971d13023b262a5eeeb3

Download Submit
C:\Windows\{69040D27-23B2-4714-91DB-40B1025A6CCA}.exe

Filesize
197KB

MD5
b68bb17afc27459791fad9d8a5e02783

SHA1
69980875332220ed36efe6b334d4bfd01e054af4

SHA256
82f38a35a95d687f0b9737d60c1de17063fdc1489d97a330da2e904e716dfea7

SHA512
19b0146e55e591fb10099eae0b400054010f66c102a039417b6a3a620041c4019d3d72ef91a80a8b82110c32784d13b74ff6de020b95cf02d20d9eb3b94ae79a

Download Submit
C:\Windows\{9EA19D0D-3E02-47bc-9339-7744DFF5BDA8}.exe

Filesize
197KB

MD5
7592079f6248b55c216ca6986ccef4fa

SHA1
b3131e9d59202125a28467cf88bcc10864131491

SHA256
bcc48f891f261a8953ca8744b8841811992abb5a5aac6c847ae9cf025b0054b3

SHA512
ecc45fd0fdf4cb5c9960908613278ce4a25c728adc40f44e6c96887c84744be65cc6f105ca436de8c4ce1a92660ff7e47c990728ac37f2d736f1903944b70118

Download Submit
C:\Windows\{C01FE52A-271D-453f-858B-5D5E85A0BBFC}.exe

Filesize
197KB

MD5
2ccee9af4b0edc92fb68b9b835522481

SHA1
cae9d790d9baddf47635149e27eb3a9fc2f5ff14

SHA256
df4408b402ee7edf1fc6ecb3e06dfa629c271c3ddb5b346a65639630bd56d12b

SHA512
c527a501676ff9301681631aef2b2e2c7643569076bdcada4856d7f7a35b9c59486b7dab5253ae0811f8681bc5914b1fa7b9df1e119c32c31431b53f6ae5b0f9

Download Submit
C:\Windows\{CA53455B-90BF-49ff-8A71-F50997FA8081}.exe

Filesize
197KB

MD5
7009728ae5a4bb17fedadc0ce7f41252

SHA1
f494537e714e55ce541d5ad11d88ecbdb6633b84

SHA256
e417c1bba57531010a729a3b6f7fb52d50c6cac08f34b2080f0a4f929395e8e7

SHA512
70d699a6ca5571696b89fce089bb09da24302929a1d81b335ed91a5df6c74fdc9bd0ce6c54744262782f5c54d82179a6d47302e962d063b03cd533ff7874c2b7

Download Submit
C:\Windows\{CD6ECD86-C25D-4fcc-BF2C-A0F3C58EB8BF}.exe

Filesize
197KB

MD5
a1891c0e69fe7054659f5e209cecfb07

SHA1
7f2d151eff59ce0b2eddb6021f2e54ac6c17b0df

SHA256
dbbd0780f5f7887b707659bd2d17d94e0df9d71f25acc84ccf479939eafed9a8

SHA512
3834676bca0dd6f66b728aa5e0a38697edfa472594b36dad6f43fdfe94dc7cb0fceee55ec70ecfac233bfd11e9f8a5e68e44bb9b22e0b8cbadf5501c0a79257b

Download Submit
C:\Windows\{CE230723-3B93-4193-821F-33E99C49597C}.exe

Filesize
197KB

MD5
83276d8cc684e3385660aeaea2615931

SHA1
a2da024fb8149a936cc6c41696e16350f9c2df60

SHA256
0197f642cae7ce52d9dd32b5f8fe4523923aceefd5551caf9bd4ff53810131c5

SHA512
3948b265a47cad9c8a26bef23b6960ad9068ac00e5bd4e93c9b5049d83335277ce719aff21f43fd39a72d095f25dc1a1918c82626f2f9b1e5221a08e26773552

Download Submit
C:\Windows\{F3F9252D-99F3-451f-B512-489F2088A4C7}.exe

Filesize
197KB

MD5
f3dbd0a83933b041ea8f08b51613464a

SHA1
75ece77660b326222f7f5915f1c3c02107aff495

SHA256
7fbc3f616ba5df1d7ed95bef70840e4ad047a000055d921c8de8c4d95cdfbe9e

SHA512
8415cb8711579f77ce23f83297b89cc119e9d673c01603080be45748c5ddbe55e9b343522503af44b4c02b32358dfe88686e092d73be9ec951542e6262b7b206

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads