b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe
Size

103KB
MD5

289b8b6f1c2be13ed1d637e0e249be3e
SHA1

e5d95f8acd5ea597a012e8e62932536918cd91ba
SHA256

b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b
SHA512

82d333e5af7182b7e7bc78bb12ca063b4e321275a5cb9bbe7aec9d91ccf1eee506f3e721ef833442029e2cbd15ce58b06561b0986fc51323c0cfc79a0249b4c9
SSDEEP

768:Qvw9816vhKQLroa4/wQRNrfrunMxVFA3b7glwRjMlfwGxEIU:YEGh0oal2unMxVS3Hgdor

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1258DFD8-B6A1-4181-929D-48D1EA20F68E}\stubpath = "C:\\Windows\\{1258DFD8-B6A1-4181-929D-48D1EA20F68E}.exe"	{4B2AFC6F-BBD7-4c67-BE0D-C65434BF80EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10D499B1-F55C-4d48-AAE1-A4F9880BA139}\stubpath = "C:\\Windows\\{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe"	{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}\stubpath = "C:\\Windows\\{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe"	{08938A70-4678-40ac-BD73-6F70F625330D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802818E4-61CD-4074-80B7-6019046485ED}\stubpath = "C:\\Windows\\{802818E4-61CD-4074-80B7-6019046485ED}.exe"	{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B2AFC6F-BBD7-4c67-BE0D-C65434BF80EE}	{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}	{08938A70-4678-40ac-BD73-6F70F625330D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C532D6F2-B248-4e80-9BAA-BB640D738ED4}\stubpath = "C:\\Windows\\{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe"	{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}	{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}\stubpath = "C:\\Windows\\{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe"	{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08938A70-4678-40ac-BD73-6F70F625330D}	{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08938A70-4678-40ac-BD73-6F70F625330D}\stubpath = "C:\\Windows\\{08938A70-4678-40ac-BD73-6F70F625330D}.exe"	{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B2AFC6F-BBD7-4c67-BE0D-C65434BF80EE}\stubpath = "C:\\Windows\\{4B2AFC6F-BBD7-4c67-BE0D-C65434BF80EE}.exe"	{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1258DFD8-B6A1-4181-929D-48D1EA20F68E}	{4B2AFC6F-BBD7-4c67-BE0D-C65434BF80EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}	{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D127D88D-938F-4f81-B863-955AE6481C4B}	{802818E4-61CD-4074-80B7-6019046485ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E7607B7-E836-46dd-9C70-0B963B812E10}	{D127D88D-938F-4f81-B863-955AE6481C4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E7607B7-E836-46dd-9C70-0B963B812E10}\stubpath = "C:\\Windows\\{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe"	{D127D88D-938F-4f81-B863-955AE6481C4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802818E4-61CD-4074-80B7-6019046485ED}	{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D127D88D-938F-4f81-B863-955AE6481C4B}\stubpath = "C:\\Windows\\{D127D88D-938F-4f81-B863-955AE6481C4B}.exe"	{802818E4-61CD-4074-80B7-6019046485ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C532D6F2-B248-4e80-9BAA-BB640D738ED4}	{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEC3265F-01B3-4c05-8C9D-265782F1559C}	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEC3265F-01B3-4c05-8C9D-265782F1559C}\stubpath = "C:\\Windows\\{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe"	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}\stubpath = "C:\\Windows\\{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe"	{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10D499B1-F55C-4d48-AAE1-A4F9880BA139}	{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe

Executes dropped EXE 12 IoCs

pid	Process
5240	{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe
2824	{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe
2744	{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe
548	{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe
640	{08938A70-4678-40ac-BD73-6F70F625330D}.exe
6092	{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe
3248	{802818E4-61CD-4074-80B7-6019046485ED}.exe
5680	{D127D88D-938F-4f81-B863-955AE6481C4B}.exe
4424	{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe
3420	{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe
3268	{4B2AFC6F-BBD7-4c67-BE0D-C65434BF80EE}.exe
2724	{1258DFD8-B6A1-4181-929D-48D1EA20F68E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe	{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe
File created	C:\Windows\{08938A70-4678-40ac-BD73-6F70F625330D}.exe	{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe
File created	C:\Windows\{802818E4-61CD-4074-80B7-6019046485ED}.exe	{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe
File created	C:\Windows\{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe	{D127D88D-938F-4f81-B863-955AE6481C4B}.exe
File created	C:\Windows\{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe	{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe
File created	C:\Windows\{1258DFD8-B6A1-4181-929D-48D1EA20F68E}.exe	{4B2AFC6F-BBD7-4c67-BE0D-C65434BF80EE}.exe
File created	C:\Windows\{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe	{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe
File created	C:\Windows\{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe	{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe
File created	C:\Windows\{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe	{08938A70-4678-40ac-BD73-6F70F625330D}.exe
File created	C:\Windows\{D127D88D-938F-4f81-B863-955AE6481C4B}.exe	{802818E4-61CD-4074-80B7-6019046485ED}.exe
File created	C:\Windows\{4B2AFC6F-BBD7-4c67-BE0D-C65434BF80EE}.exe	{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe
File created	C:\Windows\{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3224	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe
Token: SeIncBasePriorityPrivilege	5240	{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe
Token: SeIncBasePriorityPrivilege	2824	{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe
Token: SeIncBasePriorityPrivilege	2744	{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe
Token: SeIncBasePriorityPrivilege	548	{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe
Token: SeIncBasePriorityPrivilege	640	{08938A70-4678-40ac-BD73-6F70F625330D}.exe
Token: SeIncBasePriorityPrivilege	6092	{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe
Token: SeIncBasePriorityPrivilege	3248	{802818E4-61CD-4074-80B7-6019046485ED}.exe
Token: SeIncBasePriorityPrivilege	5680	{D127D88D-938F-4f81-B863-955AE6481C4B}.exe
Token: SeIncBasePriorityPrivilege	4424	{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe
Token: SeIncBasePriorityPrivilege	3420	{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe
Token: SeIncBasePriorityPrivilege	3268	{4B2AFC6F-BBD7-4c67-BE0D-C65434BF80EE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 5240	3224	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	96
PID 3224 wrote to memory of 5240	3224	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	96
PID 3224 wrote to memory of 5240	3224	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	96
PID 3224 wrote to memory of 628	3224	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	97
PID 3224 wrote to memory of 628	3224	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	97
PID 3224 wrote to memory of 628	3224	b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe	97
PID 5240 wrote to memory of 2824	5240	{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe	98
PID 5240 wrote to memory of 2824	5240	{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe	98
PID 5240 wrote to memory of 2824	5240	{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe	98
PID 5240 wrote to memory of 3252	5240	{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe	99
PID 5240 wrote to memory of 3252	5240	{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe	99
PID 5240 wrote to memory of 3252	5240	{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe	99
PID 2824 wrote to memory of 2744	2824	{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe	101
PID 2824 wrote to memory of 2744	2824	{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe	101
PID 2824 wrote to memory of 2744	2824	{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe	101
PID 2824 wrote to memory of 4668	2824	{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe	102
PID 2824 wrote to memory of 4668	2824	{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe	102
PID 2824 wrote to memory of 4668	2824	{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe	102
PID 2744 wrote to memory of 548	2744	{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe	103
PID 2744 wrote to memory of 548	2744	{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe	103
PID 2744 wrote to memory of 548	2744	{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe	103
PID 2744 wrote to memory of 4044	2744	{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe	104
PID 2744 wrote to memory of 4044	2744	{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe	104
PID 2744 wrote to memory of 4044	2744	{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe	104
PID 548 wrote to memory of 640	548	{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe	105
PID 548 wrote to memory of 640	548	{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe	105
PID 548 wrote to memory of 640	548	{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe	105
PID 548 wrote to memory of 3012	548	{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe	106
PID 548 wrote to memory of 3012	548	{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe	106
PID 548 wrote to memory of 3012	548	{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe	106
PID 640 wrote to memory of 6092	640	{08938A70-4678-40ac-BD73-6F70F625330D}.exe	107
PID 640 wrote to memory of 6092	640	{08938A70-4678-40ac-BD73-6F70F625330D}.exe	107
PID 640 wrote to memory of 6092	640	{08938A70-4678-40ac-BD73-6F70F625330D}.exe	107
PID 640 wrote to memory of 5304	640	{08938A70-4678-40ac-BD73-6F70F625330D}.exe	108
PID 640 wrote to memory of 5304	640	{08938A70-4678-40ac-BD73-6F70F625330D}.exe	108
PID 640 wrote to memory of 5304	640	{08938A70-4678-40ac-BD73-6F70F625330D}.exe	108
PID 6092 wrote to memory of 3248	6092	{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe	109
PID 6092 wrote to memory of 3248	6092	{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe	109
PID 6092 wrote to memory of 3248	6092	{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe	109
PID 6092 wrote to memory of 5308	6092	{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe	110
PID 6092 wrote to memory of 5308	6092	{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe	110
PID 6092 wrote to memory of 5308	6092	{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe	110
PID 3248 wrote to memory of 5680	3248	{802818E4-61CD-4074-80B7-6019046485ED}.exe	111
PID 3248 wrote to memory of 5680	3248	{802818E4-61CD-4074-80B7-6019046485ED}.exe	111
PID 3248 wrote to memory of 5680	3248	{802818E4-61CD-4074-80B7-6019046485ED}.exe	111
PID 3248 wrote to memory of 1368	3248	{802818E4-61CD-4074-80B7-6019046485ED}.exe	112
PID 3248 wrote to memory of 1368	3248	{802818E4-61CD-4074-80B7-6019046485ED}.exe	112
PID 3248 wrote to memory of 1368	3248	{802818E4-61CD-4074-80B7-6019046485ED}.exe	112
PID 5680 wrote to memory of 4424	5680	{D127D88D-938F-4f81-B863-955AE6481C4B}.exe	113
PID 5680 wrote to memory of 4424	5680	{D127D88D-938F-4f81-B863-955AE6481C4B}.exe	113
PID 5680 wrote to memory of 4424	5680	{D127D88D-938F-4f81-B863-955AE6481C4B}.exe	113
PID 5680 wrote to memory of 2388	5680	{D127D88D-938F-4f81-B863-955AE6481C4B}.exe	114
PID 5680 wrote to memory of 2388	5680	{D127D88D-938F-4f81-B863-955AE6481C4B}.exe	114
PID 5680 wrote to memory of 2388	5680	{D127D88D-938F-4f81-B863-955AE6481C4B}.exe	114
PID 4424 wrote to memory of 3420	4424	{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe	115
PID 4424 wrote to memory of 3420	4424	{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe	115
PID 4424 wrote to memory of 3420	4424	{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe	115
PID 4424 wrote to memory of 5712	4424	{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe	116
PID 4424 wrote to memory of 5712	4424	{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe	116
PID 4424 wrote to memory of 5712	4424	{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe	116
PID 3420 wrote to memory of 3268	3420	{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe	117
PID 3420 wrote to memory of 3268	3420	{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe	117
PID 3420 wrote to memory of 3268	3420	{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe	117
PID 3420 wrote to memory of 5568	3420	{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe	118

C:\Users\Admin\AppData\Local\Temp\b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe
"C:\Users\Admin\AppData\Local\Temp\b5e0baade0af8ce10c664bd0c7d1a5a7af0197fc18f4c40529b5c2e99838426b.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe
  C:\Windows\{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5240
- - C:\Windows\{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe
    C:\Windows\{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe
      C:\Windows\{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe
        
        C:\Windows\{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:548
      - C:\Windows\{08938A70-4678-40ac-BD73-6F70F625330D}.exe
        
        C:\Windows\{08938A70-4678-40ac-BD73-6F70F625330D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe
        
        C:\Windows\{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6092
        
        C:\Windows\{802818E4-61CD-4074-80B7-6019046485ED}.exe
        
        C:\Windows\{802818E4-61CD-4074-80B7-6019046485ED}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{D127D88D-938F-4f81-B863-955AE6481C4B}.exe
        
        C:\Windows\{D127D88D-938F-4f81-B863-955AE6481C4B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5680
        
        C:\Windows\{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe
        
        C:\Windows\{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe
        
        C:\Windows\{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\{4B2AFC6F-BBD7-4c67-BE0D-C65434BF80EE}.exe
        
        C:\Windows\{4B2AFC6F-BBD7-4c67-BE0D-C65434BF80EE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
        
        C:\Windows\{1258DFD8-B6A1-4181-929D-48D1EA20F68E}.exe
        
        C:\Windows\{1258DFD8-B6A1-4181-929D-48D1EA20F68E}.exe
        13⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B2AF~1.EXE > nul
        13⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C532D~1.EXE > nul
        12⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E760~1.EXE > nul
        11⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D127D~1.EXE > nul
        10⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80281~1.EXE > nul
        9⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{889B2~1.EXE > nul
        8⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08938~1.EXE > nul
        7⤵
        
        PID:5304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10D49~1.EXE > nul
        6⤵
        
        PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{668AA~1.EXE > nul
        5⤵
        
        PID:4044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7E4A6~1.EXE > nul
      4⤵
      PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC32~1.EXE > nul
    3⤵
    PID:3252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B5E0BA~1.EXE > nul
  2⤵
  PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08938A70-4678-40ac-BD73-6F70F625330D}.exe

Filesize
103KB

MD5
ec354e83091b40c69477fd55f30bdb77

SHA1
528d5746820f1133c2a3900034093873a27844a3

SHA256
c3c25723579285def11045bf0c23f0eab9daba2a5fa274bd9c118a70da816d8d

SHA512
8d6d194f2461c7ae2332738da5169720dfdbc27e7ca6bf3d3dd4e49185a4e1451531a7890646d51892ca7f0e5d2249a0a7beaacfd6bdda04f16b8c4c6f3bfdd6

Download Submit
C:\Windows\{10D499B1-F55C-4d48-AAE1-A4F9880BA139}.exe

Filesize
103KB

MD5
9770312fa54d58c0356119b053ba32cf

SHA1
f71d75cfcf02083a406b430f932d9d9cf7ab33d1

SHA256
b51ea9b7201d78981acf04c88552a94e6149c18846ec9d1f03530ebae160ce44

SHA512
412a13bd16523ce8b4155d159bcba0b681f5e79eaf5674eb5ecaebdefef156a9a3f75d85f9ef678fca4e8fe3db5d3f887f5352b1b7ec6c033a713d47c5c72dc9

Download Submit
C:\Windows\{1258DFD8-B6A1-4181-929D-48D1EA20F68E}.exe

Filesize
103KB

MD5
a5f3d1a2ceb929f9b332de83ea2e5a58

SHA1
4218d0d7e41411e151ae2837cfa5eb68ef7dfb68

SHA256
d0669423a3bcde91c1edb8b7b906b90b3c5f95eaf967b611fcde43b9d81a9931

SHA512
f831d1a7e1b3c877bff8014252b1881938134e929dafdcdb868a674a36274240ee64231c5b52f009be1cb2d20b4703acd1877702fb1a7903525183ab30e54a9a

Download Submit
C:\Windows\{4B2AFC6F-BBD7-4c67-BE0D-C65434BF80EE}.exe

Filesize
103KB

MD5
e8fc4216c4a068b90655be5a3c7c2db5

SHA1
3aa6d6de26b57b680c256d0fb483823f5d0db2e8

SHA256
571f273f06ffa2a2c51b4d092b8324bf13035519f697f63df53a9a04311cc5c0

SHA512
8bdc24978279010530a727c6708fcb1fb26c14219823dff4eb6f87892f0bedebbeafc171cd40fc7ec7d81f03e241ae0033328cd78f3deb30917624d2dabfff0d

Download Submit
C:\Windows\{5E7607B7-E836-46dd-9C70-0B963B812E10}.exe

Filesize
103KB

MD5
5e41ec2336776532e06a6cc804537dda

SHA1
3e8046c668ad0adc54ee8bb617583fbf77ee5fd0

SHA256
d0c8682ce735808e5f7f03ef31a0451e14a3c7c14c3164a39decc9377de98ddf

SHA512
0207e01ee9c816d389d62de76a32e047e8f401e6eac5abfa95ed6b9c4b8d1cbf61a83be6634cdad48b748aad0eb55b38015015ce4696deac52c54f41ebd74399

Download Submit
C:\Windows\{668AAB6C-E83B-48a4-8DC8-6D55014ABACD}.exe

Filesize
103KB

MD5
49c130452f5c4897a2abaaf299da3d33

SHA1
0c151b4d3f2512e0f43aa297e4e1f4b33f507df6

SHA256
74ab4be0e48cbec8e7a78e69e02d618cb6ea5534bc6e7b8c8c4733dd3e64fa02

SHA512
98756f34758dde98ca11c2d7a042afbcbcf8f1d4961f43ced6d8d31fafe442bcc04554ac601fe2c4ab0906fa35e77dee3a693280796972082c7d6add4d791f34

Download Submit
C:\Windows\{7E4A62A9-CE2D-466a-8D7B-ED01A7B6033D}.exe

Filesize
103KB

MD5
8959df9743e75b521e45fb079b9a825e

SHA1
8a76b6fcf7e9a3dc2bed5011631999b56b229485

SHA256
080fb2bf05cd1537dfb11ccd77788f5e3f46bacc3f5dceb97f4871feb3bc8449

SHA512
96b696ec57fe9a15b3af1bcd99366a8417f85e452317fd3bb49fda6b08b59393120a15488f288052c88e78159388a6977bbad43577fe2ad860889ef10d084eea

Download Submit
C:\Windows\{802818E4-61CD-4074-80B7-6019046485ED}.exe

Filesize
103KB

MD5
c2c8c4e93b5e80dbb007ee6c59f7bb50

SHA1
c5bd5e853b19f22488c99d4d3ed168acb0f2165a

SHA256
423dbbd8787d60031b6faa542bbe5502a3b2d4fcde8cf2acd48a85cbe7863710

SHA512
7fc8d54cbd3c08ae52acf79eef1687a02a07efe757c753f75bb9c77d9fcb0d18d62b43feff8579e60bedc4addc2fcaf249e4e17dffa1caad59660caa5b38cf5d

Download Submit
C:\Windows\{889B209D-9792-40b2-BBF1-3B2FF18F1EF4}.exe

Filesize
103KB

MD5
04d418bf6b2d33fb6c3e53f9d4603c57

SHA1
ffe5facddcd0b579ed8bce4b3129d59d338d3036

SHA256
929ff56185c201027ebbeff220e0dbacd62fd64eeec924555e46b1d7e258b386

SHA512
f81b3845d8f3d52c933dfe55a30767bbeb0dc6291cd7fd6ca84858c4f47f1c7f7e328cc1ea15b4db5b1635665797112d929dcaa6568cb6f8b479a5c598bca970

Download Submit
C:\Windows\{C532D6F2-B248-4e80-9BAA-BB640D738ED4}.exe

Filesize
103KB

MD5
b0a28e3372bf001f6aee24c1e34cdb33

SHA1
6bfaa45320cb94907b88127209ca7d9ae09a422b

SHA256
5cffe2d61dfd2bf39d822c51246adaa72a852a6366f2a8d8353d12b1e92b9501

SHA512
6a4ffb2cf78c2b1fb9389e61b4a9f909fdae54ffcaf6b71b44c60e94cb58fe8cc3cf9ac937f113cbe91595d13e3c176593448cfdfe3d9130a88f6a58b4d48c12

Download Submit
C:\Windows\{D127D88D-938F-4f81-B863-955AE6481C4B}.exe

Filesize
103KB

MD5
4f846b449115363a19c931eed0d4f2dc

SHA1
336466a38102af4211cee1aba72502e22b4e8d1c

SHA256
1da3b4617b7e56ffa755c20fd120c1dea85cc06f364a0468de82ae9c56d66089

SHA512
8b6e6e91b66ee4aec9de96bbb39cb7cae1d4ec485681dce809aa1487c9ed9ab1b76416d89695fc9d2b704ef3aa7341cab7bc8e4adee0c9c134611a11ac939094

Download Submit
C:\Windows\{EEC3265F-01B3-4c05-8C9D-265782F1559C}.exe

Filesize
103KB

MD5
acba4430c2ecff615c5c841d2501b8d7

SHA1
36ecb94ab4bb57134b672e04c00b656829f1e029

SHA256
f3ea8e280cfb6d0323c41e93502e7abb0f2344491e9981c29df930a039c95838

SHA512
833c08fa35c8a3a8ed36fb77dfe6c25d4de2570092d09b3be07dd3986562050309b9324a32a2deecfc356378a1677ab662bf1ef1b274e3c4a009bad7cb6a1b22

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads