a2151d3128962dff0d3964fdf064e6ea3b3ad5dad1de0de0825f477f7e0b8710

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb4ec421f949b323260a50947879d361.exe
Size

344KB
MD5

cb4ec421f949b323260a50947879d361
SHA1

47126815a3400d5b3ce96af50cb117b91d176abe
SHA256

a2151d3128962dff0d3964fdf064e6ea3b3ad5dad1de0de0825f477f7e0b8710
SHA512

d6a8f87ccd4b97102946031ea884697eb020778114e9dd08db20adf8e38f03d73c24fb69636c452bec461b3e2a89d9227ea21ca40a6d4419a2da2bcecba9ba3e
SSDEEP

3072:mEGh0oxlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG3lqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}	{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CEC9AB6-0589-410e-A72B-8B494A980F78}	{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6DA915B-CAAB-46c7-B1D1-AA58B9B720B9}	{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7031DB6-EFA9-4b32-AE61-C07465901692}	{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F197025-C261-4828-BEE9-96A464E96EC6}	{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A02A179A-3BBF-4774-B1FA-125B906A2A7D}\stubpath = "C:\\Windows\\{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe"	{2F197025-C261-4828-BEE9-96A464E96EC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{665B8988-BF2F-40cb-9ED5-A64241127F35}	{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E33479F-68BA-400b-AB55-BCBC8BFBC935}	{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B796FE3C-CC40-482c-A101-B53ACF1F7DFD}	{F6DA915B-CAAB-46c7-B1D1-AA58B9B720B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B796FE3C-CC40-482c-A101-B53ACF1F7DFD}\stubpath = "C:\\Windows\\{B796FE3C-CC40-482c-A101-B53ACF1F7DFD}.exe"	{F6DA915B-CAAB-46c7-B1D1-AA58B9B720B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9872DC17-65D5-4120-AD05-46F6CB57A3C8}\stubpath = "C:\\Windows\\{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe"	{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7031DB6-EFA9-4b32-AE61-C07465901692}\stubpath = "C:\\Windows\\{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe"	{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}\stubpath = "C:\\Windows\\{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe"	{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F197025-C261-4828-BEE9-96A464E96EC6}\stubpath = "C:\\Windows\\{2F197025-C261-4828-BEE9-96A464E96EC6}.exe"	{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A02A179A-3BBF-4774-B1FA-125B906A2A7D}	{2F197025-C261-4828-BEE9-96A464E96EC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CEC9AB6-0589-410e-A72B-8B494A980F78}\stubpath = "C:\\Windows\\{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe"	{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{665B8988-BF2F-40cb-9ED5-A64241127F35}\stubpath = "C:\\Windows\\{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe"	{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E33479F-68BA-400b-AB55-BCBC8BFBC935}\stubpath = "C:\\Windows\\{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe"	{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E870C23-1473-4bca-8D3F-9FC7D786ED19}\stubpath = "C:\\Windows\\{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe"	cb4ec421f949b323260a50947879d361.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9872DC17-65D5-4120-AD05-46F6CB57A3C8}	{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}	{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}\stubpath = "C:\\Windows\\{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe"	{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6DA915B-CAAB-46c7-B1D1-AA58B9B720B9}\stubpath = "C:\\Windows\\{F6DA915B-CAAB-46c7-B1D1-AA58B9B720B9}.exe"	{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E870C23-1473-4bca-8D3F-9FC7D786ED19}	cb4ec421f949b323260a50947879d361.exe

Executes dropped EXE 12 IoCs

pid	Process
3396	{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe
3080	{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe
4780	{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe
1216	{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe
3168	{2F197025-C261-4828-BEE9-96A464E96EC6}.exe
1568	{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe
5116	{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe
4832	{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe
2388	{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe
2792	{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe
1840	{F6DA915B-CAAB-46c7-B1D1-AA58B9B720B9}.exe
400	{B796FE3C-CC40-482c-A101-B53ACF1F7DFD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe	{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe
File created	C:\Windows\{F6DA915B-CAAB-46c7-B1D1-AA58B9B720B9}.exe	{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe
File created	C:\Windows\{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe	{2F197025-C261-4828-BEE9-96A464E96EC6}.exe
File created	C:\Windows\{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe	{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe
File created	C:\Windows\{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe	{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe
File created	C:\Windows\{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe	{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe
File created	C:\Windows\{2F197025-C261-4828-BEE9-96A464E96EC6}.exe	{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe
File created	C:\Windows\{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe	{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe
File created	C:\Windows\{B796FE3C-CC40-482c-A101-B53ACF1F7DFD}.exe	{F6DA915B-CAAB-46c7-B1D1-AA58B9B720B9}.exe
File created	C:\Windows\{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe	cb4ec421f949b323260a50947879d361.exe
File created	C:\Windows\{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe	{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe
File created	C:\Windows\{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe	{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	988	cb4ec421f949b323260a50947879d361.exe
Token: SeIncBasePriorityPrivilege	3396	{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe
Token: SeIncBasePriorityPrivilege	3080	{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe
Token: SeIncBasePriorityPrivilege	4780	{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe
Token: SeIncBasePriorityPrivilege	1216	{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe
Token: SeIncBasePriorityPrivilege	3168	{2F197025-C261-4828-BEE9-96A464E96EC6}.exe
Token: SeIncBasePriorityPrivilege	1568	{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe
Token: SeIncBasePriorityPrivilege	5116	{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe
Token: SeIncBasePriorityPrivilege	4832	{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe
Token: SeIncBasePriorityPrivilege	2388	{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe
Token: SeIncBasePriorityPrivilege	2792	{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe
Token: SeIncBasePriorityPrivilege	1840	{F6DA915B-CAAB-46c7-B1D1-AA58B9B720B9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 3396	988	cb4ec421f949b323260a50947879d361.exe	94
PID 988 wrote to memory of 3396	988	cb4ec421f949b323260a50947879d361.exe	94
PID 988 wrote to memory of 3396	988	cb4ec421f949b323260a50947879d361.exe	94
PID 988 wrote to memory of 2172	988	cb4ec421f949b323260a50947879d361.exe	95
PID 988 wrote to memory of 2172	988	cb4ec421f949b323260a50947879d361.exe	95
PID 988 wrote to memory of 2172	988	cb4ec421f949b323260a50947879d361.exe	95
PID 3396 wrote to memory of 3080	3396	{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe	96
PID 3396 wrote to memory of 3080	3396	{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe	96
PID 3396 wrote to memory of 3080	3396	{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe	96
PID 3396 wrote to memory of 212	3396	{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe	97
PID 3396 wrote to memory of 212	3396	{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe	97
PID 3396 wrote to memory of 212	3396	{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe	97
PID 3080 wrote to memory of 4780	3080	{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe	99
PID 3080 wrote to memory of 4780	3080	{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe	99
PID 3080 wrote to memory of 4780	3080	{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe	99
PID 3080 wrote to memory of 1744	3080	{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe	100
PID 3080 wrote to memory of 1744	3080	{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe	100
PID 3080 wrote to memory of 1744	3080	{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe	100
PID 4780 wrote to memory of 1216	4780	{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe	101
PID 4780 wrote to memory of 1216	4780	{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe	101
PID 4780 wrote to memory of 1216	4780	{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe	101
PID 4780 wrote to memory of 2756	4780	{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe	102
PID 4780 wrote to memory of 2756	4780	{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe	102
PID 4780 wrote to memory of 2756	4780	{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe	102
PID 1216 wrote to memory of 3168	1216	{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe	103
PID 1216 wrote to memory of 3168	1216	{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe	103
PID 1216 wrote to memory of 3168	1216	{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe	103
PID 1216 wrote to memory of 2864	1216	{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe	104
PID 1216 wrote to memory of 2864	1216	{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe	104
PID 1216 wrote to memory of 2864	1216	{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe	104
PID 3168 wrote to memory of 1568	3168	{2F197025-C261-4828-BEE9-96A464E96EC6}.exe	105
PID 3168 wrote to memory of 1568	3168	{2F197025-C261-4828-BEE9-96A464E96EC6}.exe	105
PID 3168 wrote to memory of 1568	3168	{2F197025-C261-4828-BEE9-96A464E96EC6}.exe	105
PID 3168 wrote to memory of 756	3168	{2F197025-C261-4828-BEE9-96A464E96EC6}.exe	106
PID 3168 wrote to memory of 756	3168	{2F197025-C261-4828-BEE9-96A464E96EC6}.exe	106
PID 3168 wrote to memory of 756	3168	{2F197025-C261-4828-BEE9-96A464E96EC6}.exe	106
PID 1568 wrote to memory of 5116	1568	{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe	107
PID 1568 wrote to memory of 5116	1568	{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe	107
PID 1568 wrote to memory of 5116	1568	{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe	107
PID 1568 wrote to memory of 4844	1568	{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe	108
PID 1568 wrote to memory of 4844	1568	{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe	108
PID 1568 wrote to memory of 4844	1568	{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe	108
PID 5116 wrote to memory of 4832	5116	{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe	109
PID 5116 wrote to memory of 4832	5116	{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe	109
PID 5116 wrote to memory of 4832	5116	{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe	109
PID 5116 wrote to memory of 1796	5116	{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe	110
PID 5116 wrote to memory of 1796	5116	{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe	110
PID 5116 wrote to memory of 1796	5116	{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe	110
PID 4832 wrote to memory of 2388	4832	{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe	111
PID 4832 wrote to memory of 2388	4832	{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe	111
PID 4832 wrote to memory of 2388	4832	{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe	111
PID 4832 wrote to memory of 2548	4832	{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe	112
PID 4832 wrote to memory of 2548	4832	{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe	112
PID 4832 wrote to memory of 2548	4832	{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe	112
PID 2388 wrote to memory of 2792	2388	{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe	113
PID 2388 wrote to memory of 2792	2388	{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe	113
PID 2388 wrote to memory of 2792	2388	{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe	113
PID 2388 wrote to memory of 1508	2388	{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe	114
PID 2388 wrote to memory of 1508	2388	{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe	114
PID 2388 wrote to memory of 1508	2388	{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe	114
PID 2792 wrote to memory of 1840	2792	{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe	115
PID 2792 wrote to memory of 1840	2792	{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe	115
PID 2792 wrote to memory of 1840	2792	{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe	115
PID 2792 wrote to memory of 1488	2792	{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe	116

C:\Users\Admin\AppData\Local\Temp\cb4ec421f949b323260a50947879d361.exe
"C:\Users\Admin\AppData\Local\Temp\cb4ec421f949b323260a50947879d361.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe
  C:\Windows\{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe
    C:\Windows\{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe
      C:\Windows\{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe
        
        C:\Windows\{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1216
      - C:\Windows\{2F197025-C261-4828-BEE9-96A464E96EC6}.exe
        
        C:\Windows\{2F197025-C261-4828-BEE9-96A464E96EC6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe
        
        C:\Windows\{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe
        
        C:\Windows\{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe
        
        C:\Windows\{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe
        
        C:\Windows\{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe
        
        C:\Windows\{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{F6DA915B-CAAB-46c7-B1D1-AA58B9B720B9}.exe
        
        C:\Windows\{F6DA915B-CAAB-46c7-B1D1-AA58B9B720B9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\{B796FE3C-CC40-482c-A101-B53ACF1F7DFD}.exe
        
        C:\Windows\{B796FE3C-CC40-482c-A101-B53ACF1F7DFD}.exe
        13⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6DA9~1.EXE > nul
        13⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35DC7~1.EXE > nul
        12⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E334~1.EXE > nul
        11⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{665B8~1.EXE > nul
        10⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CEC9~1.EXE > nul
        9⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A02A1~1.EXE > nul
        8⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F197~1.EXE > nul
        7⤵
        
        PID:756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4F90~1.EXE > nul
        6⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9872D~1.EXE > nul
        5⤵
        
        PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C7031~1.EXE > nul
      4⤵
      PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5E870~1.EXE > nul
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CB4EC4~1.EXE > nul
  2⤵
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2E33479F-68BA-400b-AB55-BCBC8BFBC935}.exe

Filesize
344KB

MD5
09dcd0a81082b3af8a53ee808ec179d7

SHA1
82d03bf741fff8d0c292d9727579f55d842b5e34

SHA256
dc08e96272786f30ece1de7d6da9a55557f73cc6bf3a9188758cc0896c1f7616

SHA512
783a222f914d3986ecf65a7640c93d1f68e2354387ae44fc69a72e4bec5082e2635c40b6218ce74e5d59d0906d58078057762a0980d32e53a32d083d07808b99

Download Submit
C:\Windows\{2F197025-C261-4828-BEE9-96A464E96EC6}.exe

Filesize
344KB

MD5
ce13127ee994f919a66992ba449e55fc

SHA1
ce83c39949ae44755d289b639c11f0c1b8826664

SHA256
ef5329e9a8be899eb8383c8146c4e0500d8a9acba8e5b4164813f9649ba8ee90

SHA512
6545872bf665260918d8a43af7a7f0aa3c610a0fc1753e3181a6a0486a186fc1c55c22b30eef641e2011b18b4d2073d1ea007a61c10a95c3ec171d43563802a9

Download Submit
C:\Windows\{35DC7246-C769-416c-A1CF-ADFFFFE91AF9}.exe

Filesize
344KB

MD5
25e5d9a3ce98ce64e417faa396357739

SHA1
bc46f52d4665d587e476ccfae14fd2343ab000fd

SHA256
26c2091126ae72a3a24837ae4c1b92276511c3294f3e952958bbbbdf83251bc6

SHA512
8d5f816fe6d77500cb27068d85debd8fd08d6e1b13fe39f40072784011cab08d2bc0c075322ac195009a38af93b25c618754ec362acd689b8bd1bc38d886f940

Download Submit
C:\Windows\{5E870C23-1473-4bca-8D3F-9FC7D786ED19}.exe

Filesize
344KB

MD5
60c664033ba1a19ffea07012368a8fec

SHA1
4e1535f6f87cb6617a5efd4966e6ecacdac1bfb6

SHA256
2b2b705e209df5be654323796f154ddc274bfd2e1d87d5c55dfaec94cf1d0b45

SHA512
f69fdfceb2048364fa4119d594fdf56e1efe1ec525b3b9ad5b4b435c75370d75c060d67c19711b90374edd8105ec7dab91bc32eee1072c5da09f35532afaa7a0

Download Submit
C:\Windows\{665B8988-BF2F-40cb-9ED5-A64241127F35}.exe

Filesize
344KB

MD5
00ddbcd88caae52eb21d1f8a9f82bf9f

SHA1
ce45e96b0a90f5504640d08a0776b1edb8ec7a61

SHA256
a5e5ab473fb0017fbb0aecdec76f2baab16991e2706c012a468cf0f8558f17e8

SHA512
436c56d66cdfa405fba66a32712b1769e5e6dc175c1717e33e7b4caf079cb38b90f0f59a5fa88f72b90be8e2efed1707be9ae522dfd32578f000b72189b7fcaa

Download Submit
C:\Windows\{9872DC17-65D5-4120-AD05-46F6CB57A3C8}.exe

Filesize
344KB

MD5
9929cf0c2fddf73f505e69c7805be5b6

SHA1
4ebc4438c66b0f5ae359fd2a227816c295001622

SHA256
b5d441154e3e777f65e7c5ea6ba42b699ae8cfd8b5b7896605fff5534c1bff9a

SHA512
1fae69abf71cf3b6ad863b4b201f70fee6ca338fa13211a59150846bcb6de3a1787b3edc8374d720b41ae47da8eefb81d67a9dd6ccefcc6741e216909585ada8

Download Submit
C:\Windows\{9CEC9AB6-0589-410e-A72B-8B494A980F78}.exe

Filesize
344KB

MD5
d4fde27dc83046ebf90e50b264ba012d

SHA1
fe76684f530b1652999beb354a6201d040726851

SHA256
492c9e215796998611328f248e07b4b8abe7ccdcaec428bb94112e6d7dcbec95

SHA512
6683f5f01c21b18bfde4e717aede60cae4e8e4d527066a52af3a008416ea2f888cabf742cfeb5978a67aaf38e27352eabd700521f5db7bf4d4702e6d73800cbf

Download Submit
C:\Windows\{A02A179A-3BBF-4774-B1FA-125B906A2A7D}.exe

Filesize
344KB

MD5
473c74de7c828286a68ed71c9cc5db9e

SHA1
7cf2b55374c40b92ed2a5d6beffcfc66294b4333

SHA256
a0b0fd197f00c8e41f0d018a5cfcf19da066fe3597d24ca0d4cab372f4440f72

SHA512
9dcb5ad5a56d887e00540220decc9ba91b52f005b7a782292dbba44f0514f7888eab815af506e53ee0d3d52a30be17995bbb42b43b47fca78765aee08b4d7b54

Download Submit
C:\Windows\{B796FE3C-CC40-482c-A101-B53ACF1F7DFD}.exe

Filesize
344KB

MD5
f8027d4abf9fb0f475d5da076f0ad29f

SHA1
c3cf329f5a291b58cd52fb35a863621a22a74d87

SHA256
da81eb8beaf8b93704314629f395f6c86a6bf2baa40679d201ed0a9c9f68fe53

SHA512
a0d43e6d0569aed4e2bf59d7f878db1b8a778c23ca8f8ff163a785f7118311d1557e25fda003dfd254207636dd9d85cd0854d07612a463fb5883134f8db19377

Download Submit
C:\Windows\{C4F9020B-5ED5-485a-90F3-F3D17F7AD20D}.exe

Filesize
344KB

MD5
1cfbc1c639f6b48b38ce753a2f7966ec

SHA1
9b680f27eefbada64aa71a281868e88ba887c603

SHA256
e6b1bad46cddcef683dc6c772d8426e43a54b238ab84d064d54ff7095ca91514

SHA512
48e1b11c11c010a2aa18a4e88c313c991113e5029bf2d255423791895f4145d46e7bbfe2714d7b3e161db1958a6e5c641aefd01272522bf0703b1352de382e0d

Download Submit
C:\Windows\{C7031DB6-EFA9-4b32-AE61-C07465901692}.exe

Filesize
344KB

MD5
f42e5611aed236d513d19189e9fe7cd2

SHA1
f98034caccc095c0a3567ba23d9208a2cf7feb74

SHA256
7487241cbd93950f44a39b8d36298d755b45bd9b6f960c80b7bd189bf0b16b51

SHA512
9ac48ec137f514506c47301b0981b7281332572c40612bb45a070a94406cf716da872fcbd8a6ff6dc9a34477368198308a8379098bbec319868ac5f31d3e31a0

Download Submit
C:\Windows\{F6DA915B-CAAB-46c7-B1D1-AA58B9B720B9}.exe

Filesize
344KB

MD5
59ffce7180e96a15c4f053b8587be7ee

SHA1
ee7ae0e55a9f6ca8c2d0b56a1b315d9d95f8d138

SHA256
93a080ea814ade1ecddce1aee8536ed8c3399cd43dcc52692ce07cb7bc7e6374

SHA512
8391f28788bbdb00ea3674185ccb9ccef1bb40ba14f3c0e8f38f33233efb5653fef2656da963d7fbf28af0113f6ae88242c3c3c68ac2cce2e5ded32883e85e6d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads